
Re: Does IPv6 preclude use of a NAT gateway?



On Tue, Jul 12, 2011 at 4:43 PM, Henrique de Moraes Holschuh
<hmh@debian.org> wrote:
> On Tue, 12 Jul 2011, Tom H wrote:


>> IANA also maintains some server(s) for RFC1918 leaks. More or less ten
>> years ago, I was at a company where, one day, none of the Mac boxes
>> could telnet to or mount AFP shares on the Solaris boxes because that
>> IANA service was down and it was providing reverse DNS for RFC1918
>> addresses...
>
> That would be AS112.  The AS112 project provides an anycast cloud for the
> three authoritative DNSes that take care of the IPv4 private, documentation
> and link-local addresses.  They'll soon handle some of the IPv6 reverse
> address space as well.
>
> Note that AS112 clouds only route the IPv4 prefix 192.175.48.0/24, where the
> BLACKHOLE-1.IANA.ORG, BLACKHOLE-2.IANA.ORG and PRISONER.IANA.ORG DNS servers
> can be found, i.e. they do NOT provide a sinkhole for the IPv4 private
> address space, just reverse DNS service.

That was the problem. That company didn't have a reverse DNS zone.


> http://public.as112.net/
>
> http://tools.ietf.org/rfcmarkup?rfc-repository=http://www.rfc-editor.org/authors&doc=rfc6304&topmenu=true&document=draft-ietf-dnsop-as112-ops-09&docreplaces=draft-ietf-dnsop-as112-ops-09&title=RFC-EDITOR+AUTH48+REVIEW+COPY&extrastyle=body+{background-color:%23fee%3b}
>
> And there is the "AS112 operator's relief" RFC:
> http://tools.ietf.org/rfcmarkup?rfc-repository=http://www.rfc-editor.org/authors&doc=rfc6305&topmenu=true&document=draft-ietf-dnsop-as112-under-attack-help-help-06&docreplaces=draft-ietf-dnsop-as112-under-attack-help-help-06&title=RFC-EDITOR+AUTH48+REVIEW+COPY&extrastyle=body+{background-color:%23fee%3b}
>
> Sorry about the long URLs, RFCs-to-be don't have nice short URLs (or I don't
> know them).

Your links didn't work for me but Google yielded (from them):
http://tools.ietf.org/html/draft-ietf-dnsop-as112-ops-09
http://tools.ietf.org/html/draft-ietf-dnsop-as112-under-attack-help-help-06
which I think are the same (I think!). Thanks.


> PS: that does mean the company where you worked at had incompetent DNS
> administrators (if they had any at all).

If incompetent is equivalent to the Windows DNS admins saying "this is
a Unix problem", then yes...
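
An added example, not part of the original thread: a check for the failure described above, where reverse lookups for private addresses leave the site because no local reverse zone answers them. The zone list is an assumption that covers only RFC 1918 and IPv4 link-local space, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption: only RFC 1918 and IPv4 link-local space are checked here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def reverse_zones(net):
    """Return the in-addr.arpa zones, on octet boundaries, that cover net."""
    step = -(-net.prefixlen // 8) * 8          # round prefix up to a full octet
    zones = []
    for sub in net.subnets(new_prefix=step):
        octets = str(sub.network_address).split(".")[: step // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


PRIVATE_ZONES = [z for n in PRIVATE_NETS for z in reverse_zones(n)]


def covering_zone(qname, zones):
    """Return the zone from zones that contains qname, or None."""
    q = qname.rstrip(".").lower()
    for z in zones:
        z = z.rstrip(".").lower()
        if q == z or q.endswith("." + z):      # match on a label boundary only
            return z
    return None


def leaked_lookups(addresses, served_locally):
    """List (address, zone) pairs whose PTR query is in private reverse space
    but is not covered by any zone the site's own DNS servers answer."""
    leaks = []
    for addr in addresses:
        qname = ipaddress.ip_address(addr).reverse_pointer
        zone = covering_zone(qname, PRIVATE_ZONES)
        if zone and covering_zone(qname, served_locally) is None:
            leaks.append((addr, zone))
    return leaks


if __name__ == "__main__":
    # Constructed sample: a site that only serves the 192.168/16 reverse zone.
    sample = ["10.1.2.3", "172.20.5.9", "172.32.0.1", "192.168.1.10", "8.8.8.8"]
    for addr, zone in leaked_lookups(sample, ["168.192.in-addr.arpa"]):
        print(f"{addr}: PTR lookup in {zone} is not answered locally")
```

Lookups flagged here are the ones that depend on servers outside the site, which is the dependency that broke telnet and AFP in the incident described in the thread.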

