[dns-operations] Link-local IP addresses for a resolver?

Mark Andrews marka at isc.org
Wed Sep 25 01:11:46 UTC 2019



> On 25 Sep 2019, at 10:53 am, Paul Ebersman <list-dns-operations at dragon.net> wrote:
> 
> marka> When a *ISP* advertises a DNS server to its *customers* IT SHOULD
> marka> WORK FOR ALL OF THE CUSTOMER'S MACHINES!
> 
> That doesn't mean it can't be ULA. And it would be hideous but you can
> use LL if you flatten the broadcast domain. There are lots of reasons
> why this isn't the best idea but you don't know everyone's network, so
> saying "that's bad and I'd never do it so we shouldn't support it" at
> the network layer isn't a reasonable answer.

Yes, I don't know the ISP's network and I don't know the customer's network,
but neither does the ISP know the customer's network.

There is nothing wrong with an ISP advertising LL or ULA to its own machines,
excluding CPE routers, assuming the ISP owns them.  Similarly there is nothing
wrong with a customer advertising LL or ULA to its own machines.  It is the
cross-site nature of the ISP/customer relationship which makes it wrong for
this particular scenario.

> marka> The CPE is a SITE boundary.  It is also a Link-Local
> marka> Boundary. ULA source packets DO NOT cross the CPE by default if
> marka> the CPE is properly configured.  Link-Local packets should NEVER
> marka> cross the CPE as it is NOT A BRIDGE/SWITCH but is a router.
> 
> No need to shout... And the same could be said of RFC 1918 but ISPs have
> used that for thousands of homes, crossing thousands of CPEs. Not the
> best choice and not your choice but it does work for some folks.

Advertising RFC 1918 addresses as DNS servers by the ISP is also wrong, as
the ISP has zero knowledge of which addresses are in use by the customer,
and it is actually prohibited by RFC 1918 as they are being advertised outside
of the site.  It doesn't mean that there are not ISPs that do that, but
it isn't expected to work.  A good CPE will filter RFC 1918 source packets
inbound and NAT them outbound so the RFC 1918 addresses are not visible to
other sites.

> "site boundary" and what is "local" in ULA have never been well defined
> because of this.

CPE routers being the exception.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
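The scope argument above (link-local and ULA stop at the CPE, RFC 1918 is not supposed to be advertised across a site boundary) can be turned into a simple audit of the resolver addresses a customer-side network actually receives. The following is an added example written for this archive page; it is not code from Mark Andrews, ISC, or anyone on the thread. The sample resolver list is constructed, and the scope labels ("link-local", "ula", "rfc1918", "global") and the function names are this example's own choices, not anything defined in the message or in an RFC.

```python
import ipaddress
from typing import List, Tuple

# Address ranges whose scope, per the message, ends at the CPE (a router, not a bridge).
IPV6_LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")       # RFC 4291 link-local
IPV6_ULA = ipaddress.IPv6Network("fc00::/7")               # RFC 4193 unique local
IPV4_LINK_LOCAL = ipaddress.IPv4Network("169.254.0.0/16")  # RFC 3927 link-local
IPV4_RFC1918 = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]


def resolver_scope(addr: str) -> str:
    """Classify a resolver address by the scope that limits where it is reachable.

    Explicit prefix checks are used instead of ipaddress' is_private/is_global,
    which fold documentation and other special ranges into the same answer.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        if ip in IPV6_LINK_LOCAL:
            return "link-local"
        if ip in IPV6_ULA:
            return "ula"
        return "global"
    if ip in IPV4_LINK_LOCAL:
        return "link-local"
    if any(ip in net for net in IPV4_RFC1918):
        return "rfc1918"
    return "global"


def usable_across_cpe(addr: str) -> bool:
    """True only if the address can be expected to work from behind a customer's router.

    Link-local never crosses a router, ULA is dropped by a properly configured CPE,
    and RFC 1918 is NATed/filtered at the site edge, so only global scope qualifies.
    """
    return resolver_scope(addr) == "global"


def audit_advertised_resolvers(addrs: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (address, scope, usable-across-CPE) for each advertised resolver."""
    return [(a, resolver_scope(a), usable_across_cpe(a)) for a in addrs]


if __name__ == "__main__":
    # Constructed example of what an ISP might hand out via RA RDNSS / DHCP;
    # 2001:db8::/32 and 192.0.2.0/24 are documentation ranges standing in for real resolvers.
    advertised = ["fe80::1", "fd12:3456:789a::53", "2001:db8::53", "10.0.0.53", "192.0.2.53"]
    for addr, scope, ok in audit_advertised_resolvers(advertised):
        verdict = "ok" if ok else "will not cross the CPE"
        print(f"{addr:24} {scope:11} {verdict}")
```

Run from a host on the customer side of the CPE with the resolver list it actually received; any entry not marked "global" is one the ISP cannot expect every machine behind the CPE to reach, which is the point the message makes about site boundaries.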