DiG "unexpected source" with a Subnet-Router anycast address

Kevin Darcy kcd at chrysler.com
Mon Sep 12 16:54:48 UTC 2011


On 9/9/2011 5:15 AM, François-Xavier Le Bail wrote:
> --- On Wed, 9/7/11, Kevin Darcy <kcd at chrysler.com> wrote:
>
>> Why are you trying to use the SRAA for DNS resolution? SRAA has a
>> special meaning to network-infrastructure devices; I don't think it was
>> ever intended for anycasting general network services. Just pick one of
>> your global-unicast addresses, and anycast that instead.
> We are testing a setup where the DNS querier doesn't know the GUA
> but knows the prefix (the GUA is EUI-64 generated, based on the prefix).
> The SRAA seems perfect for this use case.
Well, it appears that you managed to select the one anycast address out 
of the quintillions that are available in IPv6 that you've proven 
*won't work* for the purpose you need.

Pick something else in the Global Unicast range and be happy. Arrange 
the EUI-64 bits in appropriate ways if you need to (or just use a 
randomly-generated IA and call it a "privacy extension" :-)
> Dig could have an option for "unexpected source" control based on the prefix to manage SRAA case.
No, relaxing the response-source rule for *any* DNS resolver leads to 
erroneous query results and response-spoofing opportunities. The rule 
exists for good reasons.

You should either a) pursue with your network hardware vendor why its 
device is responding to a query to the SRAA with a different source 
address, thus breaking the rules of DNS resolution, or b) select a 
working resolver address in the Global Unicast range and be happy.

- Kevin
> [...]
>
>> Note that RFC 4291 obsoletes RFC 3513 which obsoletes RFC
>> 2373.
> Right, but no changes about "Subnet-Router anycast address" in RFC 4291.
Agreed, I was just pointing you to the latest revision of the document.

- Kevin
> Francois-Xavier
>
>> On 9/7/2011 10:48 AM, François-Xavier Le Bail wrote:
>>> Hello,
>>>
>>> I send with DiG 9.7.3 a request to a router/DNS forwarder with the
>>> Subnet-Router anycast address of the router (SRAA, RFC 2373, § 2.6.1).
>>> The answer is:
>>> reply from unexpected source: <GUA of the router>#53, expected <SRAA>#53
>>> Is there an option to relax the IPv6 address request/reply control
>>> for this use case?
>>> Best regards,
>>> François-Xavier Le Bail
>
>
>
>
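The response-source rule Kevin refers to, modelled as an added example (this is not code from the thread, dig or BIND): a stub resolver compares the reply's source address and port with where the query was sent, then the transaction ID and the echoed question. The optional `relax_prefix` parameter is hypothetical and models the "match on the prefix" option proposed above, to show that any host inside the /64 would then pass the source check. All addresses and packets are constructed for the demo.

```python
import ipaddress
import struct

def subnet_router_anycast(prefix: str) -> str:
    """RFC 4291 section 2.6.1: the subnet prefix with an all-zero interface ID."""
    return str(ipaddress.IPv6Network(prefix, strict=False).network_address)

def build_query(qname: str, qid: int) -> bytes:
    """Minimal DNS query datagram: 12-byte header plus one A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def build_reply(query: bytes) -> bytes:
    """Answer the query with NOERROR and an empty answer section."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0) + query[12:]

def validate_reply(query, sent_to, reply, received_from, relax_prefix=None):
    """Return 'ok' or the reason a stub resolver must discard the datagram.

    sent_to / received_from are (ip, port) tuples.  relax_prefix (hypothetical)
    accepts any source inside that prefix instead of the exact address, which
    is exactly the spoofing opportunity the strict rule closes.
    """
    src_ip, src_port = received_from
    exp_ip, exp_port = sent_to
    if relax_prefix is None:
        source_ok = received_from == sent_to
    else:
        source_ok = (src_port == exp_port and
                     ipaddress.ip_address(src_ip) in ipaddress.ip_network(relax_prefix))
    if not source_ok:
        return f"reply from unexpected source: {src_ip}#{src_port}, expected {exp_ip}#{exp_port}"
    if len(reply) < 12 or reply[:2] != query[:2]:
        return "transaction id mismatch"
    if not reply[2] & 0x80:  # QR bit: must be a response, not another query
        return "QR bit not set"
    qlen = len(query) - 12
    if reply[12:12 + qlen] != query[12:]:  # question must be echoed verbatim
        return "question section mismatch"
    return "ok"
```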