25.7.8 Unbound blocklist source nets

Started by gpfountz, November 26, 2025, 08:28:30 PM

Mainly, none of the RFC authors ever considered that with the abundance of IPv6 addresses, any ISP would ever even think of using dynamic prefixes. Alas, that is the reality for most consumer setups now.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on December 02, 2025, 11:20:46 PM
Mainly, none of the RFC authors ever considered that with the abundance of IPv6 addresses, any ISP would ever even think of using dynamic prefixes. Alas, that is the reality for most consumer setups now.

Nailed it!
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

True, but it doesn't explain why e.g. Unbound or Kea do not have dynamic prefix support built in as of today.


Cheers,
Franco

Maybe people should open GitHub issues with Kea and Unbound then asking for it. :0

Could be the projects are simply unaware.
Hardware:
DEC740

Maybe if OpenWrt and OPNsense would push for that it would gain some traction, yet it's also a literal uphill battle while software authors try to keep their scope small at the price of someone else dealing with all the consequences.


Cheers,
Franco

At least for Unbound the fix is rather simple from a configuration perspective.

Reject humanity (IPv6 DNS Server IP), return to monkey (IPv4 only DNS internally)

Should not hurt the client too much in dual stack networks.

So IPv6 reject rule in PF for DNS.
Hardware:
DEC740

Well that's... a solution.  I'd like to evolve from monkey someday soon, though :)

I might need to get on the phone with my ISP and inquire about this.  I noticed my prefix hasn't changed in quite some time, so I wonder if they've changed a policy and now make the prefixes sticky.

Better do not call them and do not wake sleeping dogs. :)
Hardware:
DEC740

...or else they'll fix that problem! ;-)
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+