Here is the write-up, in case anyone is interested:
http://zeroprobability.blogspot.co.uk/2013/06/a-practical-guide-to-setting-up-ipv6.html
-- ab1
A couple of small comments. I would recommend against blocking ICMPv6 echo requests. Blocking them not only makes debugging harder, it also breaks some tunnelling protocols, for example Teredo. Also, it sounds a bit strange to me if they really made DNS64 synthesize AAAA records by default even if there is already an AAAA record. So what exactly does that default setting do? Does it replace the existing AAAA records with a synthesized AAAA record? Or will it add the synthesized AAAA record such that the reply contains both real and synthetic AAAA records?
Yes, good point on ICMP, I will update the guide.
Regarding AAAA synthesis/NAT64, I just re-checked the behaviour, which is as follows:
--- with
config system nat64
set status enable
set always-synthesize-aaaa-record enable #implicit default setting
end
$ dig aaaa www.google.com
; <<>> DiG 9.7.3 <<>> aaaa www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19157
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN AAAA
;; ANSWER SECTION:
www.google.com. 157 IN AAAA 64:ff9b::adc2:2991
www.google.com. 157 IN AAAA 64:ff9b::adc2:2992
www.google.com. 157 IN AAAA 64:ff9b::adc2:2994
www.google.com. 157 IN AAAA 64:ff9b::adc2:2990
www.google.com. 157 IN AAAA 64:ff9b::adc2:2993
...
--- with
config system nat64
set status enable
set always-synthesize-aaaa-record disable
end
$ dig aaaa www.google.com
; <<>> DiG 9.7.3 <<>> aaaa www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52908
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN AAAA
;; ANSWER SECTION:
www.google.com. 261 IN AAAA 2a00:1450:4009:808::1014
...
So it looks like the default setting will simply ignore existing AAAA records and replace them with synthesized ones.
Not a good default in my opinion, but that is how it behaves with the current firmware.
-- ab1
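An added example, not part of the original posts: a Python check that decodes the IPv4 address embedded in each 64:ff9b::/96 (RFC 6052 well-known prefix) answer and flags a resolver that returns only synthesized AAAA records for a name that has native ones. The function names are hypothetical, the sample input is constructed from answer lines in the two dig runs above, and the reference answer is assumed to come from a lookup without DNS64 rewriting.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix, as seen in the first dig output.
WKP = ipaddress.ip_network("64:ff9b::/96")

# Constructed sample input: answer lines taken from the two dig runs in the thread.
ALWAYS_SYNTH = """\
www.google.com. 157 IN AAAA 64:ff9b::adc2:2991
www.google.com. 157 IN AAAA 64:ff9b::adc2:2992
"""
NO_ALWAYS_SYNTH = """\
www.google.com. 261 IN AAAA 2a00:1450:4009:808::1014
"""

def parse_aaaa(answer_section):
    """Return the AAAA addresses found in dig answer-section lines."""
    addrs = []
    for line in answer_section.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) < 5:
            continue  # skip dig comments, blank and truncated lines
        if fields[2].upper() == "IN" and fields[3].upper() == "AAAA":
            addrs.append(ipaddress.IPv6Address(fields[4]))
    return addrs

def embedded_ipv4(addr):
    """IPv4 address carried in the low 32 bits of a WKP address, else None."""
    if addr not in WKP:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def native_aaaa_hidden(resolver_answer, reference_answer):
    """True if the resolver returned only synthesized records although the
    reference lookup shows at least one native AAAA record."""
    got = parse_aaaa(resolver_answer)
    ref = parse_aaaa(reference_answer)
    has_native = any(embedded_ipv4(a) is None for a in ref)
    all_synth = bool(got) and all(embedded_ipv4(a) is not None for a in got)
    return has_native and all_synth

if __name__ == "__main__":
    for a in parse_aaaa(ALWAYS_SYNTH):
        print(a, "->", embedded_ipv4(a))
    print("native AAAA hidden:", native_aaaa_hidden(ALWAYS_SYNTH, NO_ALWAYS_SYNTH))
```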
Quote from: Chainik on June 26, 2013, 03:27:50 AM
So it looks like the default setting will simply ignore existing AAAA records and replace them with synthesized ones.
Not a good default in my opinion, but that is how it behaves with the current firmware.
It's a very bad default. I don't know what they were thinking when choosing that as the default.