Conversation

Notices

1. Embed this notice
   Alex Haydock (alexhaydock@infosec.exchange)'s status on Wednesday, 18-Dec-2024 20:44:01 JST Alex Haydock

   If you've deployed an IPv6-only or IPv6-mostly network and you're having issues with Apple devices 'forgetting' they have DNS servers after they've been in sleep mode, I described the bug and some workarounds in this post since I haven't seen anyone else do it yet:

   https://blog.infected.systems/posts/2024-12-18-working-around-macos-and-ios-rdnss-expiry-bug/

   #ipv6 #ipv6only

   • GNU Too repeated this.
   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 18-Dec-2024 20:47:47 JST Rich Felker

     in reply to

     @alexhaydock So 🤦 that it's still normal to accept nameservers from DHCP/v6 autoconf rather than running DNS on localhost and only pulling from trusted upstreams. v6 shouldn't have even included a DNS autoconf mechanism.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 18-Dec-2024 20:58:59 JST Rich Felker

     in reply to

     @alexhaydock Default can be none at all, querying root servers directly. Add any trusted upstreams you want. None can spoof DNSSEC-governed zones anyway because that's the whole point of running DNS on localhost (validating).

   • Embed this notice
     Alex Haydock (alexhaydock@infosec.exchange)'s status on Wednesday, 18-Dec-2024 20:59:00 JST Alex Haydock

     in reply to

     • Rich Felker

     @dalias Definitely sounds much nicer from a security perspective.

     What would be a 'trusted upstream' in your mind though? Sounds like it'd be a real challenge for a project to select their upstream without any controversy. I remember a fair bit of it when Mozilla partnered with Cloudflare to provide DoH.