mirror of
https://github.com/isc-projects/bind9.git
synced 2026-06-14 22:30:01 -04:00
updated IPv6 API issues
parent
f697150aef
commit
3da9aeb807
2 changed files with 36 additions and 18 deletions
|
|
@ -2,7 +2,7 @@
|
|||
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
|
||||
|
||||
<!-- File: $Id: Bv9ARM-book.xml,v 1.248 2004/06/11 00:13:41 marka Exp $ -->
|
||||
<!-- File: $Id: Bv9ARM-book.xml,v 1.249 2004/07/29 21:40:01 jinmei Exp $ -->
|
||||
|
||||
<book>
|
||||
<title>BIND 9 Administrator Reference Manual</title>
|
||||
|
|
@ -3495,11 +3495,16 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; };
|
|||
<para>If no <command>listen-on</command> is specified, the
|
||||
server will listen on port 53 on all interfaces.</para>
|
||||
|
||||
<para>By default, the server does not bind a separate socket to each
|
||||
IPv6 interface address as it does for IPv4. Instead, it listens on the
|
||||
IPv6 wildcard address.
|
||||
Alternatively, a list of IPv6 addresses can be specified, in which case
|
||||
the server listens on a separate socket for each specified address.</para>
|
||||
<para>If the operating system has enough API support for IPv6
|
||||
(specifically if it conforms to RFC 3493), the server does not bind a
|
||||
separate socket to each IPv6 interface address as it does for IPv4.
|
||||
Instead, it listens on the IPv6 wildcard address.
|
||||
A list of particular IPv6 addresses can also be specified, in which case
|
||||
the server listens on a separate socket for each specified address,
|
||||
regardless of whether the desired API is supported by the system.</para>
|
||||
|
||||
<para>If the system only has incomplete API support for IPv6,
|
||||
the behavior is the same as that for IPv4.</para>
|
||||
|
||||
<para>Multiple <command>listen-on-v6</command> options can be used.
|
||||
For example,</para>
|
||||
|
|
|
|||
|
|
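Review bot: "enough API support" and "the desired API" in the rewritten listen-on-v6 paragraph are vague, and the new "incomplete API support" paragraph gives the administrator no way to tell which mode named is running in. The ipv6 note changed in this same commit says named checks for both the advanced API and the IPV6_V6ONLY socket option and issues a warning before falling back to per-address sockets. Suggest naming that option here alongside RFC 3493 and mentioning the warning, since the ipv6 note ties the option to whether IPv4-mapped addresses reach access control lists written for IPv4.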
@ -29,27 +29,40 @@ In the original drafts of the ipv6 RFC documents, binding an ipv6
|
|||
socket to the ipv6 wildcard address would also cause the socket to
|
||||
accept ipv4 connections and datagrams. When an ipv4 packet is
|
||||
received on these systems, it is mapped into an ipv6 address. For
|
||||
example, 1.2.3.4 would be mapped into ffff::1.2.3.4. The intent of
|
||||
example, 1.2.3.4 would be mapped into ::ffff:1.2.3.4. The intent of
|
||||
this mapping was to make transition from an ipv4-only application into
|
||||
ipv6 easier, by only requiring one socket to be open on a given port.
|
||||
|
||||
Later, it was discovered that this was generally a bad idea. For one,
|
||||
many firewalls will block connection to 1.2.3.4, but will let through
|
||||
ffff::1.2.3.4. This, of course, is bad. Also, access control lists
|
||||
::ffff:1.2.3.4. This, of course, is bad. Also, access control lists
|
||||
written to accept only ipv4 addresses were suddenly ignored unless
|
||||
they were rewritten to handle the ipv6 mapped addresses as well.
|
||||
|
||||
In bind9, we always bind to the ipv6 wildcard port for both TCP and
|
||||
UDP, and specific addresses for ipv4 sockets. This causes some
|
||||
interesting behavior depending on the system implementation of ipv6.
|
||||
Partly because of these problems, the latest IPv6 API introduces an
|
||||
explicit knob (the "IPV6_V6ONLY" socket option ) to turn off the ipv6
|
||||
mapped address usage.
|
||||
|
||||
In bind9, we first checks if both the advanced API and the IPV6_V6ONLY
|
||||
socket option are both available. If both of them are available,
|
||||
bind9 named will bind to the ipv6 wildcard port for both TCP and
|
||||
UDP. Otherwise named will make a warning and try to bind to all
|
||||
available ipv6 addresses separately.
|
||||
|
||||
In any case, bind9 named binds to specific addresses for ipv4 sockets.
|
||||
|
||||
The followings are historical notes when we always bound to the ipv6
|
||||
wildcard port regardless of the availability of the API support.
|
||||
These problems should not happen with the closer checks above.
|
||||
|
||||
|
||||
IPV6 Sockets Accept IPV4, Specific IPV4 Addresses Bindings Fail
|
||||
---------------------------------------------------------------
|
||||
|
||||
The only OS which seems to do this is linux. If an ipv6 socket is
|
||||
bound to the ipv6 wildcard socket, and a specific ipv4 socket is
|
||||
later bound (say, to 1.2.3.4 port 53) the ipv4 binding will fail.
|
||||
The only OS which seems to do this is (some kernel versions of) linux.
|
||||
If an ipv6 socket is bound to the ipv6 wildcard socket, and a specific
|
||||
ipv4 socket is later bound (say, to 1.2.3.4 port 53) the ipv4 binding
|
||||
will fail.
|
||||
|
||||
What this means to bind9 is that the application will log warnings
|
||||
about being unable to bind to a socket because the address is already
|
||||
|
|
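Review bot: The new paragraph beginning "In bind9, we first checks" says named tests whether IPV6_V6ONLY is available but never says whether it sets the option on the wildcard socket, which is the step that would turn off the ::ffff:1.2.3.4 style mapping described above; suggest stating that explicitly. Wording nits in the same block: "we first checks if both ... are both available" should read "we first check whether the advanced API and the IPV6_V6ONLY socket option are both available", "socket option )" has a stray space, and "The followings are historical notes when" reads better as "The following are historical notes from when".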
@ -90,11 +103,11 @@ packets.
|
|||
RELEVANT RFCs
|
||||
-------------
|
||||
|
||||
2373: IP Version 6 Addressing Architecture
|
||||
3513: Internet Protocol Version 6 (IPv6) Addressing Architecture
|
||||
|
||||
2553: Basic Socket Interface Extensions for IPv6
|
||||
3943: Basic Socket Interface Extensions for IPv6
|
||||
|
||||
draft-ietf-ipngwg-rfc2292bis-01: Advanced Sockets API for IPv6 (draft)
|
||||
3542: Advanced Sockets Application Program Interface (API) for IPv6
|
||||
|
||||
|
||||
$Id: ipv6,v 1.6 2004/03/05 05:04:53 marka Exp $
|
||||
$Id: ipv6,v 1.7 2004/07/29 21:40:02 jinmei Exp $
|
||||
|
|
|
|||
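Review bot: The replacement entry "3943: Basic Socket Interface Extensions for IPv6" looks like a transposed RFC number, because the Bv9ARM-book.xml hunk in this same commit cites RFC 3493 for this API. Suggest changing the entry to 3493 so the two documents agree.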