Hi Fernando,
At 16:30 02-04-2013, Fernando Gont wrote:
> Happy eyeballs is about HTTP. But part of the approach predates "Happy
> Eyeballs" -- please see RFC5461.
Ok.
> Removing the AAAA records when you're not going to allow such
> connectivity reduces the potential problem (at the end of the day, this
> is kind of the whitelisting approach that has been applied to the
> general case by content providers -- with the caveat that in this case
> you positively know that such connectivity is not present).
Here's an extract from RFC 4924:
'In particular, the DNSSEC protocol described in "Protocol
Modifications for the DNS Security Extensions" [RFC4035] has been
designed to verify that DNS information has not been modified between
the moment they have been published on an authoritative server and
the moment the validation takes place. Since that verification can
take place at the application level, any modification by a recursive
forwarder or other intermediary will cause validation failures,
disabling the improved security that DNSSEC is intended to provide.'
I am ok with resolving the problem of the day. If I am of the
opinion that it may cause problems in the long run I'll mention
it. I am not inclined to do anything more than that.
Regards,
-sm