[BALUG-Admin] DNS slaves for BALUG? :-) ... IPv6 issue somewhere between master and slaves?

Rick Moen rick@linuxmafia.com
Sat Feb 20 19:59:11 PST 2016


Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):

> No problem, I'll take a look, and let you know what I find.
> 
> Quite likely it's lack of IPv6 or some other IPv6 issue
> on slave end(s)....

Quite so. 

I have a very vague recollection of (possibly) having deliberately
disabled IPv6 in the system network stack -- on the excellent grounds
that I'm making no use of it, and network functions you're not using
should be disabled as part of a comprehensive security policy.

FWIW, I cannot find where I did that (if I did that).  I find nothing in
/etc/sysctl.conf (there being nothing in /etc/sysctl.d/), and nothing in
/etc/modprobe.d/aliases.conf .

Actually, /etc/modprobe.d/aliases.conf.dpkg-old has 'alias net-pf-10
off' , but /etc/modprobe.d/aliases.conf does not.

If it turns out that this is an IPv6 issue on slave end, then I'd
suggest leaving it until my linuxmafia.com rebuild.

I'm, frankly, really not sold on the utility of IPv6 for the
linuxmafia.com host at this time.  There are no relevant use-cases for
which it's required.  Therefore, I might _even_ deliberately disable it
on the rebuilt host (whether it is on the current host or not).

That is, I tend to strongly concur with the standard advice that if you
aren't using a network service, you should shut it off.  IPv6 is a
network service (in effect, or an additional flavour of existing
services).  As
http://www.esecurityplanet.com/security-how-to/Linux-Hardening---Quick-Wins-3938786.htm
puts it:

  Disable IPv6: Unless you know that you need it, disabling IPv6 is a
  good idea as it is hard to monitor, making it attractive for hackers,
  and it's also hard to spot security vulnerabilities in the protocol.
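
[Added example, not part of the original message.] The search described above (sysctl settings, modprobe aliases, and a leftover aliases.conf.dpkg-old) can be scripted so that it also shows whether a matching file is one the tools actually read. The ROOT argument, the function names and the extra patterns beyond 'alias net-pf-10 off' are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: audit the places where IPv6 can be switched off on Linux.
# ROOT (first argument) is an assumption of this sketch, so the checks can run
# against a mounted image or a test tree as well as the live system ("").

SYSCTL_RE='^[[:space:]]*net\.ipv6\.conf\.[^.]+\.disable_ipv6[[:space:]]*=[[:space:]]*1'
MODPROBE_RE='^[[:space:]]*(alias[[:space:]]+net-pf-10[[:space:]]+off|blacklist[[:space:]]+ipv6|install[[:space:]]+ipv6[[:space:]]|options[[:space:]]+ipv6[[:space:]].*disable=1)'

# scan_file REGEX FILE: print "STATE<TAB>FILE<TAB>LINE" per matching line.
# Only *.conf files are read by "sysctl --system" and modprobe; anything else
# (for example a *.dpkg-old leftover) is reported as "ignored".
scan_file() {
    [ -f "$2" ] || return 0
    case $2 in *.conf) state=active ;; *) state=ignored ;; esac
    grep -E "$1" "$2" | while IFS= read -r line; do
        printf '%s\t%s\t%s\n' "$state" "$2" "$line"
    done
}

# scan_ipv6_disable [ROOT]: check sysctl files, modprobe.d and the kernel
# command line under ROOT for settings that disable IPv6.
scan_ipv6_disable() {
    root=${1:-}
    for f in "$root/etc/sysctl.conf" "$root"/etc/sysctl.d/*; do
        scan_file "$SYSCTL_RE" "$f"
    done
    for f in "$root"/etc/modprobe.d/*; do
        scan_file "$MODPROBE_RE" "$f"
    done
    # Kernel command line switch, if a cmdline file is readable under ROOT.
    if grep -Eqs '(^|[[:space:]])ipv6\.disable=1([[:space:]]|$)' "$root/proc/cmdline"; then
        printf 'active\t%s\t%s\n' "$root/proc/cmdline" 'ipv6.disable=1'
    fi
    return 0
}
```

Source the file and call scan_ipv6_disable with no argument to check the running system; an "ignored" hit such as aliases.conf.dpkg-old means the setting exists on disk but is not being applied.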



