9

I have a mail server for which I need to create the AAAA DNS record and update the SPF record to include its IPv6 address.

An ifconfig command shows a Scope:Link IPv6 address and a Scope:Global IPv6 address. Which one should I put in the AAAA and SPF records?

The Scope:Global is a /128 address and the Scope:Link a /64.

The Scope:Link address is an FE80 address, which means non-routable. Does it mean I have to put the Scope:Global address?

kasperd
  • 30,455
  • 17
  • 76
  • 124
chmike
  • 429
  • 2
  • 5
  • 18

2 Answers

13

Yes, precisely so. The globally-scoped address is the one you advertise to the world (which in this case, means list in your AAAA record). The link-scoped address is a very useful feature of IPv6 which makes setting up point-to-point links elegant, but it isn't, as you say, globally-routable, and advertising it to the world will not get you any visitors.

As for SPF, you would certainly want to list the globally-scoped address. I can't offhand think of any circumstances under which you would preferentially make connections to another local mail server from your link-scoped address, so I see no point in listing it, but others might know better than I (I'm talking to you, @SanderStefann).

MadHatter
  • 79,770
  • 20
  • 184
  • 232
  • 3
    I feel summoned :) – Sander Steffann Jan 30 '16 at 14:47
  • For anything "on the internet" you always use global scope addresses (and only a subset of those. I.e. ULA addresses are global scope but not routed on the internet). So in public DNS records etc the addresses are almost always from 2000::/3. – Sander Steffann Jan 30 '16 at 14:53
  • 2
    Besides that: when running a mail server make sure you use static addresses for sending mail. If your server has IPv6 SLAAC enabled and your mail server software isn't configured to use a fixed source address when sending mail then it will make outbound connections from your temporary IPv6 addresses, which will probably not have reverse DNS set up and will not match your SPF record. So always use a fixed source address and put that in SPF, reverse DNS etc. – Sander Steffann Jan 30 '16 at 14:57
  • The part about **your globally-scoped address being an fe80:: address** looks like a typo in the question. – kasperd Jan 30 '16 at 16:47
  • Indeed. It was a typo. Sorry. I fix it. – chmike Jan 30 '16 at 16:52
  • OK, I've amended my answer accordingly. – MadHatter Jan 30 '16 at 19:50
0

This question applies to more than mail servers.

In the general case, only Scope:Global addresses should appear in AAAA records.

Otherwise you run into cases where a distant host resolves the name, gets the Scope:Link address (fe80...) and will have no route to the target host. This applies to any host, not just servers.

(I'm just adding this additional info in case people are searching for "fe80 addresses in AAAA" and might be led to believe that this is mail hosts only, since that's the original question.)

tep
  • 304
  • 1
  • 5
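Both answers, and Sander Steffann's comments under the first, come down to one rule: only global-unicast addresses (2000::/3) belong in public AAAA records and in SPF `ip6:` mechanisms; link-local (fe80::/10) and ULA (fc00::/7) addresses never do. The script below is an added example, not code from the question or either answer: it classifies the addresses an `ifconfig` listing shows, picks the ones safe to publish, and audits an existing SPF record for `ip6:` mechanisms that a remote host could never reach. The interface addresses and the SPF record are constructed sample input (the 2001:db8::/32 documentation prefix stands in for a real global address); the function names are this example's own.

```python
import ipaddress

# Scope classification used by the answers above: only 2000::/3 is
# routed on the public internet; fe80::/10 is link-local and fc00::/7
# is ULA (global scope on paper, but not internet-routed).
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def classify(addr_text):
    """Classify one IPv6 address; a trailing /prefix (as ifconfig prints) is ignored."""
    addr = ipaddress.IPv6Address(addr_text.split("/")[0].strip())
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global-unicast"
    if addr.is_multicast:
        return "multicast"
    if addr.is_loopback:
        return "loopback"
    return "other"


def publishable_addresses(interface_addrs):
    """Return the addresses (without prefix length) suitable for AAAA and SPF."""
    return [a.split("/")[0].strip()
            for a in interface_addrs
            if classify(a) == "global-unicast"]


def audit_spf(record):
    """Return the ip6: mechanisms in an SPF record that are not global unicast.

    Each mechanism may carry a qualifier (+ - ~ ?) and an optional /prefix,
    e.g. 'ip6:2001:db8::/64'. Anything outside 2000::/3 is reported, since a
    remote MTA could never see a connection from such an address.
    """
    offending = []
    for term in record.split():
        mech = term.lstrip("+-~?")
        if not mech.lower().startswith("ip6:"):
            continue
        try:
            net = ipaddress.ip_network(mech[4:], strict=False)
        except ValueError:
            offending.append(term)  # unparsable value is also a defect
            continue
        if not net.subnet_of(GLOBAL_UNICAST):
            offending.append(term)
    return offending


def spf_ip6_mechanisms(interface_addrs):
    """Build the ip6: mechanisms to add to SPF from the publishable addresses."""
    return ["ip6:" + a for a in publishable_addresses(interface_addrs)]


if __name__ == "__main__":
    # Constructed sample: what a mail host's ifconfig might list.
    sample_ifconfig = [
        "fe80::5054:ff:fe12:3456/64",   # Scope:Link, never published
        "2001:db8::25/128",             # Scope:Global, the one to publish
        "fd12:3456:789a::25/64",        # ULA, reachable only inside the site
    ]
    for a in sample_ifconfig:
        print(f"{a:32} -> {classify(a)}")
    print("AAAA candidates:", publishable_addresses(sample_ifconfig))
    print("SPF mechanisms :", spf_ip6_mechanisms(sample_ifconfig))

    # Constructed SPF record containing the mistake the answers warn about.
    sample_spf = "v=spf1 ip4:192.0.2.25 ip6:fe80::5054:ff:fe12:3456 ip6:2001:db8::25 -all"
    print("SPF problems   :", audit_spf(sample_spf))
```

Note that this check is purely about address scope: it cannot tell a stable global address from a SLAAC temporary one, so the advice in the comments to send mail from a fixed source address still has to be enforced in the MTA configuration.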