Skip to content

iana: Remove hardcoded multicast prefixes #8456

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jprenken merged 1 commit into from
Oct 31, 2025
Merged

iana: Remove hardcoded multicast prefixes #8456

jprenken merged 1 commit into from
Oct 31, 2025

Conversation

@jprenken
Copy link
Contributor

@jprenken jprenken commented Oct 24, 2025
edited
Loading

Remove multicast IP prefixes (RFCs 3171 & 4291) from the hardcoded list of reserved addresses in the iana package.

These prefixes are not listed in IANA's Special-Purpose Address Registries or otherwise forbidden by the Baseline Requirements, so hardcoding them in Boulder probably isn't appropriate.

Instead, operators can configure them in AdminBlockedPrefixes to prevent their use as identifiers. For Let's Encrypt, this has been done in IN-11854. They can also use their resolvers' configuration (e.g. Unbound's private-address and do-not-query-address directives) to exclude them from DNS query results. For Let's Encrypt, this has been done for a long time (since before the current config's first blame).

Part of #8237

@jprenken
iana: Remove hardcoded multicast prefixes
24ed925 
Remove multicast IP prefixes (RFCs 3171 & 4291) from the hardcoded list of reserved addresses in the iana package.

These prefixes are not listed in IANA's Special-Purpose Address Registries or otherwise forbidden by the Baseline Requirements, so hardcoding them in Boulder probably isn't appropriate.

Instead, operators can configure them in `AdminBlockedPrefixes` to prevent their use as identifiers, and use their resolvers' configuration (e.g. Unbound's `private-address` and `do-not-query-address` directives) to exclude them from DNS query results.

Part of #8237
@jprenken jprenken requested a review from a team as a code owner October 24, 2025 03:11
@jprenken jprenken requested a review from aarongable October 24, 2025 03:11
aarongable
aarongable approved these changes Oct 27, 2025
View reviewed changes
Copy link
Contributor

@aarongable aarongable left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but given that this requires a config change to retain the same functionality, please indicate in the PR description which internal ticket documents that change and whether it has been completed yet.

@aarongable aarongable requested review from a team and jsha and removed request for a team October 27, 2025 21:56
@jprenken jprenken merged commit 12d5d1c into main Oct 31, 2025
12 checks passed
@jprenken jprenken deleted the multicast branch October 31, 2025 16:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aarongable aarongable aarongable approved these changes

@beautifulentropy beautifulentropy beautifulentropy approved these changes

@jsha jsha Awaiting requested review from jsha jsha is a code owner automatically assigned from letsencrypt/boulder-developers

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jprenken @aarongable @beautifulentropy