IPv6 and DNS: why is the root not available over IPv6 transport and when will it be fixed?
Bill Manning, LACNIC-VIII
Bill Manning <bmanning@ep.net>
Before a Priming Query
• It is proposed to augment the existing root servers with IPv6 capability in their transport and in their DNS server code. Once these capabilities are in place, it is expected to formally announce the availability of the root zone over both IPv4 and IPv6 transport, using both A and AAAA resource records.
• Seven of the 13 root servers have IPv6 transport capability, and all are running IPv6-capable code. So what's the problem?
• Issues surrounding why there is no IPv6 native access to root nameservers YET….
DNS Resolution (diagram): the IMR, primed from its A hints, sends "Query girigiri.gbrmpa.gov.au" to the "." name server and is referred to the au NS; it repeats the query to the au name server (referred to the gov.au NS), to the gov.au name server (referred to the gbrmpa.gov.au NS) and to the gbrmpa.gov.au name server, which replies with the address of girigiri.gbrmpa.gov.au, returned to the resolver.
The Priming Query
• The first question asked by an IMR to the root servers.
• Based on the "belt & suspenders" data; in the case of UNIX, the "hints" or root.cache file.
• What is in this file anyway? "Glue": a list of server names and the associated IP addresses. Today only IPv4.
Root Hints
;
; formerly NS.INTERNIC.NET
;
.                     3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.   3600000      A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                     3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.   3600000      A     192.228.79.201
;
What will happen when IPv6 data is added to this file?
• The problem lies not with the augmented root servers or the zone file, but with the systems that generate priming queries.
.             3600000      NS    Z.IP6.INT.
Z.IP6.INT.    3600000      A     198.32.2.66
Z.IP6.INT.    3600000      AAAA  3ffe:0:1::c620:242
;
.             3600000      NS    Y.IP6.INT.
Y.IP6.INT.    3600000      AAAA  3ffe:50e::1
The agony of choice
• How does the IMR select which protocol to use first? Some use IPv4 first, then IPv6; some use IPv6 first, then IPv4.
• How are mapped IPv4 addresses interpreted?
• Does the IMR DNS software support IPv6? With over 146 variants, it's tough to tell.
• Some audits indicate BIND is/remains the predominant version for authoritative servers… What about the IMRs?
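To make the choices on the last three slides concrete, here is an added example (not code from the talk) that parses a hints file in the format shown, then models how an IMR with or without IPv6 support, and with either protocol preference, picks priming targets from it. The hints text is constructed from the slides' records; `parse_hints`, `usable_addresses` and `servers_without_usable_glue` are names chosen here.

```python
"""Root-hints parsing and priming-target selection, modelling an IMR that
cannot use AAAA glue facing a hints file that carries AAAA records."""
import ipaddress

# Constructed hints file in the slides' format: the A/Z/Y records come from
# the slides, with Z/Y.IP6.INT being the slides' hypothetical IPv6 additions.
HINTS = """
.                    3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000    A  198.41.0.4
.                    3600000    NS Z.IP6.INT.
Z.IP6.INT.           3600000    A  198.32.2.66
Z.IP6.INT.           3600000    AAAA 3ffe:0:1::c620:242
.                    3600000    NS Y.IP6.INT.
Y.IP6.INT.           3600000    AAAA 3ffe:50e::1
"""

def parse_hints(text):
    """Return {server_name: [ip_address, ...]} for the glue in a hints file."""
    glue = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == ".":                  # NS record naming a root server
            glue.setdefault(fields[-1].upper(), [])
        elif fields[-2] in ("A", "AAAA"):     # glue for that server
            glue.setdefault(fields[0].upper(), []).append(
                ipaddress.ip_address(fields[-1]))
    return glue

def usable_addresses(glue, supports_v6, prefer_v6=False):
    """Addresses this IMR could send its priming query to, in the order it
    would try them. IPv4-mapped IPv6 glue is treated as plain IPv4."""
    usable = []
    for addrs in glue.values():
        for a in addrs:
            if a.version == 6 and a.ipv4_mapped is not None:
                a = a.ipv4_mapped
            if a.version == 4 or supports_v6:
                usable.append(a)
    first = 6 if prefer_v6 else 4
    return sorted(usable, key=lambda a: a.version != first)

def servers_without_usable_glue(glue, supports_v6):
    """Root servers this IMR cannot reach from the hints at all; when that is
    every server, the IMR cannot prime (the BIND bug-628 situation)."""
    return [name for name, addrs in glue.items()
            if not any(a.version == 4 or supports_v6 for a in addrs)]
```

An IPv4-only IMR still primes from this file because Z.IP6.INT. keeps an A record; a hints file that carried only AAAA glue would leave it with no target at all.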
How many IMRs are there and what are they running?
• IMRs are not listed in any configuration file. Need to audit.
• Query logs were taken from the B, H, and J root servers; the logs covered 4, 1, and 24 hours.
• Sort out the priming queries (about 3% of total traffic, but that is another talk).
• Fingerprint the sorted servers to identify the DNS variant.
IMR distribution
• H - 243 IMRs, 14 variants, 123 running non-AAAA compliant
• J - 65698 IMRs, 141 variants, 22300 running non-AAAA compliant
• B - 21823 IMRs, 51 variants, 10556 running non-AAAA compliant
• 32,979 servers of 87,764, or 32% of IMRs, appear unable to properly process AAAA addresses
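The audit on the two slides above, as an added example rather than the talk's own tooling: pull the priming queries (QNAME ".", QTYPE NS) out of a query log, collapse them to the IMRs that sent them, and tally variants and non-AAAA-compliant IMRs the way the per-root-server lines do. The log lines, the fingerprint table and its compliance flags are constructed here; `priming_sources` and `audit` are names chosen for this example.

```python
"""Priming-query extraction from a root-server query log and a per-IMR tally
by DNS variant, modelling the audit described on the slides."""
import re
from collections import Counter

# Constructed BIND-style query log lines (addresses from documentation ranges).
LOG = """\
client 192.0.2.10#1024: query: . IN NS
client 192.0.2.10#1024: query: www.example.net IN A
client 198.51.100.7#53: query: . IN NS
client 2001:db8::1#53: query: . IN NS
client 203.0.113.4#2049: query: . IN NS
client 192.0.2.10#1024: query: . IN NS
"""

# Constructed fingerprint results keyed by IMR address, as an active
# fingerprinting pass would produce them: (variant, handles AAAA glue).
# The version strings and flags are illustrative, not measured values.
FINGERPRINTS = {
    "192.0.2.10":   ("BIND 4.9.x", False),
    "198.51.100.7": ("BIND 8.2.x", False),
    "2001:db8::1":  ("BIND 9.2.x", True),
    "203.0.113.4":  ("BIND 9.2.x", True),
}

# A priming query asks the root ('.') for its NS set.
PRIMING = re.compile(r"client (?P<src>[^#\s]+)#\d+: query: \. IN NS\b")

def priming_sources(log_text):
    """Distinct source addresses that sent a priming query."""
    matches = (PRIMING.search(line) for line in log_text.splitlines())
    return {m.group("src") for m in matches if m}

def audit(log_text, fingerprints):
    """Count IMRs, distinct variants and non-AAAA-compliant IMRs, as the
    per-root-server lines on the slide do."""
    imrs = priming_sources(log_text)
    known = {i: fingerprints[i] for i in imrs if i in fingerprints}
    variants = Counter(v for v, _ in known.values())
    non_compliant = sum(1 for _, ok in known.values() if not ok)
    return {"imrs": len(imrs), "variants": len(variants),
            "non_aaaa_compliant": non_compliant,
            "share_non_compliant": non_compliant / len(imrs) if imrs else 0.0}
```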
DNS Resolution (diagram, repeated with AAAA/A hints): the IMR, now primed from AAAA/A hints, sends "Query girigiri.gbrmpa.gov.au" to the "." name server and is referred to the au NS; it repeats the query to the au name server (referred to the gov.au NS), to the gov.au name server (referred to the gbrmpa.gov.au NS) and to the gbrmpa.gov.au name server, which replies with the address of girigiri.gbrmpa.gov.au, returned to the resolver.
Known evolution for BIND
• pre 9.2.0a1
  - bug 628 - If the root hints contained only AAAA addresses, named would be unable to perform resolution.
  - bug 799 - The ADB didn't find AAAA glue in a zone unless A6 glue was also present.
• pre 8.4.3
  - bug 1617 - don't pre-fetch missing additional address records if we have one of A/AAAA.
  - bug 1613 - don't lookup A/AAAA records for nameservers if we don't support the address at the transport level.
For these systems with old code..
• Will an IMR "re-prime" if the first address it sees is a AAAA record?
• Early testing indicates that for two tested versions of BIND, the answer is NO. These tested versions comprise 2.3% of the total tested IMR base.
• I.e. the nameserver STOPS and needs to be restarted (and hope that a AAAA record does not show up).
What we have not tested
• IMR OS capabilities
• Most DNS variants
• Extensive searches for more comprehensive IMR lists
Questions?
• Presuming the 32% is a valid number, is it safe to recommend to RSSAC & ICANN to add IPv6 addresses to the root servers and make this publicly available?
• What is the IMR client base? A given IMR may be the only recursive view into the DNS for thousands of end systems.
• Other issues with old BIND (and by extrapolation, other DNS code?): http://www.isc.org/sw/bind/bind4.php
• Upgrading, even in the face of known security lapses, is nearly impossible to force.
• What do you think?
  - Carrot? Delay native IPv6; maintain stability.
  - Stick? Add native IPv6; force software upgrades.
Thank You