IPv6 and DNS: why is the root not available over IPv6 transport and when will it be fixed?
Bill Manning - LACNIC-VIII, 29 Jun 2005
Before a Priming Query
- It is proposed to augment the existing root servers with IPv6 capability in their transport and in their DNS server code. Once these capabilities are in place, it is expected to formally announce the availability of the root zone over both IPv4 and IPv6 transport, using both A and AAAA resource records.
- Seven of the 13 root servers have IPv6 transport capability and all are running IPv6-capable code. So what's the problem?
- Issues surrounding why there is no native IPv6 access to the root nameservers YET...
[Diagram: DNS Resolution, starting from the A hints. The resolver sends the IMR a query for girigiri.gbrmpa.gov.au; the IMR queries the root name server and is referred to the au NS, queries the au name server and is referred to the gov.au NS, queries the gov.au name server and is referred to the gbrmpa.gov.au NS, then queries the gbrmpa.gov.au name server and receives the address of girigiri.gbrmpa.gov.au, which it returns in its reply.]
The Priming Query
- The first question asked by an IMR to the root servers.
- Based on the belt-and-suspenders data: in the case of UNIX, the hints or root.cache file.
- What is in this file anyway?
  - Glue: a list of server names and the associated IP addresses. Today only IPv4.
Root Hints
  ; formerly NS.INTERNIC.NET
  ;
      IN NS   A.ROOT-SERVERS.NET.
  A.ROOT-SERVERS.NET   A
  ;
  ; formerly NS1.ISI.EDU
  ;
      NS      B.ROOT-SERVERS.NET.
  B.ROOT-SERVERS.NET   A
  ;
What will happen when IPv6 data is added to this file?
- The problem lies not with the augmented root servers or the zone file, but with the systems that generate priming queries.
      NS      Z.IP6.INT.
  Z.IP6.INT   A
  Z.IP6.INT   AAAA   3ffe:0:1::c620:242
  ;
      NS      Y.IP6.INT.
  Y.IP6.INT   AAAA   3ffe:50e::1
The agony of choice
- How does the IMR select which protocol to use first?
  - Some use IPv4 first, then IPv6; some use IPv6 first, then IPv4.
  - How are mapped IPv4 addresses interpreted?
- Does the IMR DNS software support IPv6?
  - With over 146 variants, it's tough to tell.
  - Some audits indicate BIND is/remains the predominant version for authoritative servers... What about the IMRs?
How many IMRs are there and what are they running?
- IMRs are not listed in any configuration file.
- Need to audit.
  - Query logs were taken from the B, H, and J root servers; the logs covered 4, 1, and 24 hours.
  - Sort out the priming queries (about 3% of total traffic, but that is another talk).
  - Fingerprint the sorted servers to identify the DNS variant.
IMR distribution
- H: IMRs, 14 variants, 123 running non-AAAA-compliant code
- J: IMRs, 141 variants, running non-AAAA-compliant code
- B: IMRs, 51 variants, running non-AAAA-compliant code
- 32,979 servers of 87,764, or 32% of IMRs, appear unable to properly process AAAA addresses.
[Diagram: DNS Resolution, the same walk as before but starting from AAAA/A hints. The resolver sends the IMR a query for girigiri.gbrmpa.gov.au; the IMR queries the root name server and is referred to the au NS, then the au name server (referred to the gov.au NS), then the gov.au name server (referred to the gbrmpa.gov.au NS), then the gbrmpa.gov.au name server, which returns the address of girigiri.gbrmpa.gov.au.]
Known evolution for BIND
- Pre 9.2.0a1:
  - bug: If the root hints contained only AAAA addresses, named would be unable to perform resolution.
  - bug: The ADB didn't find AAAA glue in a zone unless A6 glue was also present.
- Pre:
  - bug: Don't pre-fetch missing additional address records if we have one of A/AAAA.
  - bug: Don't look up A/AAAA records for nameservers if we don't support the address at the transport level.
For these systems with old code...
- Will an IMR re-prime if the first address it sees is a AAAA record?
- Early testing indicates that for two tested versions of BIND, the answer is NO. These tested versions comprise 2.3% of the total tested IMR base.
  - i.e. the nameserver STOPS and needs to be restarted (and hope that a AAAA record does not show up).
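An added example, not code from the talk: it parses a constructed root.cache excerpt with mixed A and AAAA glue, models the old-code failure the slides describe (the server stops when the first glue record it sees is a AAAA record), and shows the transport-aware selection the later BIND fixes imply, including one answer to the mapped-IPv4 question from the "agony of choice" slide. The server names, TTLs and addresses are constructed (documentation prefixes, not real root-server addresses), and the "old IMR" model is a deliberate simplification.

```python
import ipaddress

# Constructed root.cache excerpt; addresses use documentation prefixes only.
HINTS = """\
; formerly NS.INTERNIC.NET
.                    3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000      AAAA  2001:db8:1::4
A.ROOT-SERVERS.NET.  3600000      A     192.0.2.4
; formerly NS1.ISI.EDU
.                    3600000  IN  NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.  3600000      A     192.0.2.201
; hypothetical server whose only glue is an IPv4-mapped IPv6 address
.                    3600000  IN  NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.  3600000      AAAA  ::ffff:192.0.2.12
"""

def parse_hints(text):
    """Return {server: [(rrtype, rdata), ...]} in file order, keeping only A/AAAA glue."""
    glue = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop ';' comments
        if len(fields) >= 3 and fields[-2] in ("A", "AAAA"):
            name = fields[0].rstrip(".").upper()
            glue.setdefault(name, []).append((fields[-2], fields[-1]))
    return glue

def old_imr_priming(glue):
    """Simplified model of the pre-9.2 BIND behaviour the talk describes: priming
    fails (None: the server stops) unless the first glue record seen for every
    server is an A record; any AAAA glue is otherwise ignored."""
    addrs = []
    for records in glue.values():
        if not records or records[0][0] != "A":
            return None
        addrs.extend(addr for rrtype, addr in records if rrtype == "A")
    return addrs

def transport_aware_priming(glue, have_ipv6=False, prefer_ipv6=False):
    """Keep only glue reachable over the host's transports (IPv4-mapped IPv6
    glue counts as IPv4) and order by the preferred family, then server name."""
    ranked = []
    for name, records in glue.items():
        for _, addr in records:
            ip = ipaddress.ip_address(addr)
            if ip.version == 6 and ip.ipv4_mapped is not None:
                ip = ip.ipv4_mapped                 # mapped-address question: treat as v4
            if ip.version == 6 and not have_ipv6:
                continue                            # unusable at the transport level
            ranked.append((0 if (ip.version == 6) == prefer_ipv6 else 1, name, str(ip)))
    return [addr for _, _, addr in sorted(ranked)]
```

With this excerpt the old model returns None because A.ROOT-SERVERS.NET's first glue record is AAAA, while the transport-aware selection primes from the IPv4 glue and simply drops the IPv6 glue on a v4-only host.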
What we have not tested
- IMR OS capabilities
- Most DNS variants
- Extensive searches for more comprehensive IMR lists
Questions?
- Presuming the 32% is a valid number, is it safe to recommend to RSSAC & ICANN to add IPv6 addresses to the root servers and make this publicly available?
- What is the IMR client base? A given IMR may be the only recursive view into the DNS for thousands of end systems.
- Other issues with old BIND (and, by extrapolation, other DNS code?):
  - Upgrading, even in the face of known security lapses, is nearly impossible to force.
What do you think?
  Carrot? Delay native IPv6, maintain stability.
  Stick? Add native IPv6, force software upgrades.