athompso at athompso.net
Thu May 12 21:10:22 CDT 2011
On topic, one of the biggest problems with dual-stack co-existence is a
"you can't get there from here" problem that causes intermittent (and
sometimes permanent) DNS failures.
A fairly typical case: a domain (example.com) which is delegated to an
IPv4-only nameserver (ns1.example.com).
(Assume one nameserver for simplicity of explanation; always use at least
two in the real world.)
A subdomain (ad.example.com) which is delegated to a dual-stack nameserver
(Windows Server 2008 R2, for example, and let's call it
A IPv6-capable client (e.g. any Windows Vista or Windows 7 or Mac OS X or
most Linuxes) attempting to resolve host.ad.example.com will recurse to
ns1.example.com, which will provide the referral along with the IPv4 glue
records for dc.ad.example.com (remember, ns1.example.com is NOT
A fairly typical client resolver will then do some sanity checking, and
obtain more details from dc.ad.example.com before sending the ultimate A
query for host.ad.example.com. At this point, dc.ad.example.com reports
*its own* IPv6 address to the IPv6-enabled client, even though they're
still speaking IPv4.
Can anyone guess what happens next?
One of two scenarios, non-deterministically (AFAIK):
1. The resolver client suddenly decides to talk IPv6 to the authoritative
nameserver "dc.ad.example.com", since it now knows its AAAA record, and
IPv6 is obviously a better protocol, right?, fails to contact the
nameserver over IPv6 and decides said nameserver is dead, and returns an
ENOTFOUND or something similar to the requesting application.
2. The resolver client maintains its temporary cache of the nameserver's
IPv4 address, and successfully obtains both A and AAAA records (again,
this is typical for a gethostbyname() call) for the ultimate destination
of host.ad.example.com. Then the application attempts to open a socket...
which the OS happily attempts to do using IPv6.
This all works great as long as there is IPv6 connectivity between the
client resolver, the authoritative nameserver, AND the destination host.
If there isn't, then you've just blackholed your subdomain, just by
turning on IPv6. Surprise!
I'm told this is a very common problem in the IPv6 early-adopter world,
and there is no solution for it yet. One partial solution is to use
static IPv6 addresses in the 4to6-transition style (where the IPv4 address
is embedded in the last 4 bytes of the IPv6 address); apparently many
client IP stacks treat those semi-magically. I don't understand the
details of that yet, but IMHO that kind of invalidates the whole point of
turning on IPv6 in the first place...
> -----Original Message-----
> From: roundtable-bounces at muug.mb.ca [mailto:roundtable-
> bounces at muug.mb.ca] On Behalf Of Sean Cody
> Sent: Thursday, May 12, 2011 16:38
> To: Continuation of Round Table discussion
> Subject: Re: [RndTbl] IPv6
> Almost on cue... O'Reilly's ebook deal today is "DNS and Bind on IPv6."
> Sean (mobile)
> On 2011-05-12, at 11:37 AM, "Gilbert E. Detillieux"
> <gedetil at cs.umanitoba.ca> wrote:
> > As an example of how things can be more complicated than might seem at
> > first, consider setting up an e-mail server with the usual raft of
> > anti-spam measures...
> > http://www.itworldcanada.com/news/e-mail-and-ipv6-what-it-
> > to-know/143080
> > Oh yeah, we tend to look up those client addresses a fair bit to
> > determine the client's reputation... When will all that work well
> > under IPv6?
> > In any case, I'm hoping to spend part of my summer at work reading up
> > on IPv6, and starting a few LAN-based experiments. No word yet on
> > when the UofM will have its router infrastructure IPv6-ready, though.
> > Maybe Adam and I can compare notes in the fall, and see if either of
> > us is ready to present something on the topic.
> > Gilbert
> > On 2011-05-11 20:02, Adam Thompson wrote:
> >> Unfortunately, no-one is willing to be the bad guy in that story... Not
> >> even a *country* can really pull it off.
> >> Think about how many non-IPv6-capable devices there are out there:
> >> virtually every single home router, printer, modem, camera, etc.
> >> Now as soon as a flag day is declared, the self-entitled of the world
> >> will rise up and say to their government, "who's going to pay for my new
> >> equipment?" Never mind that we've all known this day would come for
> >> over 10 years...
> >> On the other hand, I might turn out to be the first who actually has to
> >> manage a dual-stack network... and be willing to talk about it, anyway.
> >> Assuming I'm not on powerful drugs as a result of doing so! Holy ****
> >> does it get complicated!
> >> -Adam
> >> Trevor Cordes<trevor at tecnopolis.ca> wrote:
> >>> On 2011-05-11 Sean Cody wrote:
> >>>> Anyone have an interest or is implementing ipv6 anywhere?
> >>>> An intro to ipv6 would be a great presentation topic so if you can
> >>>> share your experience, please do!
> >>> Seconded. But don't look at me.
> >>> Does anyone know when home ISP's like Shaw will start to offer IPv6
> >>> to home users? I don't think v6 will go anywhere until the ISP's
> >>> with their massive IP pools start switching end users to it.
> >>> Correct?
> >>> All of this 6-to-4 stuff seems stupid and overly complex. I would
> >>> like to just see a day picked where 4 is shutoff and only 6 can be
> >>> We'll all be !@$#%ing our pants for a few days/weeks but then it'll
> >>> be done.
> > --
> > Gilbert E. Detillieux E-mail: <gedetil at muug.mb.ca>
> > Manitoba UNIX User Group Web: http://www.muug.mb.ca/
> > PO Box 130 St-Boniface Phone: (204)474-8161
> > Winnipeg MB CANADA R2H 3B4 Fax: (204)474-7609
> > _______________________________________________
> > Roundtable mailing list
> > Roundtable at muug.mb.ca
> > http://www.muug.mb.ca/mailman/listinfo/roundtable
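Added example, not part of the original post or thread: a small audit for the failure described at the top of this message, flagging any name whose published AAAA address is unreachable from the client while its A address still works. The addresses (documentation ranges), the `audit` and `tcp_probe` helpers, the verdict labels and the sample reachability set are all assumptions made for illustration; only the host names come from the post.

```python
import ipaddress
import socket

def tcp_probe(port, timeout=2.0):
    """Build a live probe: True if a TCP connection to (addr, port) succeeds."""
    def probe(addr):
        v6 = ipaddress.ip_address(addr).version == 6
        try:
            with socket.socket(socket.AF_INET6 if v6 else socket.AF_INET,
                               socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect((addr, port))
            return True
        except OSError:
            return False
    return probe

def audit(records, probe):
    """records: {name: [addresses published as A/AAAA]}.
    Returns (name, verdict, unreachable_addresses) tuples, sorted by name."""
    findings = []
    for name, addrs in sorted(records.items()):
        dead = [a for a in addrs if not probe(a)]
        live_v4 = any(ipaddress.ip_address(a).version == 4
                      for a in addrs if a not in dead)
        dead_v6 = any(ipaddress.ip_address(a).version == 6 for a in dead)
        if not dead:
            verdict = "ok"
        elif dead_v6 and live_v4:
            # A resolver or application that prefers the AAAA record gives up
            # here even though the IPv4 path works (scenarios 1 and 2 above).
            verdict = "blackhole-risk"
        else:
            verdict = "unreachable"
        findings.append((name, verdict, dead))
    return findings

# Constructed sample data: names from the post, addresses invented.
SAMPLE = {
    "ns1.example.com": ["192.0.2.1"],
    "dc.ad.example.com": ["192.0.2.53", "2001:db8::53"],
    "host.ad.example.com": ["192.0.2.80", "2001:db8::80"],
}
# Constructed reachability for a client with no working IPv6 path.
V4_ONLY_CLIENT = {"192.0.2.1", "192.0.2.53", "192.0.2.80"}

if __name__ == "__main__":
    for row in audit(SAMPLE, lambda addr: addr in V4_ONLY_CLIENT):
        print(row)
```

For a live check, run it from the client's own network with real records, using `tcp_probe(53)` for the nameservers and the service port for the destination host; this assumes the servers accept TCP on those ports.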