[RndTbl] IPv6

Adam Thompson athompso at athompso.net
Thu May 12 21:10:22 CDT 2011


On topic, one of the biggest problems with dual-stack co-existence is a 
"you can't get there from here" problem that causes intermittent (and 
sometimes permanent) DNS failures.

A fairly typical case:  a domain (example.com) which is delegated to an 
IPv4-only nameserver  (ns1.example.com).
(Assume one nameserver for simplicity of explanation; always use at least 
two in the real world.)
A subdomain (ad.example.com) which is delegated to a dual-stack nameserver 
(Windows Server 2008 R2, for example, and let's call it 
dc.ad.example.com).
An IPv6-capable client (e.g. any Windows Vista or Windows 7 or Mac OS X or 
most Linuxes) attempting to resolve host.ad.example.com will recurse to 
ns1.example.com, which will provide the referral along with the IPv4 glue 
records for dc.ad.example.com (remember, ns1.example.com is NOT 
dual-stack).
A fairly typical client resolver will then do some sanity checking, and 
obtain more details from dc.ad.example.com before sending the ultimate A 
query for host.ad.example.com.  At this point, dc.ad.example.com reports 
*its own* IPv6 address to the IPv6-enabled client, even though they're 
still speaking IPv4.

Can anyone guess what happens next?

One of two scenarios, non-deterministically (AFAIK):
1. The resolver client suddenly decides to talk IPv6 to the authoritative 
nameserver "dc.ad.example.com", since it now knows its AAAA record, and 
IPv6 is obviously a better protocol, right?, fails to contact the 
nameserver over IPv6 and decides said nameserver is dead, and returns an 
ENOTFOUND or something similar to the requesting application.
2. The resolver client maintains its temporary cache of the nameserver's 
IPv4 address, and successfully obtains both A and AAAA records (again, 
this is typical for a gethostbyname() call) for the ultimate destination 
of host.ad.example.com.  Then the application attempts to open a socket... 
which the OS happily attempts to do using IPv6.

This all works great as long as there is IPv6 connectivity between the 
client resolver, the authoritative nameserver, AND the destination host. 
If there isn't, then you've just blackholed your subdomain, just by 
turning on IPv6.  Surprise!

I'm told this is a very common problem in the IPv6 early-adopter world, 
and there is no solution for it yet.  One partial solution is to use 
static IPv6 addresses in the 4to6-transition style (where the IPv4 address 
is embedded in the last 4 bytes of the IPv6 address); apparently many 
client IP stacks treat those semi-magically.  I don't understand the 
details of that yet, but IMHO that kind of invalidates the whole point of 
turning on IPv6 in the first place...

-Adam
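
A check for the failure described above, as an added example that is not part of the original post: for each name it compares the address families published in DNS with the families that actually answer from the client's vantage point, and flags any name that advertises AAAA while IPv6 does not get there. The addresses, the port 443 for the destination host, the TCP-connect probe (a simplification of a real DNS query) and all function names are assumptions made for the illustration.

```python
import ipaddress
import socket

def tcp_probe(addr, port, timeout=3.0):
    """True if a TCP connection to addr:port succeeds from this vantage point."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(published, probe=tcp_probe):
    """published maps name -> (port, [address strings from its A/AAAA records]).
    Returns name -> verdict for the vantage point the probe runs from."""
    report = {}
    for name, (port, addrs) in published.items():
        has = {4: False, 6: False}      # family is published in DNS
        works = {4: False, 6: False}    # at least one address of that family answers
        for addr in addrs:
            family = ipaddress.ip_address(addr).version
            has[family] = True
            works[family] = works[family] or probe(addr, port)
        if has[6] and not works[6]:
            # The case from the post: AAAA is advertised, but IPv6 does not get there.
            report[name] = "AAAA published, IPv6 unreachable" + (
                " (IPv4 works)" if works[4] else " (IPv4 also down)")
        elif has[6]:
            report[name] = "dual-stack ok"
        elif works[4]:
            report[name] = "IPv4-only ok"
        else:
            report[name] = "unreachable"
    return report

# Constructed sample (documentation address ranges), mirroring the post's names.
SAMPLE = {
    "ns1.example.com":     (53,  ["192.0.2.1"]),
    "dc.ad.example.com":   (53,  ["192.0.2.53", "2001:db8::53"]),
    "host.ad.example.com": (443, ["192.0.2.80", "2001:db8::80"]),
}

def v4_only_probe(addr, port):
    """Stand-in probe: a client whose IPv6 path to the servers is broken."""
    return ipaddress.ip_address(addr).version == 4

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE, v4_only_probe).items():
        print(f"{name:22} {verdict}")
```

Run with the default `tcp_probe` from each client network that matters, since the verdict depends on where the probe runs from.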


> -----Original Message-----
> From: roundtable-bounces at muug.mb.ca [mailto:roundtable-bounces at muug.mb.ca] On Behalf Of Sean Cody
> Sent: Thursday, May 12, 2011 16:38
> To: Continuation of Round Table discussion
> Subject: Re: [RndTbl] IPv6
>
> Almost on cue... O'Reilly's ebook deal today is "DNS and Bind on IPv6."
>
> --
> Sean (mobile)
>
> On 2011-05-12, at 11:37 AM, "Gilbert E. Detillieux"
> <gedetil at cs.umanitoba.ca> wrote:
>
> > As an example of how things can be more complicated than might seem at
> > first, consider setting up an e-mail server with the usual raft of
> > anti-spam measures...
> >
> > http://www.itworldcanada.com/news/e-mail-and-ipv6-what-it-admins-need-to-know/143080
> >
> > Oh yeah, we tend to look up those client addresses a fair bit to
> > determine the client's reputation...  When will all that work well
> > under IPv6?
> >
> > In any case, I'm hoping to spend part of my summer at work reading up
> > on IPv6, and starting a few LAN-based experiments.  No word yet on
> > when the UofM will have its router infrastructure IPv6-ready, though.
> >
> > Maybe Adam and I can compare notes in the fall, and see if either of
> > us is ready to present something on the topic.
> >
> > Gilbert
> >
> > On 2011-05-11 20:02, Adam Thompson wrote:
> >> Unfortunately, no-one is willing to be the bad guy in that story... Not even a *country* can really pull it off.
> >> Think about how many non-IPv6-capable devices there are out there: virtually every single home router, printer, modem, camera, etc.
> >> Now as soon as a flag day is declared, the self-entitled of the world will rise up and say to their government, "who's going to pay for my new equipment?"  Never mind that we've all known this day would come for over 10 years...
> >>
> >> On the other hand, I might turn out to be the first who actually has to manage a dual-stack network... and be willing to talk about it, anyway. Assuming I'm not on powerful drugs as a result of doing so!  Holy **** does it get complicated!
> >> -Adam
> >>
> >>
> >> Trevor Cordes<trevor at tecnopolis.ca>  wrote:
> >>
> >>> On 2011-05-11 Sean Cody wrote:
> >>>> Anyone have an interest or is implementing ipv6 anywhere?
> >>>>
> >>>> An intro to ipv6 would be a great presentation topic so if you can
> >>>> share your experience, please do!
> >>>
> >>> Seconded.  But don't look at me.
> >>>
> >>> Does anyone know when home ISP's like Shaw will start to offer IPv6
> >>> to home users?  I don't think v6 will go anywhere until the ISP's
> >>> with their massive IP pools start switching end users to it. 
> >>> Correct?
> >>>
> >>> All of this 6-to-4 stuff seems stupid and overly complex.  I would
> >>> like to just see a day picked where 4 is shutoff and only 6 can be
> >>> used.
> >>> We'll all be !@$#%ing our pants for a few days/weeks but then it'll
> >>> be done.
> >
> > --
> > Gilbert E. Detillieux        E-mail: <gedetil at muug.mb.ca>
> > Manitoba UNIX User Group    Web:    http://www.muug.mb.ca/
> > PO Box 130 St-Boniface        Phone:  (204)474-8161
> > Winnipeg MB CANADA  R2H 3B4    Fax:    (204)474-7609
> > _______________________________________________
> > Roundtable mailing list
> > Roundtable at muug.mb.ca
> > http://www.muug.mb.ca/mailman/listinfo/roundtable
>




