IPv6 and DNS - PowerPoint PPT Presentation

1 / 15
About This Presentation
Title:

IPv6 and DNS

Description:

it is proposed to augment the existing root servers with IPv6 capability in ... is it safe to recommend to RSSAC & ICANN to add IPv6 addresses to the root ... – PowerPoint PPT presentation

Number of Views:81
Avg rating:3.0/5.0
Slides: 16
Provided by: billma5
Category:
Tags: dns | icann | ipv6 | presuming

less

Transcript and Presenter's Notes

Title: IPv6 and DNS


1
IPv6 and DNS
  • why is the root not available over IPV6 transport
    and when will it be fixed?
  • bill manning - LACNIC-VIII

2
Before a Priming Query
  • it is proposed to augment the existing root
    servers with IPv6 capability in their transport
    and in their DNS server code. Once these
    capabilities are in place, it is expected to
    formally announce the availability of the root
    zone over both IP4 and IPv6 transport and using
    both A and AAAA resource records.
  • seven of the 13 root servers have IPv6 transport
    capability and all are running IPv6 capable code.
    so what's the problem?
  • Issues surrounding why there is no IPv6 native
    access to root nameservers YET.

3
DNS Resolution

Query girigiri.gbrmpa.gov.au
name server
Refer to au NS
IMR
A hints
Query girigiri.gbrmpa.gov.au
au name server
Refer to gov.au NS
au
nz
sg
Query girigiri.gbrmpa.gov.au
gov.au name server
gov
edu
Refer to gbrmpa.gov.au NS
Query girigiri.gbrmpa.gov.au
Query
Reply
gbrmpa.gov.au name server
Address of girigiri.gbrmpa.gov.au
sa
ips
gbrmpa
resolver
4
The Priming Query
  • The first question asked by an IMR to the root
    servers
  • Based on the beltsuspenders data - in the case
    of UNIX, the hints or root.cache file.
  • What is in this file anyway?
  • glue - a list of server names and the
    associated IP addresses. Today only IPv4

5
Root Hints
formerly NS.INTERNIC.NET .
3600000 IN NS A.ROOT-SERVERS.NET. A.ROOT-
SERVERS.NET. 3600000 A
198.41.0.4 formerly NS1.ISI.EDU .
3600000 NS
B.ROOT-SERVERS.NET. B.ROOT-SERVERS.NET.
3600000 A 192.228.79.201
6
What will happen when IPv6 data is added to this
file?
  • the problem lies not with the augmented root
    servers or the zone file, but with the systems
    that generate priming queries.

. 3600000 NS
Z.IP6.INT. Z.IP6.INT. 3600000 A
198.32.2.66 Z.IP6.INT. 3600000 AAAA
3ffe01c620242 . 3600000
NS Y.IP6.INT. Y.IP6.INT. 3600000
AAAA 3ffe50e1
7
The agony of choice
  • How does the IMR select which protocol to use
    first?
  • Some use IPv4 first, then IPv6, some use IPv6
    first, then IPv4.
  • How are mapped IPv4 addresses interpreted?
  • Does the IMR DNS software support IPv6?
  • with over 146 variants, its tough to tell.
  • Some audits indicate BIND is/remains the
    predominant version for authoritative servers
    What about the IMRs?

8
How many IMRs are there and what are they running?
  • IMRs are not listed in any configuration file.
  • Need to audit.
  • Query logs were taken from B, H, and J root
    servers.
  • logs were 4, 1, and 24 hours
  • Sort out the priming queries (about 3 of total
    traffic, but that is another talk)
  • Fingerprint the sorted servers to identify DNS
    variant.

9
IMR distribution
  • H - 243 IMRs, 14 variants, 123 running non-AAAA
    compliant
  • J - 65698 IMRs, 141 variants, 22300 running
    non-AAAA compliant
  • B - 21823 IMRs, 51 variants, 10556 running
    non-AAAA compliant
  • 32,979 servers of 87,764 or 32 of IMRs appear
    unable to properly process AAAA addresses

10
DNS Resolution

Query girigiri.gbrmpa.gov.au
name server
Refer to au NS
IMR
AAAA/A hints
Query girigiri.gbrmpa.gov.au
au name server
Refer to gov.au NS
au
nz
sg
Query girigiri.gbrmpa.gov.au
gov.au name server
gov
edu
Refer to gbrmpa.gov.au NS
Query girigiri.gbrmpa.gov.au
Query
Reply
gbrmpa.gov.au name server
Address of girigiri.gbrmpa.gov.au
sa
ips
gbrmpa
resolver
11
Known evolution for BIND
  • pre 9.2.0a1 -
  • bug 628 - If the root hints contained only AAAA
    addresses, named would be unable to perform
    resolution.
  • bug 799 - The ADB didn't find AAAA glue in a
    zone unless A6 glue was also present
  • pre 8.4.3 -
  • bug 1617 - don't pre-fetch missing additional
    address records if we have one of A/AAAA
  • bug 1613 - don't lookup A/AAAA records for
    nameservers if we don't support the address at
    the transport level

12
For these systems with old code..
  • Will an IMR re-prime if the first address it
    sees is a AAAA record?
  • Early testing indicates that for two tested
    versions of BIND, the answer is NO. These tested
    versions comprise 2.3 of the total tested IMR
    base
  • e.g. the nameserver STOPS and needs to be
    restarted (and hope that a AAAA record does not
    show up)

13
What we have not tested
  • IMR OS capabilities
  • Most DNS variants
  • Extensive searches for more comprehensive IMR
    lists

14
Questions?
  • Presuming the 32 is a valid number, is it safe
    to recommend to RSSAC ICANN to add IPv6
    addresses to the root servers and make this
    publicly available?
  • What is the IMR client base? A given IMR may be
    the only recursive view into the DNS for
    thousands of endsystems.
  • Other issues w/ old BIND (and by extrapoltation -
    other DNS code?) http//www.isc.org/sw/bind/bin
    d4.php
  • Upgrading - even in the face of known security
    lapses - is nearly impossible to force.
  • What do you think?
  • Carrot? - delay native IPv6 - maintain
    stability
  • Stick? - add native IPv6 - force software
    upgrades

15
Thank You
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "IPv6 and DNS" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!