IPv6 & DNS: DNSv6

G6 Tutorial

Overview

– How important is the DNS?
– DNS Extensions for IPv6
– DNS Resource Lookup
– Recursive Name Servers Information Discovery
– DNS Service Continuity through IP Networks
– Operational Requirements, Recommendations & Issues
– About IPv6 AAAA glue Records in DNS Zones
– IPv6-capable DNS Software

How important is the DNS?

Need for Name Resolution (Lookup)
– Name resolution is needed prior to a TCP/IP communication
– With the Internet's exponential growth, it became:
  • impossible to memorize millions of IP addresses;
  • impossible to maintain them in a centralized flat file (aka '/etc/hosts')

2 Approaches to the DNS: RFC 1034 / RFC 1035
– A Database: stores different types of Resource Records (RR):
  • Mainly IP address(es) but other types (NS, MX, PTR, …)
– A TCP/IP Protocol and a Client/Server Application:
  • IPv4 and IPv6; UDP & TCP; port 53
  • Query (for a RR) → lookup in the DNS database → Response

Data returned to DNS clients SHOULD NOT depend on the underlying IP version

DNS Extensions for IPv6 Support

RFC 3596 (DS)

Forward lookup ('Name → IPv6 Address'):
– A new Resource Record (RR): 'AAAA'
– The 'AAAA' RR is for IPv6 what the 'A' RR is for IPv4
– Example:

    www.afnic.fr.   IN A     192.134.4.20
                    IN AAAA  2001:660:3003:2::4:20

Reverse lookup ('IPv6 Address → Name'):
– PTR RR (pointer) applied to the new reverse tree: ip6.arpa
– A dedicated tree with nibble (4 bits) boundaries
– The ip6.arpa tree is for IPv6 what the in-addr.arpa tree is for IPv4
– Example:

    $ORIGIN 1.0.0.0.6.0.0.3.0.6.6.0.1.0.0.2.ip6.arpa.
    1.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0  PTR  ns3.nic.fr.

DNS AAAA Lookup

[Figure: resolution of 'www.afnic.fr' AAAA? for the resolver g6, starting from the manually configured root-servers list. The root "." name server refers to the fr NS + glue; the fr name server refers to the afnic.fr NS; the afnic.fr name server returns the AAAA for www.afnic.fr: 2001:660:3003:2::4:20. Response to the resolver: www.afnic.fr has IPv6 @ 2001:660:3003:2::4:20]

Lookups in an IPv6-aware DNS Tree

[Figure: the DNS tree with its Name → IP Address branches and its IP Address → Name branches under arpa (in-addr and ip6). Mappings shown:
    ns3.nic.fr → 192.134.0.49
    192.134.0.49 → 49.0.134.192.in-addr.arpa.
    ns3.nic.fr → 2001:660:3006:1::1:1
    2001:660:3006:1::1:1 → 1.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.6.0.0.3.0.6.6.0.1.0.0.2.ip6.arpa]

Recursive Name Servers Information Discovery

A Stub Resolver needs a Recursive Name Server address to which it sends name resolution queries

In the IPv4 world, this DNS information is:
– Either configured manually in the stub resolver (e.g. /etc/resolv.conf for Unix stations)
– Or discovered via DHCPv4

In the IPv6 world: RFC 4339 (IPv6 Host Configuration of DNS Server Information Approaches)
– Via stateful DHCPv6 (RFC 3315)
– Via stateless DHCPv6 (RFC 3736, "DHCPv6-light"), best preferred
– RA-based: http://www.ietf.org/internet-drafts/draft-jeong-dnsop-ipv6-dns-discovery-08.txt (not so popular; towards an experimental RFC)
– Well-known address (anycast or unicast)
– Manual configuration as for IPv4
– If IPv4 is supported, then run a DHCPv4 client

DNS Service Continuity through IP Networks

[Figure: a resolver in an IPv6-only network asks its IPv6-only cache name server (manually configured root file) for 'foo.g6.asso.fr' RR?. The 13 root name servers, [a-m].root-servers.net, are IPv4-only, so the query to the root "." ends with Reply: TIMEOUT]

DNS Service Continuity through IP Networks (2)

[Figure: a resolver in an IPv4-only network asks its IPv4-only cache name server (manually configured root file) for 'foo.ipv6.example.com' RR?. The root "." name server refers to the com NS + glue; the com name server refers to the example.com NS [+ glue]; the example.com name server refers to the ipv6.example.com NS + v6-only glue; the query to the IPv6-only ipv6.example.com name server ends with Reply: TIMEOUT]

DNSv6 Operational Requirements, Recommendations & Issues

RFC 3901: "DNS IPv6 Transport Operational Guidelines"

To guarantee DNS service continuity across a mixture of IPv4/v6 networks:
  • Every Recursive Name Server SHOULD be either IPv4-only or dual stack
    – Use dual-stack forwarders (DNS ALG) if necessary
  • Every DNS zone SHOULD be served by at least one IPv4-reachable Authoritative Name Server
    – Avoid IPv6-only servers

Bear in mind: during the long IPv4-IPv6 transition period, some systems will stay IPv4-only, others will be/become dual-stack & others will be IPv6-only

RFC 4472 "Operational Considerations and Issues with IPv6", among others:
  • Misbehavior of some DNS servers and load-balancers
  • Handling special (e.g. limited-scope) IPv6 addresses (published vs reachable)
  • Service name vs Node name
  • IPv6 and Dynamic DNS Update (RFC 2136)

IPv6 Glue in DNS Zones

Glue is needed when the DNS zone is delegated to a DNS server (among others) contained in the zone itself

Example: in zone file fr

    @               IN SOA  oldnsmaster.nic.fr. hostmaster.nic.fr. (
                            2005020800  ;serial
                            3600        ;refresh
                            1800        ;retry
                            3600000     ;expire
                            5400 )      ;negative ttl
                    IN NS   a.nic.fr.
                    IN NS   b.nic.fr.
    […]
    renata.fr.      IN NS   paris.amen.fr.
                    IN NS   ns2.amen.fr.
    renater         IN NS   ns1.renater.fr.
                    IN NS   calypso.urec.cnrs.fr.
    ns1.renater.fr. IN A    193.49.159.2
                    IN AAAA 2001:660:3001:4002::2
    […]

– IPv4 glue (A 193.49.159.2) is required to reach ns1 over IPv4 transport
– IPv6 glue (AAAA 2001:660:3001:4002::2) is required to reach ns1 over IPv6 transport

IPv6 support by Root and TLD Servers

13 root servers « around » the world (10 in the US):
– [A-M].root-servers.net
– In fact, more than 13: due to anycast deployment

Some root servers are reachable on IPv6 transport
– But their IPv6 address is NOT published in the root zone
– E.g.: B, F, H, K, M, … Cf. http://www.root-servers.org/

Why is IPv6 transport not yet officially supported by the root servers?
– Technical reasons: UDP response size limit (512 bytes)
– Other reasons? …

AAAA glue records are already present in the root zone for TLD delegation
– Who puts them?
  • ICANN/IANA
– When started?
  • 21 July 2004 with: FR, JP & KR
  • Today: more than 30 TLDs
– How to proceed for a TLD?
  • http://www.iana.org/procedures/delegation-data.html

DNS IPv6-capable software

BIND (Resolver & Server)
– http://www.isc.org/products/BIND/
– BIND 8.2.4 (or later)
– BIND 9

On Unix distributions
– Resolver Library (+ (adapted) BIND)

NSD (authoritative server only)
– http://www.nlnetlabs.nl/nsd/

Microsoft Windows (Resolver & Server)

…

APIs

getaddrinfo() for forward lookup
– hostname → addresses
– Replacement for gethostbyname()
– With AF_UNSPEC, applications become protocol-independent

getnameinfo() for reverse lookup
– address → hostname
– Replacement for gethostbyaddr()

References

DNSv6-related RFCs & Internet-Drafts
– RFC 3596: "DNS Extensions to Support IP Version 6"
– RFC 3901: "DNS IPv6 Transport Operational Guidelines"
– RFC 4472: "Operational Considerations and Issues with IPv6"
– "DNS Response size issues" (A. Kato & P. Vixie, work in progress) draft-ietf-dnsop-respsize-03.txt

Other technical documents
– "Adding IPv6 Glue To The Rootzone" (R. van der Pol & D. Karrenberg) http://www.nlnetlabs.nl/ipv6/publications/v6rootglue.pdf
– "DNS Response Size and Name Compression" (M. Souissi, AFNIC) http://w6.nic.fr/dnsv6/resp-size.html

Books
– DNS and BIND, 5th edition (Paul Albitz & Cricket Liu)
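
The reverse-lookup example from the "DNS Extensions for IPv6 Support" slide, worked through in code. This is an added example, not part of the original tutorial; the function names are hypothetical. It splits an address into the $ORIGIN of its reverse zone and the relative PTR owner on a nibble boundary, and converts a full ip6.arpa name back to an address.

```python
from ipaddress import IPv6Address, IPv6Network

def reversed_nibbles(addr):
    """All 32 hex digits of an IPv6 address, least significant first."""
    return list(reversed(IPv6Address(addr).exploded.replace(":", "")))

def ptr_record(prefix, addr, target):
    """Return ($ORIGIN of the reverse zone, relative PTR line) for addr."""
    net = IPv6Network(prefix)
    if net.prefixlen % 4:
        # ip6.arpa labels are single nibbles, so a zone cut cannot fall mid-nibble
        raise ValueError("reverse zone prefix must end on a 4-bit boundary")
    if IPv6Address(addr) not in net:
        raise ValueError("address is outside the reverse zone's prefix")
    digits = reversed_nibbles(addr)
    host_len = (128 - net.prefixlen) // 4      # nibbles left of the zone cut
    origin = ".".join(digits[host_len:]) + ".ip6.arpa."
    owner = ".".join(digits[:host_len])
    return origin, f"{owner} PTR {target}"

def address_from_ptr_name(name):
    """Convert a full 32-nibble ip6.arpa name back to its IPv6 address."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:
        raise ValueError("not a full 32-nibble ip6.arpa name")
    if any(len(label) != 1 for label in labels[:-2]):
        raise ValueError("each label must be exactly one hex digit")
    return str(IPv6Address(int("".join(reversed(labels[:-2])), 16)))

if __name__ == "__main__":
    # Values taken from the slides: ns3.nic.fr at 2001:660:3006:1::1:1
    origin, line = ptr_record("2001:660:3006:1::/64",
                              "2001:660:3006:1::1:1", "ns3.nic.fr.")
    print("$ORIGIN", origin)
    print(line)
    print(address_from_ptr_name(line.split()[0] + "." + origin))
```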
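
The two "DNS Service Continuity" failure cases and the RFC 3901 recommendations above can be checked mechanically. This is an added example, not part of the original tutorial: it walks a constructed delegation chain for a resolver with a given IP stack and reports where resolution times out. The server names and addresses are placeholders from documentation ranges, and the function names are hypothetical.

```python
from ipaddress import ip_address

# Constructed delegation chain modelled on the slides' foo.ipv6.example.com case.
# Server names and addresses are placeholders, not real name servers.
CHAIN = [
    (".",                 {"ns.root.test.": ["192.0.2.1"]}),
    ("com.",              {"ns.com.test.": ["192.0.2.2"]}),
    ("example.com.",      {"ns.example.com.": ["192.0.2.3", "2001:db8:1::53"]}),
    ("ipv6.example.com.", {"ns.ipv6.example.com.": ["2001:db8:6::53"]}),
]

def transports(servers):
    """IP versions (4 and/or 6) over which at least one server is reachable."""
    return {ip_address(a).version for addrs in servers.values() for a in addrs}

def walk(chain, stack, forwarder_stack=None):
    """Follow referrals root-to-leaf for a resolver whose IP stack is `stack`.

    If `forwarder_stack` is given, the resolver hands the query to a forwarder
    it shares a transport with, and the forwarder's stack drives the walk.
    Returns (answered, trace); trace lists (zone, address used or None).
    """
    if forwarder_stack is not None:
        if not set(stack) & set(forwarder_stack):
            return False, [("forwarder", None)]
        stack = forwarder_stack
    trace = []
    for zone, servers in chain:
        usable = [a for addrs in servers.values() for a in addrs
                  if ip_address(a).version in stack]
        trace.append((zone, usable[0] if usable else None))
        if not usable:
            return False, trace    # every query to this zone times out
    return True, trace

def rfc3901_violations(chain):
    """Zones with no IPv4-reachable authoritative name server."""
    return [zone for zone, servers in chain if 4 not in transports(servers)]

if __name__ == "__main__":
    cases = [("IPv4-only resolver", ({4},)),
             ("IPv6-only resolver", ({6},)),
             ("IPv4-only resolver via dual-stack forwarder", ({4}, {4, 6}))]
    for label, args in cases:
        ok, trace = walk(CHAIN, *args)
        print(f"{label}: {'answer' if ok else 'TIMEOUT at ' + trace[-1][0]}")
    print("No IPv4-reachable server:", rfc3901_violations(CHAIN))
```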
