dns ipv 6
TRANSCRIPT
-
8/3/2019 dns IPV 6
1/8
1
DITCHE, Port Elizabeth, Sep. 2005
IPv6 support in the DNS
DITCHE, Port Elizabeth, Sep. 2005
How important is the DNS?
Getting the IP address of the remote endpoint is necessary for everycommunication between TCP/IP applications
Humans are unable to memorize millions of IP addresses (specially IPv6addresses)
To a larger extent: the Domain Name System (DNS) provides applicationswith several types of resources (domain name servers, mail exchangers,
reverse lookups, ) they need
DNS design hierarchy
distribution
redundancy
simplicity
-
8/3/2019 dns IPV 6
2/8
2
DITCHE, Port Elizabeth, Sep. 2005
frname server
asso.fr
name server
g6.asso.frname server
nameserver
resolver
Reply
fr de com
asso inria
abg afnic g6
Refer to frNS + glue
Refer to asso.frNS [+glue]
Refer to g6.asso.frNS [+ glue]
Query foo.g6.asso.fr RR?
RR for
foo.g6.asso.fr
Query
foo.g
6.asso.frRR
?
Query
foo.g6.asso.fr RR?
Query
foo.g6.asso.fr RR?
Query
foo.g6.asso.fr RR?
name server
root
DNS Resource Lookup
DITCHE, Port Elizabeth, Sep. 2005
DNS Extensions for IPv6
RFC 1886 RFC 3596 (upon successful interoperability tests)
AAAA: forward lookup (Name IPv6 Address):Equivalent to A record
Example:
ns3.nic.fr. IN A 192.134.0.49
IN AAAA 2001:660:3006:1::1:1
PTR : reverse lookup (IPv6 Address Name):Reverse tree equivalent to in-addr.arpa
New tree: ip6.arpa (under deployment)Former tree: ip6.int (deprecated)
Example:
$ORIGIN 1.0.0.0.6.0.0.3.0.6.6.0.1.0.0.2.ip6.arpa.
1.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0 PTR ns3.nic.fr.
-
8/3/2019 dns IPV 6
3/8
3
DITCHE, Port Elizabeth, Sep. 2005
The Two Approaches to the DNS
The DNS seen as a distributed Database Stores different types of Resource Records (RR): SOA, NS, A,
AAAA, MX, SRV, PTR,
DNS data is independent of the IP version (v4/v6) theDNS server is running on!
The DNS seen as a TCP/IP application
The service is accessible in either transport modes (UDP/TCP)and over either IP versions (v4/v6)
Information given over both IP versions MUST BECONSISTENT!
DITCHE, Port Elizabeth, Sep. 2005
frnetarpa
ripe
whois
ip6
0.6
6.0.0.3
com
apnic nic
ns3www
ns3.nic.fr
1.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.6.0.0.3.0.6.6.0.1.0.0.2.ip6.arpa
e.f.f.3
Name IP AddressIP Address Name
ns3.nic.fr
int
2001:660:3006:1::1:1
in-addr
192
134
0
49
0 255...
192.134.0.49
193
49.0.134.192.in-addr.arpa.
192.134.0.49
ituip6
...
4
1.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0
2001:660:3006:1::1:1
6.0.1.0.0.2
Lookups in an IPv6-aware DNS Tree
-
8/3/2019 dns IPV 6
4/8
4
DITCHE, Port Elizabeth, Sep. 2005
name server
IPv6-only
Cache
Name
Server
resolver
Reply:TIMEOUT
fr de com
Manually
configured
root file
Query
foo.g
6.asso.frRR?
Query
foo.g6.asso.fr RR?
root
DNS Service Continuity through IP
Networks13 IPv4-only
Root Name Servers
[a-m].root-servers.netIPv6-only
Network
DITCHE, Port Elizabeth, Sep. 2005
name server
comname server
example.comname server
ipv6.example.comIPv6-only name server
IPv4-only
Cache
Name
Server
resolver
Reply:
TIMEOUT
com fr org
example dotcom
ipv6
Refer to com NS + glue
Refer to example.com NS [+ glue]
Refer to ipv6.example.comNS + v6-onlyglue
Query foo.ipv6.example.com RR?
Manually
configured
root file
Query
foo.ipv6.example.com
RR?
Query
foo.ipv6.example.com
RR?
Queryfoo.ipv6.example.com RR?
Queryfoo.ipv6.example.com RR?
root
foo
IPv4-onlyNetwork
DNS Service Continuity through IP
Networks (2)
-
8/3/2019 dns IPV 6
5/8
5
DITCHE, Port Elizabeth, Sep. 2005
About Required IPv6 Glue in DNSZones
When the DNS zone is delegated to a DNS server (among others) contained in the zone itself
Example: In zone file rennes.enst-bretagne.fr@ IN SOA rsm.rennes.enst-bretagne.fr. fradin.rennes.enst-bretagne.fr.
(2005040201 ;serial
86400 ;refresh3600 ;retry3600000 ; expir e}
IN NS rsm
IN NS univers.enst-bretagne.fr.
[]
ipv6 IN NS rhadamanthe.ipv6
IN NS ns3.nic.fr.
IN NS rsm
;rhadamanthe.ipv6 IN A 192.108.119.134
IN AAAA 2001:660:7301:1::1
[]
IPv4 glue (A 192.108.119.134 ) is required to reach rhadamanthe over IPv4 transport
IPv6 glue (AAAA 2001:660:73001:1::1) is required to reach rhadamanthe over IPv6 transport
DITCHE, Port Elizabeth, Sep. 2005
IPv6 Support for the Root Servers
Why not? No room available for an extra root server IP(v4/v6) address
DNS response size limit is 512 bytes unless EDNS.0 is used
IPv6 infrastructure is not mature yet for the operation of the rootservers -- not a valid argument!
Homework done first
RS.NET Testbed: http://www.rs.net/ Test and prove that new technologies (IPv6, DNSsec, IDN) are
harmless
Several TLDs participate in the testbed (FR, JP, SE, )
Who can put AAAA Glue Records in the Root Zone? IANA/ICANN
-
8/3/2019 dns IPV 6
6/8
6
DITCHE, Port Elizabeth, Sep. 2005
IPv6 DNS and root servers
DNS root servers are critical resources!
13 roots around the world (#10 in the US) Need for (mirror) root servers to be installed in other locations (EU,
Asia, Africa, )
New technique : anycast DNS server
To build a clone from the master/primary server
Containing the same information (files)
Using the same IP address
Such anycast servers have already begun to be installed : F root server : Ottawa, Paris (Renater), Hongkong, Lisbon (FCCN),
Dubai,
K root : London, Amsterdam,
Look at http://www.root-servers.org for the complete and updated list.
DITCHE, Port Elizabeth, Sep. 2005
DNS Discovery
A Stub Resolver needs a Recursive Name Serveraddress for name resolution and a Search Path
In IPv4 world, the DNS parameters are: Either configured manually in the stub resolver (e.g.
/etc/resolv.conf)
Or discovered via DHCPv4
In IPv6 world: Proposals for DNS Discovery:
Under discussion IETF ipv6/dnsop WGs
Stateless Discovery: RA-Based vs Stateful Discovery: DHCPv6(-light)
Well-known address (anycast or unicast): seems to be out of date
-
8/3/2019 dns IPV 6
7/8
7
DITCHE, Port Elizabeth, Sep. 2005
DNSv6 Operational Requirements &Recommendations
The target today IS NOT the transition from an IPv4-only to an IPv6-onlyenvironment
It IS RATHER EASY to get from an IPv4-only to a mixed v4/v6 environmentwhere:
Some systems will remain IPv4-only
Some systems will be dual-stacked
Some systems will be IPv6-only
How to get there? Start by testing DNSv6 on a small network and get your own conclusion that
DNSv6 is harmless, but remember:
The server (host) must support IPv6
And DNS server software must support IPv6 Deploy DNSv6 in an incremental fashion on existing networks
DO NOT BREAK something that works fine (production IPv4 DNS)!
DITCHE, Port Elizabeth, Sep. 2005
DNSv6 Operational Requirements &
Recommendations #2
How to get there? (cont.) For new large IPv6-only networks: enable IPv6-only
resolvers to query the DNS for IPv4-only resources by(for example):
Letting them query dual-stack forwarders
Using some DNS ALG
Bear in mind Any DNS zone SHOULD be served by at least one
IPv4 name server
All DNS zones (including root, yes, yes!) SHOULD bereachable over IPv4 and IPv6
-
8/3/2019 dns IPV 6
8/8
8
DITCHE, Port Elizabeth, Sep. 2005
DNS IPv6-capable software
BIND (Resolver & Server)
http://www.isc.org/products/BIND/
BIND 9 (avoid older versions)
On Unix distributions
Resolver Library (+ (adapted) BIND)
NSD (authoritative server only)
http://www.nlnetlabs.nl/nsd/
Microsoft Windows (Resolver & Server)
...