IPv6 & DNS: DNSv6

lumpishtrickle, Software & software development

30 Jun 2012

G6 Tutorial

Overview

How important is the DNS?

DNS Extensions for IPv6

DNS Resource Lookup

Recursive Name Servers Information Discovery

DNS Service Continuity through IP Networks

Operational Requirements, Recommendations & Issues

About IPv6 AAAA glue Records in DNS Zones

IPv6-capable DNS Software

How important is the DNS?

- Need for Name Resolution (Lookup)
  - Name resolution needed prior to a TCP/IP communication
  - With Internet exponential growth, it became:
    - impossible to memorize millions of IP addresses;
    - impossible to maintain them in a centralized flat file (aka /etc/hosts)
- 2 Approaches to the DNS: RFC 1034 / RFC 1035
  - A Database: stores different types of Resource Records (RR):
    - Mainly IP address(es), but also other types (NS, MX, PTR, ...)
  - A TCP/IP Protocol and a Client/server Application:
    - IPv4 and IPv6; UDP & TCP; port 53
    - Query (for a RR) → lookup in the DNS database → Response
- Data returned to DNS clients SHOULD NOT depend on the underlying IP version

DNS Extensions for IPv6 Support: RFC 3596 (DS)

- Forward lookup (Name → IPv6 Address):
  - A new Resource Record (RR): AAAA
  - The AAAA RR is for IPv6 what the A RR is for IPv4
  - Example:

    www.afnic.fr.   IN  A     192.134.4.20
                    IN  AAAA  2001:660:3003:2::4:20

- Reverse lookup (IPv6 Address → Name):
  - PTR RR (pointer) applied to the new reverse tree: ip6.arpa
  - A dedicated tree with nibble (4 bits) boundaries
  - The ip6.arpa tree is for IPv6 what the in-addr.arpa tree is for IPv4
  - Example:

    $ORIGIN 1.0.0.0.6.0.0.3.0.6.6.0.1.0.0.2.ip6.arpa.
    1.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0   PTR   ns3.nic.fr.

DNS AAAA Lookup

[Figure: resolution of www.afnic.fr AAAA. The resolver sends "Query www.afnic.fr AAAA?" to its name server, which starts from a manually configured root-servers list and sends the same query in turn to:
 - the "." name server, which answers "Refer to fr NS + glue";
 - the fr name server, which answers "Refer to afnic.fr NS";
 - the afnic.fr name server, which answers "AAAA for www.afnic.fr: 2001:660:3003:2::4:20".
Response to the resolver: "www.afnic.fr has IPv6 @ 2001:660:3003:2::4:20". Tree labels shown: root ".", fr, de, com, afnic, inria, asso, g6.]

Lookups in an IPv6-aware DNS Tree

[Figure: the DNS tree with both lookup directions for ns3.nic.fr.
 - Name → IP Address: ns3.nic.fr → 192.134.0.49 and 2001:660:3006:1::1:1
 - IP Address → Name: 49.0.134.192.in-addr.arpa. → ns3.nic.fr (for 192.134.0.49)
 - IP Address → Name: 1.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.6.0.0.3.0.6.6.0.1.0.0.2.ip6.arpa → ns3.nic.fr (for 2001:660:3006:1::1:1)
Tree labels shown include: root ".", fr, net, com, int, arpa, in-addr, ip6, nic, ns3, www, ripe, apnic, whois, itu.]

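The nibble-reversed ip6.arpa names in the examples above can be derived mechanically. The following Python code is an added example, not part of the original slides; its function names are illustrative, and it goes slightly beyond the slides by also splitting a name into $ORIGIN and relative owner and by mapping a PTR owner name back to its address.

```python
import ipaddress

def reverse_name(addr):
    """Fully qualified PTR owner name for an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        # in-addr.arpa reverses whole octets
        return ".".join(str(ip).split(".")[::-1]) + ".in-addr.arpa."
    # ip6.arpa reverses the 32 hex nibbles of the fully expanded address
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def split_for_zone(addr, prefix_len):
    """Return ($ORIGIN of the reverse zone for the prefix, relative owner name)."""
    ipaddress.IPv6Address(addr)                      # IPv6 only; raises otherwise
    if prefix_len % 4 or not 0 < prefix_len < 128:
        raise ValueError("ip6.arpa zone cuts fall on nibble (4-bit) boundaries")
    labels = reverse_name(addr).split(".")[:32]      # host nibbles come first
    host_labels = 32 - prefix_len // 4
    origin = ".".join(labels[host_labels:]) + ".ip6.arpa."
    return origin, ".".join(labels[:host_labels])

def address_from_ptr(name):
    """Inverse mapping: full ip6.arpa owner name back to the IPv6 address."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not a full 32-nibble ip6.arpa name")
    nibbles = labels[:-2][::-1]
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        raise ValueError("each label must be a single hex digit")
    hexstr = "".join(nibbles)
    groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
    return str(ipaddress.IPv6Address(":".join(groups)))

if __name__ == "__main__":
    # Addresses taken from the slides (ns3.nic.fr)
    print(reverse_name("2001:660:3006:1::1:1"))
    print(split_for_zone("2001:660:3006:1::1:1", 64))
    print(reverse_name("192.134.0.49"))
```
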
Recursive Name Servers Information Discovery

- A Stub Resolver needs a Recursive Name Server address to which it sends name resolution queries
- In the IPv4 world, this DNS information is:
  - Either configured manually in the stub resolver (e.g. /etc/resolv.conf for Unix stations)
  - Or discovered via DHCPv4
- In the IPv6 world: RFC4339 (IPv6 Host Configuration of DNS Server Information Approaches)
  - Via stateful DHCPv6 (RFC 3315)
  - Via stateless DHCPv6 (RFC 3736, DHCPv6-light): best preferred
  - RA-based: http://www.ietf.org/internet-drafts/draft-jeong-dnsop-ipv6-dns-discovery-08.txt (not so popular; towards an experimental RFC)
  - Well-known address (anycast or unicast)
  - Manual configuration as for IPv4
  - If IPv4 is supported, then run a DHCPv4 client


.

name server
IPv6-only
Cache
Name
Server
resolver
Reply:
TIMEOUT

.

fr
de
com
Manually
configured
root file
Query

foo.g6.asso.fr

RR?
Query

foo.g6.asso.fr

RR?
root
DNS Service Continuity through IP Networks
13 IPv4-only
Root Name Servers
[a-
m].root-servers.net
IPv6-only
Network
G6 Tutorial
9

.

name server
com
name server
example.com
name server
ipv6.example.com
IPv6-only
name server
IPv4-only
Cache
Name
Server
resolver
Reply:
TIMEOUT

.

com
fr
org
example
dotcom
ipv6
Refer to
com
NS +
glue
Refer to
example.com
NS [+
glue
]
Refer to
ipv6.example.com

NS +
v6-only
glue
Query

foo.ipv6.example.com

RR?
Manually
configured
root file
Query

foo.i
pv6.example.com

RR?
Query

foo.i
pv6.example.com

RR?
Query

foo.i
pv6.example.com

RR?
Query

foo.i
pv6.example.com

RR?
root
foo
IPv4-only
Network
DNS Service Continuity through IP Networks (2)
G6 Tutorial
10
DNSv6 Operational Requirements, Recommendations & Issues

- RFC 3901: DNS IPv6 Transport Operational Guidelines
  - To guarantee DNS service continuity across a mixture of IPv4/v6 networks:
    - Every Recursive Name Server SHOULD be either IPv4-only or dual stack:
      - Use dual-stack forwarders (DNS ALG) if necessary
    - Every DNS zone SHOULD be served by at least one IPv4-reachable Authoritative Name Server
      - Avoid IPv6-only servers
  - Bear in mind
    - During the long IPv4-IPv6 transition period: some systems will stay IPv4-only, others will be/become dual-stack & others will be IPv6-only
- RFC4472: Operational Considerations and Issues with IPv6, among others:
  - Misbehavior of some DNS servers and Load-balancers
  - Handling special (e.g. limited-scope) IPv6-addresses (published vs reachable)
  - Service name vs Node name
  - IPv6 and Dynamic DNS Update (RFC 2136)

IPv6 Glue in DNS Zones

- When the DNS zone is delegated to a DNS server (among others) contained in the zone itself
- Example: In zone file fr

    @   IN  SOA  oldnsmaster.nic.fr. hostmaster.nic.fr. (
                 2005020800  ;serial
                 3600        ;refresh
                 1800        ;retry
                 3600000     ;expire
                 5400        ;negative ttl
                 )
        IN  NS   a.nic.fr.
        IN  NS   b.nic.fr.
    [...]
    renata.fr.       IN  NS    paris.amen.fr.
                     IN  NS    ns2.amen.fr.
    renater          IN  NS    ns1.renater.fr.
                     IN  NS    calypso.urec.cnrs.fr.
    ns1.renater.fr.  IN  A     193.49.159.2
                     IN  AAAA  2001:660:3001:4002::2
    [...]

- IPv4 glue (A 193.49.159.2) is required to reach ns1 over IPv4 transport
- IPv6 glue (AAAA 2001:660:3001:4002::2) is required to reach ns1 over IPv6 transport

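The glue requirement above and the RFC 3901 recommendation (at least one IPv4-reachable authoritative server per zone) can be checked over a parent zone's delegation records. The following Python code is an added example, not part of the original slides: the parser handles only the simple record layout used here, and the v6only and noglue delegations and the 2001:db8:: address are constructed for illustration.

```python
# Constructed fragment in the fr zone example's style; v6only/noglue are invented.
ZONE_FR = """\
renater          IN NS   ns1.renater.fr.
                 IN NS   calypso.urec.cnrs.fr.
ns1.renater.fr.  IN A    193.49.159.2
                 IN AAAA 2001:660:3001:4002::2
v6only           IN NS   ns.v6only.fr.
ns.v6only.fr.    IN AAAA 2001:db8::53
noglue           IN NS   ns.noglue.fr.
"""

def parse(text, origin="fr."):
    """Parse 'owner IN TYPE rdata' lines; an indented line reuses the last owner."""
    records, owner = [], None
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if not fields:
            continue
        if not line[0].isspace():
            owner = fields.pop(0).lower()
            if not owner.endswith("."):
                owner += "." + origin
        records.append((owner, fields[1].upper(), fields[2].lower()))
    return records

def audit_delegations(records):  # per child zone: glue coverage of in-zone servers
    glue = {}
    for owner, rtype, _ in records:
        if rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rtype)
    report = {}
    for zone, ns in [(o, d) for o, t, d in records if t == "NS"]:
        e = report.setdefault(zone, {"v4": False, "v6": False, "external": False, "no_glue": []})
        if not ns.endswith("." + zone):
            e["external"] = True       # server named outside the child zone: no glue here
            continue
        types = glue.get(ns, set())
        e["no_glue"] += [] if types else [ns]
        e["v4"], e["v6"] = e["v4"] or "A" in types, e["v6"] or "AAAA" in types
    return report

def findings(report):
    out = []
    for zone, e in sorted(report.items()):
        if e["no_glue"]:
            out.append((zone, "in-zone name server without glue: " + ", ".join(e["no_glue"])))
        elif e["v6"] and not e["v4"] and not e["external"]:
            out.append((zone, "IPv6-only glue; RFC 3901 asks for an IPv4-reachable server"))
    return out
```

`findings(audit_delegations(parse(ZONE_FR)))` reports the noglue and v6only delegations and leaves renater alone, since ns1.renater.fr. carries both A and AAAA glue.
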
IPv6 support by Root and TLD Servers

- 13 root servers « around » the world (10 in the US): [A-M].root-servers.net
  - In fact, more than 13: due to anycast deployment
- Some root-servers are reachable on IPv6 transport
  - But their IPv6 address is NOT published in the root zone
  - E.g.: B, F, H, K, M, ...
  - Cf. http://www.root-servers.org/
- Why is IPv6 transport not yet officially supported by the root servers?
  - Technical reasons: UDP response size limit (512 bytes)
  - Other reasons?
- AAAA Glue records already present in the root zone for TLD delegation
  - Who puts them? ICANN/IANA
  - When started? 21 July 2004 with: FR, JP & KR
  - Today: more than 30 TLDs
  - How to proceed for a TLD? http://www.iana.org/procedures/delegation-data.html

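To make the 512-byte UDP limit concrete, the following Python code (an added example, not part of the original slides) builds a root priming response in RFC 1035 wire format with name compression and measures how many AAAA glue records fit next to the 13 NS and 13 A records. Header flags, TTL and the all-zero addresses are placeholders, since only the message size matters here.

```python
import struct

def encode_name(name, offsets, pos):
    """Encode a domain name at message offset pos, using compression pointers."""
    out = b""
    labels = [l for l in name.rstrip(".").split(".") if l]
    for i in range(len(labels)):
        suffix = ".".join(labels[i:]).lower()
        if suffix in offsets:                      # seen before: 2-byte pointer
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        offsets[suffix] = pos + len(out)
        out += bytes([len(labels[i])]) + labels[i].encode("ascii")
    return out + b"\x00"

def add_rr(msg, offsets, owner, rtype, rdata_fn):
    """Append one resource record; rdata_fn gets the offset where RDATA starts."""
    msg += encode_name(owner, offsets, len(msg))
    msg += struct.pack("!HHI", rtype, 1, 3600000)  # TYPE, CLASS IN, TTL
    rdata = rdata_fn(len(msg) + 2)                 # +2 for RDLENGTH
    return msg + struct.pack("!H", len(rdata)) + rdata

def priming_response(n_aaaa):
    """13 NS for the root, 13 A glue records and n_aaaa AAAA glue records."""
    servers = ["%s.root-servers.net." % c for c in "abcdefghijklm"]
    offsets = {}
    msg = struct.pack("!HHHHHH", 0, 0x8400, 1, 13, 0, 13 + n_aaaa)
    msg += b"\x00" + struct.pack("!HH", 2, 1)      # question: ". IN NS"
    for s in servers:
        msg = add_rr(msg, offsets, ".", 2, lambda pos, s=s: encode_name(s, offsets, pos))
    for s in servers:
        msg = add_rr(msg, offsets, s, 1, lambda pos: bytes(4))     # A glue
    for s in servers[:n_aaaa]:
        msg = add_rr(msg, offsets, s, 28, lambda pos: bytes(16))   # AAAA glue
    return msg

def max_aaaa_glue(limit=512):
    """Largest number of AAAA glue records that keeps the response within limit."""
    n = 0
    while n < 13 and len(priming_response(n + 1)) <= limit:
        n += 1
    return n

if __name__ == "__main__":
    print(len(priming_response(0)), max_aaaa_glue(), len(priming_response(13)))
```
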
DNS IPv6-capable software

- BIND (Resolver & Server)
  - http://www.isc.org/products/BIND/
  - BIND 8.2.4 (or later)
  - BIND 9
- On Unix distributions
  - Resolver Library (+ (adapted) BIND)
- NSD (authoritative server only)
  - http://www.nlnetlabs.nl/nsd/
- Microsoft Windows (Resolver & Server)

APIs

- getaddrinfo() for forward lookup (hostname → addresses)
  - Replacement for gethostbyname()
  - With AF_UNSPEC, applications become protocol-independent
- getnameinfo() for reverse lookup (address → hostname)
  - Replacement for gethostbyaddr()

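The same two calls are exposed by Python's socket module. The following code is an added example, not part of the original slides, showing one AF_UNSPEC code path that serves both address families; the helper names are illustrative, and the numeric-host flags in the demo are only there so that it runs without a resolver.

```python
import socket

def forward_lookup(host, port, sock_type=socket.SOCK_DGRAM, flags=0):
    """getaddrinfo() with AF_UNSPEC: returns IPv4 and/or IPv6 results alike."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, sock_type, 0, flags)
    return [(family, sockaddr) for family, _type, _proto, _canon, sockaddr in infos]

def reverse_lookup(sockaddr, flags=0):
    """getnameinfo(): sockaddr -> (host, service) for either address family."""
    return socket.getnameinfo(sockaddr, flags)

def open_socket(host, port, sock_type=socket.SOCK_DGRAM, flags=0):
    """Protocol-independent client: try each returned address until one works."""
    last_error = None
    for family, sockaddr in forward_lookup(host, port, sock_type, flags):
        sock = None
        try:
            sock = socket.socket(family, sock_type)   # family comes from the result
            sock.connect(sockaddr)
            return sock
        except OSError as exc:
            if sock is not None:
                sock.close()
            last_error = exc
    raise last_error or OSError("no usable address for %r" % host)

if __name__ == "__main__":
    # Address literals from the slides; AI_NUMERICHOST avoids any DNS query.
    for literal in ("192.134.4.20", "2001:660:3003:2::4:20"):
        for family, sockaddr in forward_lookup(literal, 53, flags=socket.AI_NUMERICHOST):
            numeric = socket.NI_NUMERICHOST | socket.NI_NUMERICSERV
            print(family.name, sockaddr, reverse_lookup(sockaddr, numeric))
```
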
References

- DNSv6-related RFCs & Internet-Drafts
  - RFC 3596: DNS Extensions to Support IP Version 6
  - RFC 3901: DNS IPv6 Transport Operational Guidelines
  - RFC 4472: Operational Considerations and Issues with IPv6
  - DNS Response size issues (A. Kato & P. Vixie, work in progress): draft-ietf-dnsop-respsize-03.txt
- Other technical documents
  - Adding IPv6 Glue To The Rootzone (R. van der Pol & D. Karrenberg): http://www.nlnetlabs.nl/ipv6/publications/v6rootglue.pdf
  - DNS Response Size and Name Compression (M. Souissi, AFNIC): http://w6.nic.fr/dnsv6/resp-size.html
- Books
  - DNS and BIND, 5th edition (Paul Albitz & Cricket Liu)