[arin-ppml] IPv6 in the Economist

[Leo Bicknell]

In a message written on Fri, Jun 06, 2008 at 10:25:45AM -0400, Dean Anderson wrote:
> and IPv6.  One has to remove IPv4 NS records to make room for IPv6
> records, so any effort to deploy IPv6 comes at the expense of IPv4
> stability. While bad enough, that isn't the worst part.

I've seen one person confused by Dean's statement already, so I
will attempt to clarify.  Technically this is an extremely complex
issue that has no place on the ARIN PPML list, so I will offer only
the high level overview here.  There are other more appropriate
places for DNS information, and I would appreciate if you have
questions that they be taken off list.

DNS attempts to fit responses into a single UDP packet that will
not need to be fragmented back to the sender.  In IPv4 that requires
the packet to fit in a 576 byte packet, the minimum end to end
guaranteed MTU.  Note that for IPv6 this limit has been raised to
1280 bytes.

Doing the math you find that 13 NS records can be packed into a 512
byte response.  This is why there are 13 root servers, and why some
other domains have 13 name servers.  That's not to say it's a hard
limit, you could have more and do round robin or other tricks; but
it often becomes a useful limit to know.

Since there were 13 root servers, that is a full packet, a decision
had to be made as to what to do when IPv6 addresses were added.
Different name server software behaves slightly differently; basically
you can prefer to fill the packet as much as possible, or you can
prefer IPv4 over IPv6, or you can prefer IPv6 over IPv4.  At the
end of this message are some sample queries if you want to go and
look for yourself.

Note: only 6 root servers have IPv6 addresses today, eventually that
will likely be all 13.

The results:
  Before: 13 root servers
  After, Behavior #1: 10/13 IPv4 root addresses (at random) 
                      plus 4/6 IPv6 root addresses (at random)
  After, Behavior #2: 13/13 IPv4 root addresses, 2/6 IPv6 root
                      addresses (at random)

If you look at behavior #1, I believe that is the inspiration for
Dean's statement, quoted above.  [Only a guess.]

One solution is a client could re-query using TCP.  Some clients may
do that.

Fortunately DNS has also moved on.  RFC 2671 specifies EDNS0, an
extension to DNS to allow for larger packets.  This was later
required in RFC 3226 for all DNSSEC and A6 aware servers and
resolvers.  RFC 2874 may also be of interest.

So, as a practical result IPv6 (transport) implementations have a
1280 byte packet guaranteed, and support EDNS0 to allow larger
queries.  This allows the entire set (in the case of the roots) to
be returned in a single packet.  See also the queries at the end
of this message.

So, as with all things the devil is in the details.  The effect on
DNS stability has been heavily discussed in the IETF and at the
IANA level (in the case of the roots), and both of those venues are
far more appropriate places than PPML for those discussions.  Popular
positions include (but are not limited to):

* This hurts stability, IPv4 addresses are removed.
* This helps stability, IPv4 and IPv6 transport now reach the roots.
* It's a transition problem.
* All clients should support EDNS0 which makes the problem moot.
* Clients can fall back to TCP just fine.
* Fall back to TCP doesn't work, usually because of anycast.

YMMV.  Some assembly required.  Batteries not included.  Many details
omitted as this is not a technical DNS forum.  Please take this
discussion elsewhere.

% dig -4 NS . @a.root-servers.net

; <<>> DiG 9.5.0-P1 <<>> -4 NS . @a.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3008
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			518400	IN	NS	I.ROOT-SERVERS.NET.
.			518400	IN	NS	J.ROOT-SERVERS.NET.
.			518400	IN	NS	K.ROOT-SERVERS.NET.
.			518400	IN	NS	L.ROOT-SERVERS.NET.
.			518400	IN	NS	M.ROOT-SERVERS.NET.
.			518400	IN	NS	A.ROOT-SERVERS.NET.
.			518400	IN	NS	B.ROOT-SERVERS.NET.
.			518400	IN	NS	C.ROOT-SERVERS.NET.
.			518400	IN	NS	D.ROOT-SERVERS.NET.
.			518400	IN	NS	E.ROOT-SERVERS.NET.
.			518400	IN	NS	F.ROOT-SERVERS.NET.
.			518400	IN	NS	G.ROOT-SERVERS.NET.
.			518400	IN	NS	H.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.	3600000	IN	A	198.41.0.4
A.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.	3600000	IN	A	192.228.79.201
C.ROOT-SERVERS.NET.	3600000	IN	A	192.33.4.12
D.ROOT-SERVERS.NET.	3600000	IN	A	128.8.10.90
E.ROOT-SERVERS.NET.	3600000	IN	A	192.203.230.10
F.ROOT-SERVERS.NET.	3600000	IN	A	192.5.5.241
F.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:500:2f::f
G.ROOT-SERVERS.NET.	3600000	IN	A	192.112.36.4
H.ROOT-SERVERS.NET.	3600000	IN	A	128.63.2.53
H.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:500:1::803f:235
I.ROOT-SERVERS.NET.	3600000	IN	A	192.36.148.17
J.ROOT-SERVERS.NET.	3600000	IN	A	192.58.128.30
J.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:503:c27::2:30

;; Query time: 78 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Fri Jun  6 16:17:58 2008
;; MSG SIZE  rcvd: 500

% dig -4 NS . @b.root-servers.net

; <<>> DiG 9.5.0-P1 <<>> -4 NS . @b.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15468
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 15
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			518400	IN	NS	C.ROOT-SERVERS.NET.
.			518400	IN	NS	D.ROOT-SERVERS.NET.
.			518400	IN	NS	E.ROOT-SERVERS.NET.
.			518400	IN	NS	F.ROOT-SERVERS.NET.
.			518400	IN	NS	G.ROOT-SERVERS.NET.
.			518400	IN	NS	H.ROOT-SERVERS.NET.
.			518400	IN	NS	I.ROOT-SERVERS.NET.
.			518400	IN	NS	J.ROOT-SERVERS.NET.
.			518400	IN	NS	K.ROOT-SERVERS.NET.
.			518400	IN	NS	L.ROOT-SERVERS.NET.
.			518400	IN	NS	M.ROOT-SERVERS.NET.
.			518400	IN	NS	A.ROOT-SERVERS.NET.
.			518400	IN	NS	B.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
C.ROOT-SERVERS.NET.	3600000	IN	A	192.33.4.12
D.ROOT-SERVERS.NET.	3600000	IN	A	128.8.10.90
E.ROOT-SERVERS.NET.	3600000	IN	A	192.203.230.10
F.ROOT-SERVERS.NET.	3600000	IN	A	192.5.5.241
G.ROOT-SERVERS.NET.	3600000	IN	A	192.112.36.4
H.ROOT-SERVERS.NET.	3600000	IN	A	128.63.2.53
I.ROOT-SERVERS.NET.	3600000	IN	A	192.36.148.17
J.ROOT-SERVERS.NET.	3600000	IN	A	192.58.128.30
K.ROOT-SERVERS.NET.	3600000	IN	A	193.0.14.129
L.ROOT-SERVERS.NET.	3600000	IN	A	199.7.83.42
M.ROOT-SERVERS.NET.	3600000	IN	A	202.12.27.33
A.ROOT-SERVERS.NET.	3600000	IN	A	198.41.0.4
B.ROOT-SERVERS.NET.	3600000	IN	A	192.228.79.201
F.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:500:2f::f
H.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:500:1::803f:235

;; Query time: 12 msec
;; SERVER: 192.228.79.201#53(192.228.79.201)
;; WHEN: Fri Jun  6 16:22:05 2008
;; MSG SIZE  rcvd: 492

Using IPv6 w/EDNS0:

 dig -6 +bufsize=1024 NS . @a.root-servers.net

; <<>> DiG 9.5.0-P1 <<>> -6 +bufsize=1024 NS . @a.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33651
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 20
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			518400	IN	NS	H.ROOT-SERVERS.NET.
.			518400	IN	NS	I.ROOT-SERVERS.NET.
.			518400	IN	NS	J.ROOT-SERVERS.NET.
.			518400	IN	NS	K.ROOT-SERVERS.NET.
.			518400	IN	NS	L.ROOT-SERVERS.NET.
.			518400	IN	NS	M.ROOT-SERVERS.NET.
.			518400	IN	NS	A.ROOT-SERVERS.NET.
.			518400	IN	NS	B.ROOT-SERVERS.NET.
.			518400	IN	NS	C.ROOT-SERVERS.NET.
.			518400	IN	NS	D.ROOT-SERVERS.NET.
.			518400	IN	NS	E.ROOT-SERVERS.NET.
.			518400	IN	NS	F.ROOT-SERVERS.NET.
.			518400	IN	NS	G.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.	3600000	IN	A	198.41.0.4
A.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.	3600000	IN	A	192.228.79.201
C.ROOT-SERVERS.NET.	3600000	IN	A	192.33.4.12
D.ROOT-SERVERS.NET.	3600000	IN	A	128.8.10.90
E.ROOT-SERVERS.NET.	3600000	IN	A	192.203.230.10
F.ROOT-SERVERS.NET.	3600000	IN	A	192.5.5.241
F.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:500:2f::f
G.ROOT-SERVERS.NET.	3600000	IN	A	192.112.36.4
H.ROOT-SERVERS.NET.	3600000	IN	A	128.63.2.53
H.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:500:1::803f:235
I.ROOT-SERVERS.NET.	3600000	IN	A	192.36.148.17
J.ROOT-SERVERS.NET.	3600000	IN	A	192.58.128.30
J.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:503:c27::2:30
K.ROOT-SERVERS.NET.	3600000	IN	A	193.0.14.129
K.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:7fd::1
L.ROOT-SERVERS.NET.	3600000	IN	A	199.7.83.42
M.ROOT-SERVERS.NET.	3600000	IN	A	202.12.27.33
M.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:dc3::35

;; Query time: 80 msec
;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
;; WHEN: Fri Jun  6 16:43:20 2008
;; MSG SIZE  rcvd: 615

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20080606/33c22da7/attachment.sig>