With the imminent exhaustion of IPv4 address space and the U.S. government’s renewed push to implement IPv6, the protocol has been getting more press lately. The government’s mandate requires Federal government agencies to implement IPv6 on external-facing resources by early next year. That got me to thinking about what that means to DNS.
Clearly, the mandate (assuming I read it correctly, which may not be such a good assumption) would require Federal government agencies to set up name servers with IPv6 addresses (and the corresponding AAAA records), either by adding IPv6 addresses to existing name servers or by setting up wholly new IPv6 name servers.
Of course, many enterprises and ISPs don’t yet run recursive name servers that have IPv6 addresses, so the government’s shiny new IPv6 addresses will largely be ignored. In order to take advantage of those IPv6-speaking authoritative name servers, recursive name servers will need IPv6 addresses of their own.
An interesting wrinkle will emerge once we see our first zones served only by IPv6 name servers: Recursive name servers that speak only IPv4 won’t be able to resolve domain names in these zones without some help. This help comes in the form of BIND’s dual-stack-servers substatement. A dual-stack server is a sort of forwarder for a monolingual (okay, mono-protocol) name server. But instead of forwarding queries for domain names in zones whose authoritative name servers it can’t reach, the recursor forwards queries to the dual-stack server for domain names in zones served only by name servers that speak a protocol the recursor doesn’t. The feature works both ways: An IPv6-only recursor can use a dual-stack server to resolve domain names served only by IPv4 authoritative name servers, too.
Finally, there are inevitable pitfalls in the migration to IPv6. Some stub resolvers, for example, will send queries for AAAA records despite not having connectivity to the global IPv6 Internet. Newer versions of BIND offer a feature to address this, too: filter-aaaa-on-v4, which tells the nameserver not to include AAAA records in replies to queries it receives over IPv4. Unfortunately, this isn’t a perfect solution, since a recursor sending IPv4 queries to a name server with filter-aaaa-on-v4 set may relay the answer to a stub resolver that does, in fact, have IPv6 connectivity.
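As an added illustration (not configuration from the original post), here is how the two features discussed above might sit together in the named.conf of an IPv4-only recursive name server. The addresses, the ACL name and the client subnet are constructed placeholders; the filter-aaaa ACL is BIND's companion option that narrows which clients get AAAA filtering, and the fragment assumes a BIND build with AAAA filtering compiled in.

```conf
// named.conf fragment for an IPv4-only recursive name server
// (named started with -4). All addresses are documentation-range
// placeholders constructed for this example.

acl "v4-only-stubs" {
    198.51.100.0/24;    // assumed: stub resolvers with no IPv6 connectivity
};

options {
    recursion yes;
    allow-recursion { 198.51.100.0/24; };   // never run an open recursor

    listen-on-v6 { none; };

    // For zones served only by IPv6 name servers, send the query to a
    // machine that speaks both protocols. It is addressed over IPv4,
    // the one transport this recursor has, and it must permit
    // recursion from this host.
    dual-stack-servers port 53 { 192.0.2.53; };

    // Omit AAAA records from replies to queries received over IPv4.
    // With "yes", DNSSEC-signed answers are left intact; only
    // "break-dnssec" strips them as well.
    filter-aaaa-on-v4 yes;

    // Limit the filtering to known IPv4-only stubs (the default is any).
    // Leaving downstream recursors out of this list keeps them from
    // relaying filtered answers to stubs that do have IPv6.
    filter-aaaa { "v4-only-stubs"; };
};
```

Running named-checkconf against the file catches syntax errors before a reload.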
And there are probably more nuances to accommodating IPv6 networks with DNS that we haven’t stumbled across yet. But if the government mandate has its intended effect, we’ll surely know more later this year.