The hard work of deploying DNSSEC is well underway: Registries are signing top-level zones, the Internet Systems Consortium and various vendors, including Infoblox, are simplifying the task of signing and managing a secure zone. Even though widespread adoption ofDNSSEC is some way off, its natural to wonder what’s next.
My bet is on IPv6.
Of course, IPv6 is tomorrow’s internet protocol and has been for years but I’ve heard more and more inquiries about IPv6 over the past few months. Reporters are writing articles about the rate of IPv6 adoption, coaching readers on how to prepare for the migration to IPv6; while customers are asking questions about IPv6-related features on our roadmap. And Geoff Huston’s estimate of the date ARIN will exhaust its allocation of IPv4 addresses now stands at June 4, 2011. That’s not far off.
Luckily, the deployment of IPv6 won’t require quite the overhaul of DNS that DNSSEC did. Here are some of the changes well see:
- There’s a new resource record type, AAAA (usually called a quad-A record). This is a simple IPv6 analog of the IPv4 A record. The only real difference (besides the new type mnemonic) is that theRDATA contains a set of as many as eight quartets of hexidecimal digits, like so:
ipv6host.foo.example. AAAA 1234:5678:90ab:cdef:1234:5678:90ab:cdef
- Reverse mapping gets very messy, because all of a sudden PTR records are attached to domain names like:
(Thats 34 labels, in case you don’t feel like counting.) Note also that the IPv6 reverse-mapping domain is ip6.arpa, not in-addr.arpa.
- More organizations will begin running name servers with IPv6 stacks. On the authoritative side, some of the root name servers currently respond to queries over IPv6, as do some of VeriSigns gTLD name servers (those authoritative for .com and.net). Fewer recursive nameservers support IPv6. That’ll likely change as organizations bring up IPv6-only clients that use technologies like NAT64 to communicate with IPv4 endpoints.
- And, of course, DNS will assume a new criticality, because IPv6 addresses are nearly impossible for mere humans to remember and difficult to even enter correctly.
As with DNSSEC, the introduction of IPv6 will heighten the need for good administrative tools and increased automation. Entering IPv6 addresses by hand is simply too time-consuming and error-prone not to mention stultifying boring. IP address management systems can alleviate some of this burden through network discovery, auto-completion and more.