Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

DNS v6 support: Onus on the registrar?

Started by digibaseoperations, June 28, 2012, 03:01:51 PM


digibaseoperations

All,

While domain registries often support v6 quite quickly and effectively, there is still often a blockade against v6 support: The Registrar.

Registrars often have front-end software that does not support implementing any sort of v6 addresses, and customers aren't allowed to touch their actual entries in the TLD zone file, so often times the caveat is up to the domain registrar (not the registry) to support any sort of v6 glue.

One thing I have noticed that is a concern to me about the v6 certification programme is that the "Sage" level implies that the individual has enough push to get their registrar to support v6. In many cases, individual customers do not have enough domain names to make a pull-out or transfer meaningful to that registrar. Further, sometimes a transfer is not feasible financially considering they may be on a cheap registrar and migrating away would be a financial impact.

While individual customers can put in hundreds of tickets to their domain registrars, it is up to management (who may not understand or care about v6's importance) of those registrars to support v6, not the helpdesk or engineers. One case of such is I've been in contact with my organization's registrar (Canreg) and they have indicated that there really is no ETA to implement v6 in their front-end domain management software.

So while I operate a pure IPv6 DNS server that is accessible everywhere on the internet, glue cannot be applied to it because of something ultimately out of my control.

So the question arises: How does one push a domain registrar who is a lot larger of a company/organization than you to support v6 without information on their other customers (as to get their PR department's attention)?

broquea

"Vote with your wallet", money is what they listen to. Rally enough people at a registrar to leave and try and make a difference. We saw it with SOPA last November and GoDaddy, even though someone could suspect that no matter what they publish for PR, behind the scenes they still support it.

If it is that your TLD doesn't support IPv6 glue, that is a whole different problem that isn't the registrar's fault.

kasperd

Sometimes you can get around such limitations by having the name of your authoritative DNS server under an entirely different TLD. Your DNS server doesn't need to have a nice looking name. There are plenty of possibilities to get a subdomain for free if you don't mind it having a few more levels of labels than your other names. For example there are multiple providers of dynamic DNS where you get a subdomain for free, you just need to find one with proper dual stack support.
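
kasperd's workaround rests on the fact that the parent zone only has to carry glue for nameservers whose names sit inside the delegated domain. As an added example (not code from any poster in this thread), the Python sketch below audits a delegation for that condition; the domain names, addresses and function names are constructed for illustration.

```python
import ipaddress

def needs_glue(ns_name, zone):
    """True when the nameserver's name is at or below the delegated domain."""
    ns = ns_name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    # Compare whole labels so "notexample.ca" is not mistaken for "example.ca".
    return len(ns) >= len(z) and ns[-len(z):] == z

def audit_delegation(zone, ns_names, glue):
    """Report, per nameserver, what the parent zone can publish for it.

    glue maps NS name -> address strings the registrar accepted as glue.
    """
    report = {}
    for ns in ns_names:
        families = {ipaddress.ip_address(a).version for a in glue.get(ns, [])}
        if not needs_glue(ns, zone):
            status = "no glue needed: address comes from the name's own zone"
        elif families == {4, 6}:
            status = "dual-stack glue"
        elif families == {6}:
            status = "IPv6-only glue"
        elif families == {4}:
            status = "IPv4-only glue: IPv6-only resolvers cannot reach it"
        else:
            status = "MISSING glue: delegation to this server cannot be followed"
        report[ns] = status
    return report

# Constructed sample: ns3 is an IPv6-only server whose AAAA glue the
# registrar's front end refused, so nothing was recorded for it.
ZONE = "example.ca"
NS_NAMES = ["ns1.example.ca", "ns2.example.ca", "ns3.example.ca",
            "ns.example.net", "ns.notexample.ca"]
GLUE = {
    "ns1.example.ca": ["192.0.2.53"],
    "ns2.example.ca": ["192.0.2.54", "2001:db8::53"],
}

if __name__ == "__main__":
    for name, status in audit_delegation(ZONE, NS_NAMES, GLUE).items():
        print(f"{name:20} {status}")
```

A nameserver named outside the delegated domain moves the dependency to whoever operates that other zone, which is the trust concern raised later in the thread.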

snarked

In the past, I've changed registrars specifically over this issue - the old registrar not supporting IPv6 glue.  I'm now with a registrar which accepts IPv6 glue for EVERY TLD they support, even if IPv6 is not supported in the registry.  (For .NAME, the registry doesn't even have IPv6 addresses for its TLD servers!)

Every registrar should support IPv6 glue.  Those who don't are clueless.

digibaseoperations

Quote from: kasperd on June 28, 2012, 04:21:53 PM
Sometimes you can get around such limitations by having the name of your authoritative DNS server under an entirely different TLD. Your DNS server doesn't need to have a nice looking name. There are plenty of possibilities to get a subdomain for free if you don't mind it having a few more levels of labels than your other names. For example there are multiple providers of dynamic DNS where you get a subdomain for free, you just need to find one with proper dual stack support.

The problem here is it implies that the registry is the one that doesn't support the glue, but in my case (.ca) it does. It is the registrar that is being prohibitive and blocking input of AAAA addresses (For glue) into the registry.

Further, utilization of dynamic DNS inserts another cog into the machine that has to be trusted. I would rather keep DNS operations exclusively between my organization's systems and the TLD servers, not bringing some blah.dyndns.org name into the equation that could get compromised.

Quote from: snarked on June 29, 2012, 11:10:33 AM
In the past, I've changed registrars specifically over this issue - the old registrar not supporting IPv6 glue.  I'm now with a registrar which accepts IPv6 glue for EVERY TLD they support, even if IPv6 is not supported in the registry.  (For .NAME, the registry doesn't even have IPv6 addresses for its TLD servers!)

Every registrar should support IPv6 glue.  Those who don't are clueless.

Agreed, though the question arises: Is there a list of registrars for each registry somewhere and their v6 support? (similar to http://bgp.he.net/report/dns/ ) If not, such compilation would be interesting to see. I'll explain:

Considering it is the registrars who are the frontline to the TLDs and that registrants don't have direct access to the registry, that should be the gauge of IPv6 support to the registry — not just whether the registry accepts AAAA glue and has servers operational with v6 addresses (as that is trivial for the registry to deploy). This would also call on registries to possibly eventually "ditch" refusenik registrars who ignore or insist IPv6 isn't coming or are being extremely slow to deploy.

kasperd

Quote from: digibaseoperations on July 02, 2012, 10:29:32 PM
The problem here is it implies that the registry is the one that doesn't support the glue, but in my case (.ca) it does. It is the registrar that is being prohibitive and blocking input of AAAA addresses (For glue) into the registry.

That just means the domain of the DNS server cannot be handled through that registrar. You could get a new domain name through another registrar. But such a solution would most likely be temporary, as you'd probably decide to transfer all your domains to the new registrar.

Quote from: digibaseoperations on July 02, 2012, 10:29:32 PM
Further, utilization of dynamic DNS inserts another cog into the machine that has to be trusted. I would rather keep DNS operations exclusively between my organization's systems and the TLD servers, not bringing some blah.dyndns.org name into the equation that could get compromised.

You may need to make a compromise between price and security. Using a dyndns provider is just one of many possible options.

Do however notice that DNSSEC will still prevent forging of DNS records, even if the dynamic DNS provider is compromised. That reduces the possible impact of the attack from forging of DNS records to just a DoS attack. Unfortunately DNSSEC is not widely deployed, and I suspect it may not get much attention until usage of IPv4 starts declining.

Quote from: digibaseoperations on July 02, 2012, 10:29:32 PM
Is there a list of registrars for each registry somewhere and their v6 support? (similar to http://bgp.he.net/report/dns/ ) If not, such compilation would be interesting to see.

I don't know about such a list. But if you have a particular registrar in mind, it should be fairly easy to find out. If they don't specify their level of support on their homepage, then write to them and ask.

tlechler

Well, the lack of registrars to enable IPv6-capable records in their DNS, among other uncommon stuff like TXT records, made me set up my own DNS servers in 2009. Easy and efficient solution, no more forced TTLs of 2 or more hours, and you get all the custom that you want. And setting up a secure instance of PowerDNS is easier than people think.