• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

IPv6 Glue

Started by tdensmore, October 01, 2012, 10:53:20 AM


tdensmore

I'm either doing something terribly wrong, or very few domains out there have IPv6 TLD glue.  I'm going through the list of "website operators" that are listed on worldipv6launch.org site, and all I get back from the tld servers for any that I've looked at is v4.  Using how I'm looking at google.com as an example - first I do a dig +trace to grab the first listed TLD entry for that dig as well as a list of google name servers, and then:

Quote

# dig aaaa ns1.google.com @h.gtld-servers.net

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.2 <<>> aaaa ns1.google.com @h.gtld-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33064
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;ns1.google.com.                        IN      AAAA

;; AUTHORITY SECTION:
google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.         172800  IN      A       216.239.34.10
ns1.google.com.         172800  IN      A       216.239.32.10
ns3.google.com.         172800  IN      A       216.239.36.10
ns4.google.com.         172800  IN      A       216.239.38.10

;; Query time: 146 msec
;; SERVER: 192.54.112.30#53(192.54.112.30)
;; WHEN: Mon Oct  1 11:50:52 2012
;; MSG SIZE  rcvd: 164



No v6 glue, correct?  Am I doing this wrong?

tdensmore

Well, perhaps google was a stupid choice there since ns1.google.com doesn't have an AAAA record at all apparently, so to get a AAAA back for google.com at all, I'm having to ask an IPv4 address.  But this is the kind of thing I'm running into frequently.  Sites that have listed themselves, or have been listed as "v6" are actually only minimally v6.

Maybe a better question would be, can anyone provide an example of a popular domain that's fully v6?

broquea

he.net? only 1 NS doesn't have glue, the rest do, so site would work with v6-only connectivity.
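The glue check discussed in the two posts above (does the TLD referral carry AAAA glue, and is at least one name server reachable over v6 only), as an added example that is not part of the original thread. It parses saved `dig` referral output; `glue_report` and `reachable_v6_only` are hypothetical names, `V4_ONLY` is copied from the output in the first post, and `MIXED` is a constructed sample using documentation addresses.

```python
import re
from collections import defaultdict

# One record in dig's presentation format: owner TTL IN type rdata
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def glue_report(dig_output):
    """Map each delegated name server to the address families of its glue."""
    section, ns_names, glue = None, [], defaultdict(set)
    for line in dig_output.splitlines():
        line = line.strip()
        hdr = re.match(r"^;; (\w+) SECTION:$", line)
        if hdr:
            section = hdr.group(1)
            continue
        rr = RR.match(line)  # comment and blank lines never match
        if not rr:
            continue
        owner, rtype, rdata = rr.group(1).lower(), rr.group(2), rr.group(3).lower()
        if section == "AUTHORITY" and rtype == "NS":
            ns_names.append(rdata)
        elif section == "ADDITIONAL" and rtype in ("A", "AAAA"):
            glue[owner].add(rtype)
    return {ns: sorted(glue.get(ns, ())) for ns in ns_names}

def reachable_v6_only(report):
    """True if at least one delegated name server has AAAA glue."""
    return any("AAAA" in families for families in report.values())

# Referral from the first post in this thread (A glue only).
V4_ONLY = """;; AUTHORITY SECTION:
google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
;; ADDITIONAL SECTION:
ns2.google.com.         172800  IN      A       216.239.34.10
ns1.google.com.         172800  IN      A       216.239.32.10
"""
# Constructed sample: one name server with AAAA glue, one without.
MIXED = """;; AUTHORITY SECTION:
example.test.           172800  IN      NS      ns1.example.test.
example.test.           172800  IN      NS      ns2.example.test.
;; ADDITIONAL SECTION:
ns1.example.test.       172800  IN      A       192.0.2.1
ns1.example.test.       172800  IN      AAAA    2001:db8::53
ns2.example.test.       172800  IN      A       192.0.2.2
"""
```
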

kasperd

Quote from: tdensmore on October 01, 2012, 10:53:20 AM
No v6 glue, correct?  Am I doing this wrong?
You are right. That is one area where Google isn't supporting dual stack yet. But they are making progress. At some point (I think one year ago), I had a much longer list of what IPv6 support Google was lacking. I think what you are pointing out is the last major area left on that list.

  • Google public DNS did not have an IPv6 address
  • Google public DNS could not contact IPv6 only authoritative DNS servers
  • Google's own authoritative DNS servers are IPv4 only
  • Gmail could not send email over IPv6
  • The MX records for Gmail were IPv4 only
  • The IPv6 support that did exist was only for the selected few

They have made a lot of progress. That list is now down to just the one item you mention. They still have work to do on reliability. A couple of weeks ago they had a multi-hour outage on IPv6 across all of Europe.

tdensmore

Quote from: broquea on October 01, 2012, 11:10:28 AM
he.net? only 1 NS doesn't have glue, the rest do, so site would work with v6-only connectivity.

As much as I like he.net, I'm really looking for something facebook or google levels of popular to use as an example.

This is partially because last week, rather than help us with adding aaaa glue for our NSes, netsol tier 1 tech support decided they'd "help" us by moving our NS pointers to their own name servers.  You can imagine how painful this was for an ISP.  Since that disaster, I've been looking around and seeing that very, very few domains appear to have TLD glue, and have been leaning heavily towards simply skipping that step in our initial v6 rollout.

kasperd

Quote from: tdensmore on October 01, 2012, 11:27:00 AM
As much as I like he.net, I'm really looking for something facebook or google levels of popular to use as an example.
There might not be any site as popular. Those two companies have the three most popular websites according to Alexa.

I took a look on the sites participating in the World IPv6 Launch ordered by Alexa rank and checked if they could be looked up over IPv6. Facebook, Google, Yahoo, and Wikimedia all fail by not having authoritative DNS servers on IPv6.

Next on the list is bing. And bing.com can actually be looked up over IPv6. But it doesn't have any AAAA record, only an A record. So they fail as well. But what about www.bing.com, that is supposed to be dual stack. It can be resolved over IPv6, but it is a CNAME pointing to an Akamai domain. That Akamai domain does have an AAAA record, but the DNS server is IPv4 only.

As I proceeded down the list, I found that the first domain to both have an AAAA record and be resolvable over IPv6 was flipkart.com with Alexa rank 278.

Quote from: tdensmore on October 01, 2012, 11:27:00 AM
Since that disaster, I've been looking around and seeing that very, very few domains appear to have TLD glue, and have been leaning heavily towards simply skipping that step in our initial v6 rollout.
If we can get all recursive resolvers to be dual stack, then it will work just fine even if some authoritative DNS servers are IPv4 only. But there are users who run a recursive resolver at home for improved performance, and those won't be able to get IPv4 addresses moving forward. So on the slightly longer term it is more realistic to get IPv6 support on all authoritative DNS servers than to get IPv4 support on all recursive resolvers. There are workarounds. Bind has a feature to forward queries to a dual stack resolver, if it cannot resolve the query on its own.

One advantage that you can get from doing the resolution over IPv6 is improved protection against DNS cache poisoning. If the recursive resolver is assigned a large pool of IPv6 addresses (possibly an entire /64 prefix), then there is more entropy in the query. The query ID and port number allow for a maximum of 32 bits of entropy. If you allocated a /64 prefix to the resolver, you could add another 64 bits on top of that.
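The entropy argument in the post above, worked through as an added example that is not part of the original thread. It models a resolver that draws its source address, source port and query ID per query and accepts a reply only when all three match; the function names, the 2001:db8:0:53::/64 documentation prefix and the default 1024-65535 port range are assumptions made for illustration.

```python
import ipaddress
import math
import secrets

def query_entropy_bits(prefix, port_lo=1024, port_hi=65535):
    """Bits an off-path spoofer must guess: query ID + source port + source address."""
    net = ipaddress.ip_network(prefix)
    id_bits = 16                                    # DNS query ID field
    port_bits = math.log2(port_hi - port_lo + 1)    # usable source ports (assumed range)
    addr_bits = net.max_prefixlen - net.prefixlen   # 0 for a single address
    return id_bits + port_bits + addr_bits

def new_query(prefix, port_lo=1024, port_hi=65535):
    """Draw the per-query values from the OS CSPRNG."""
    net = ipaddress.ip_network(prefix)
    return {
        "src": net.network_address + secrets.randbelow(net.num_addresses),
        "port": port_lo + secrets.randbelow(port_hi - port_lo + 1),
        "txid": secrets.randbelow(1 << 16),
    }

def response_matches(query, dst, dport, txid):
    """Accept a reply only if it returns to the exact address, port and ID used."""
    return (ipaddress.ip_address(dst) == query["src"]
            and dport == query["port"]
            and txid == query["txid"])
```

With the full 0-65535 port range, a single resolver address gives the 32 bits mentioned in the post and a /64 gives 96; the default range here yields slightly less because the low ports are excluded.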

tdensmore

LOL - well, those were possibly not the best examples then.  I guess popular enough that they've gained a reasonable amount of mindshare.  Seems like it might be more effort than it's worth to track one down, or even impossible at this point.

I suppose v6-only hosts are fairly scarce at this point in any event, which is good, since I only have 3 hosts with AAAAs at this point.  I have to admit that the more I look into setting up authoritative v6 DNS, the more daunting the task seems.  I'm obviously going to need to come up with some automation process, which is a whole 'nuther project in itself.