| blob | 915c104aa161f10781a7ca6e4cf0343f2fd7dda1 |
7 Network Working Group M. Crawford
8 Request for Comments: 2874 Fermilab
9 Category: Standards Track C. Huitema
10 Microsoft Corporation
11 July 2000
14 DNS Extensions to Support IPv6 Address Aggregation and Renumbering
16 Status of this Memo
18 This document specifies an Internet standards track protocol for the
19 Internet community, and requests discussion and suggestions for
20 improvements. Please refer to the current edition of the "Internet
21 Official Protocol Standards" (STD 1) for the standardization state
22 and status of this protocol. Distribution of this memo is unlimited.
24 Copyright Notice
26 Copyright (C) The Internet Society (2000). All Rights Reserved.
28 Abstract
30 This document defines changes to the Domain Name System to support
31 renumberable and aggregatable IPv6 addressing. The changes include a
32 new resource record type to store an IPv6 address in a manner which
33 expedites network renumbering and updated definitions of existing
34 query types that return Internet addresses as part of additional
35 section processing.
37 For lookups keyed on IPv6 addresses (often called reverse lookups),
38 this document defines a new zone structure which allows a zone to be
39 used without modification for parallel copies of an address space (as
40 for a multihomed provider or site) and across network renumbering
41 events.
58 Crawford, et al. Standards Track [Page 1]
59 \f
60 RFC 2874 IPv6 DNS July 2000
63 Table of Contents
65 1. Introduction ............................................... 2
66 2. Overview ................................................... 3
67 2.1. Name-to-Address Lookup ............................... 4
68 2.2. Underlying Mechanisms for Reverse Lookups ............ 4
69 2.2.1. Delegation on Arbitrary Boundaries ............. 4
70 2.2.2. Reusable Zones ................................. 5
71 3. Specifications ............................................. 5
72 3.1. The A6 Record Type ................................... 5
73 3.1.1. Format ......................................... 6
74 3.1.2. Processing ..................................... 6
75 3.1.3. Textual Representation ......................... 7
76 3.1.4. Name Resolution Procedure ...................... 7
77 3.2. Zone Structure for Reverse Lookups ................... 7
78 4. Modifications to Existing Query Types ...................... 8
79 5. Usage Illustrations ........................................ 8
80 5.1. A6 Record Chains ..................................... 9
81 5.1.1. Authoritative Data ............................. 9
82 5.1.2. Glue ........................................... 10
83 5.1.3. Variations ..................................... 12
84 5.2. Reverse Mapping Zones ................................ 13
85 5.2.1. The TLA level .................................. 13
86 5.2.2. The ISP level .................................. 13
87 5.2.3. The Site Level ................................. 13
88 5.3. Lookups .............................................. 14
89 5.4. Operational Note ..................................... 15
90 6. Transition from RFC 1886 and Deployment Notes .............. 15
91 6.1. Transition from AAAA and Coexistence with A Records .. 16
92 6.2. Transition from Nibble Labels to Binary Labels ....... 17
93 7. Security Considerations .................................... 17
94 8. IANA Considerations ........................................ 17
95 9. Acknowledgments ............................................ 18
96 10. References ................................................ 18
97 11. Authors' Addresses ........................................ 19
98 12. Full Copyright Statement .................................. 20
100 1. Introduction
102 Maintenance of address information in the DNS is one of several
103 obstacles which have prevented site and provider renumbering from
104 being feasible in IP version 4. Arguments about the importance of
105 network renumbering for the preservation of a stable routing system
106 and for other purposes may be read in [RENUM1, RENUM2, RENUM3]. To
107 support the storage of IPv6 addresses without impeding renumbering we
108 define the following extensions.
114 Crawford, et al. Standards Track [Page 2]
115 \f
116 RFC 2874 IPv6 DNS July 2000
119 o A new resource record type, "A6", is defined to map a domain name
120 to an IPv6 address, with a provision for indirection for leading
121 "prefix" bits.
123 o Existing queries that perform additional section processing to
124 locate IPv4 addresses are redefined to do that processing for both
125 IPv4 and IPv6 addresses.
127 o A new domain, IP6.ARPA, is defined to support lookups based on
128 IPv6 address.
130 o A new prefix-delegation method is defined, relying on new DNS
131 features [BITLBL, DNAME].
133 The changes are designed to be compatible with existing application
134 programming interfaces. The existing support for IPv4 addresses is
135 retained. Transition issues related to the coexistence of both IPv4
136 and IPv6 addresses in DNS are discussed in [TRANS].
138 This memo proposes a replacement for the specification in RFC 1886
139 [AAAA] and a departure from current implementation practices. The
140 changes are designed to facilitate network renumbering and
141 multihoming. Domains employing the A6 record for IPv6 addresses can
142 insert automatically-generated AAAA records in zone files to ease
143 transition. It is expected that after a reasonable period, RFC 1886
144 will become Historic.
146 The next three major sections of this document are an overview of the
147 facilities defined or employed by this specification, the
148 specification itself, and examples of use.
150 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
151 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
152 document are to be interpreted as described in [KWORD]. The key word
153 "SUGGESTED" signifies a strength between MAY and SHOULD: it is
154 believed that compliance with the suggestion has tangible benefits in
155 most instances.
157 2. Overview
159 This section provides an overview of the DNS facilities for storage
160 of IPv6 addresses and for lookups based on IPv6 address, including
161 those defined here and elsewhere.
170 Crawford, et al. Standards Track [Page 3]
171 \f
172 RFC 2874 IPv6 DNS July 2000
175 2.1. Name-to-Address Lookup
177 IPv6 addresses are stored in one or more A6 resource records. A
178 single A6 record may include a complete IPv6 address, or a contiguous
179 portion of an address and information leading to one or more
180 prefixes. Prefix information comprises a prefix length and a DNS
181 name which is in turn the owner of one or more A6 records defining
182 the prefix or prefixes which are needed to form one or more complete
183 IPv6 addresses. When the prefix length is zero, no DNS name is
184 present and all the leading bits of the address are significant.
185 There may be multiple levels of indirection and the existence of
186 multiple A6 records at any level multiplies the number of IPv6
187 addresses which are formed.
189 An application looking up an IPv6 address will generally cause the
190 DNS resolver to access several A6 records, and multiple IPv6
191 addresses may be returned even if the queried name was the owner of
192 only one A6 record. The authenticity of the returned address(es)
193 cannot be directly verified by DNS Security [DNSSEC]. The A6 records
194 which contributed to the address(es) may of course be verified if
195 signed.
197 Implementers are reminded of the necessity to limit the amount of
198 work a resolver will perform in response to a client request. This
199 principle MUST be extended to also limit the generation of DNS
200 requests in response to one name-to-address (or address-to-name)
201 lookup request.
203 2.2. Underlying Mechanisms for Reverse Lookups
205 This section describes the new DNS features which this document
206 exploits. This section is an overview, not a specification of those
207 features. The reader is directed to the referenced documents for
208 more details on each.
210 2.2.1. Delegation on Arbitrary Boundaries
212 This new scheme for reverse lookups relies on a new type of DNS label
213 called the "bit-string label" [BITLBL]. This label compactly
214 represents an arbitrary string of bits which is treated as a
215 hierarchical sequence of one-bit domain labels. Resource records can
216 thereby be stored at arbitrary bit-boundaries.
218 Examples in section 5 will employ the following textual
219 representation for bit-string labels, which is a subset of the syntax
220 defined in [BITLBL]. A base indicator "x" for hexadecimal and a
221 sequence of hexadecimal digits is enclosed between "\[" and "]". The
222 bits denoted by the digits represent a sequence of one-bit domain
226 Crawford, et al. Standards Track [Page 4]
227 \f
228 RFC 2874 IPv6 DNS July 2000
231 labels ordered from most to least significant. (This is the opposite
232 of the order they would appear if listed one bit at a time, but it
233 appears to be a convenient notation.) The digit string may be
234 followed by a slash ("/") and a decimal count. If omitted, the
235 implicit count is equal to four times the number of hexadecimal
236 digits.
238 Consecutive bit-string labels are equivalent (up to the limit imposed
239 by the size of the bit count field) to a single bit-string label
240 containing all the bits of the consecutive labels in the proper
241 order. As an example, either of the following domain names could be
242 used in a QCLASS=IN, QTYPE=PTR query to find the name of the node
243 with IPv6 address 3ffe:7c0:40:9:a00:20ff:fe81:2b32.
245 \[x3FFE07C0004000090A0020FFFE812B32/128].IP6.ARPA.
247 \[x0A0020FFFE812B32/64].\[x0009/16].\[x3FFE07C00040/48].IP6.ARPA.
249 2.2.2. Reusable Zones
251 DNS address space delegation is implemented not by zone cuts and NS
252 records, but by a new analogue to the CNAME record, called the DNAME
253 resource record [DNAME]. The DNAME record provides alternate naming
254 to an entire subtree of the domain name space, rather than to a
255 single node. It causes some suffix of a queried name to be
256 substituted with a name from the DNAME record's RDATA.
258 For example, a resolver or server providing recursion, while looking
259 up a QNAME a.b.c.d.e.f may encounter a DNAME record
261 d.e.f. DNAME w.xy.
263 which will cause it to look for a.b.c.w.xy.
265 3. Specifications
267 3.1. The A6 Record Type
269 The A6 record type is specific to the IN (Internet) class and has
270 type number 38 (decimal).
282 Crawford, et al. Standards Track [Page 5]
283 \f
284 RFC 2874 IPv6 DNS July 2000
287 3.1.1. Format
289 The RDATA portion of the A6 record contains two or three fields.
291 +-----------+------------------+-------------------+
292 |Prefix len.| Address suffix | Prefix name |
293 | (1 octet) | (0..16 octets) | (0..255 octets) |
294 +-----------+------------------+-------------------+
296 o A prefix length, encoded as an eight-bit unsigned integer with
297 value between 0 and 128 inclusive.
299 o An IPv6 address suffix, encoded in network order (high-order octet
300 first). There MUST be exactly enough octets in this field to
301 contain a number of bits equal to 128 minus prefix length, with 0
302 to 7 leading pad bits to make this field an integral number of
303 octets. Pad bits, if present, MUST be set to zero when loading a
304 zone file and ignored (other than for SIG [DNSSEC] verification)
305 on reception.
307 o The name of the prefix, encoded as a domain name. By the rules of
308 [DNSIS], this name MUST NOT be compressed.
310 The domain name component SHALL NOT be present if the prefix length
311 is zero. The address suffix component SHALL NOT be present if the
312 prefix length is 128.
314 It is SUGGESTED that an A6 record intended for use as a prefix for
315 other A6 records have all the insignificant trailing bits in its
316 address suffix field set to zero.
318 3.1.2. Processing
320 A query with QTYPE=A6 causes type A6 and type NS additional section
321 processing for the prefix names, if any, in the RDATA field of the A6
322 records in the answer section. This processing SHOULD be recursively
323 applied to the prefix names of A6 records included as additional
324 data. When space in the reply packet is a limit, inclusion of
325 additional A6 records takes priority over NS records.
327 It is an error for an A6 record with prefix length L1 > 0 to refer to
328 a domain name which owns an A6 record with a prefix length L2 > L1.
329 If such a situation is encountered by a resolver, the A6 record with
330 the offending (larger) prefix length MUST be ignored. Robustness
331 precludes signaling an error if addresses can still be formed from
332 valid A6 records, but it is SUGGESTED that zone maintainers from time
333 to time check all the A6 records their zones reference.
338 Crawford, et al. Standards Track [Page 6]
339 \f
340 RFC 2874 IPv6 DNS July 2000
343 3.1.3. Textual Representation
345 The textual representation of the RDATA portion of the A6 resource
346 record in a zone file comprises two or three fields separated by
347 whitespace.
349 o A prefix length, represented as a decimal number between 0 and 128
350 inclusive,
352 o the textual representation of an IPv6 address as defined in
353 [AARCH] (although some leading and/or trailing bits may not be
354 significant),
356 o a domain name, if the prefix length is not zero.
358 The domain name MUST be absent if the prefix length is zero. The
359 IPv6 address MAY be be absent if the prefix length is 128. A number
360 of leading address bits equal to the prefix length SHOULD be zero,
361 either implicitly (through the :: notation) or explicitly, as
362 specified in section 3.1.1.
364 3.1.4. Name Resolution Procedure
366 To obtain the IPv6 address or addresses which belong to a given name,
367 a DNS client MUST obtain one or more complete chains of A6 records,
368 each chain beginning with a record owned by the given name and
369 including a record owned by the prefix name in that record, and so on
370 recursively, ending with an A6 record with a prefix length of zero.
371 One IPv6 address is formed from one such chain by taking the value of
372 each bit position from the earliest A6 record in the chain which
373 validly covers that position, as indicated by the prefix length. The
374 set of all IPv6 addresses for the given name comprises the addresses
375 formed from all complete chains of A6 records beginning at that name,
376 discarding records which have invalid prefix lengths as defined in
377 section 3.1.2.
379 If some A6 queries fail and others succeed, a client might obtain a
380 non-empty but incomplete set of IPv6 addresses for a host. In many
381 situations this may be acceptable. The completeness of a set of A6
382 records may always be determined by inspection.
384 3.2. Zone Structure for Reverse Lookups
386 Very little of the new scheme's data actually appears under IP6.ARPA;
387 only the first level of delegation needs to be under that domain.
388 More levels of delegation could be placed under IP6.ARPA if some
389 top-level delegations were done via NS records instead of DNAME
390 records, but this would incur some cost in renumbering ease at the
394 Crawford, et al. Standards Track [Page 7]
395 \f
396 RFC 2874 IPv6 DNS July 2000
399 level of TLAs [AGGR]. Therefore, it is declared here that all
400 address space delegations SHOULD be done by the DNAME mechanism
401 rather than NS.
403 In addition, since uniformity in deployment will simplify maintenance
404 of address delegations, it is SUGGESTED that address and prefix
405 information be stored immediately below a DNS label "IP6". Stated
406 another way, conformance with this suggestion would mean that "IP6"
407 is the first label in the RDATA field of DNAME records which support
408 IPv6 reverse lookups.
410 When any "reserved" or "must be zero" bits are adjacent to a
411 delegation boundary, the higher-level entity MUST retain those bits
412 in its own control and delegate only the bits over which the lower-
413 level entity has authority.
415 To find the name of a node given its IPv6 address, a DNS client MUST
416 perform a query with QCLASS=IN, QTYPE=PTR on the name formed from the
417 128 bit address as one or more bit-string labels [BITLBL], followed
418 by the two standard labels "IP6.ARPA". If recursive service was not
419 obtained from a server and the desired PTR record was not returned,
420 the resolver MUST handle returned DNAME records as specified in
421 [DNAME], and NS records as specified in [DNSCF], and iterate.
423 4. Modifications to Existing Query Types
425 All existing query types that perform type A additional section
426 processing, i.e. the name server (NS), mail exchange (MX), and
427 mailbox (MB) query types, and the experimental AFS data base (AFSDB)
428 and route through (RT) types, must be redefined to perform type A, A6
429 and AAAA additional section processing, with type A having the
430 highest priority for inclusion and type AAAA the lowest. This
431 redefinition means that a name server may add any relevant IPv4 and
432 IPv6 address information available locally to the additional section
433 of a response when processing any one of the above queries. The
434 recursive inclusion of A6 records referenced by A6 records already
435 included in the additional section is OPTIONAL.
437 5. Usage Illustrations
439 This section provides examples of use of the mechanisms defined in
440 the previous section. All addresses and domains mentioned here are
441 intended to be fictitious and for illustrative purposes only.
442 Example delegations will be on 4-bit boundaries solely for
443 readability; this specification is indifferent to bit alignment.
445 Use of the IPv6 aggregatable address format [AGGR] is assumed in the
446 examples.
450 Crawford, et al. Standards Track [Page 8]
451 \f
452 RFC 2874 IPv6 DNS July 2000
455 5.1. A6 Record Chains
457 Let's take the example of a site X that is multi-homed to two
458 "intermediate" providers A and B. The provider A is itself multi-
459 homed to two "transit" providers, C and D. The provider B gets its
460 transit service from a single provider, E. For simplicity suppose
461 that C, D and E all belong to the same top-level aggregate (TLA) with
462 identifier (including format prefix) '2345', and the TLA authority at
463 ALPHA-TLA.ORG assigns to C, D and E respectively the next level
464 aggregate (NLA) prefixes 2345:00C0::/28, 2345:00D0::/28 and
465 2345:000E::/32.
467 C assigns the NLA prefix 2345:00C1:CA00::/40 to A, D assigns the
468 prefix 2345:00D2:DA00::/40 to A and E assigns 2345:000E:EB00::/40 to
469 B.
471 A assigns to X the subscriber identification '11' and B assigns the
472 subscriber identification '22'. As a result, the site X inherits
473 three address prefixes:
475 o 2345:00C1:CA11::/48 from A, for routes through C.
476 o 2345:00D2:DA11::/48 from A, for routes through D.
477 o 2345:000E:EB22::/48 from B, for routes through E.
479 Let us suppose that N is a node in the site X, that it is assigned to
480 subnet number 1 in this site, and that it uses the interface
481 identifier '1234:5678:9ABC:DEF0'. In our configuration, this node
482 will have three addresses:
484 o 2345:00C1:CA11:0001:1234:5678:9ABC:DEF0
485 o 2345:00D2:DA11:0001:1234:5678:9ABC:DEF0
486 o 2345:000E:EB22:0001:1234:5678:9ABC:DEF0
488 5.1.1. Authoritative Data
490 We will assume that the site X is represented in the DNS by the
491 domain name X.EXAMPLE, while A, B, C, D and E are represented by
492 A.NET, B.NET, C.NET, D.NET and E.NET. In each of these domains, we
493 assume a subdomain "IP6" that will hold the corresponding prefixes.
494 The node N is identified by the domain name N.X.EXAMPLE. The
495 following records would then appear in X's DNS.
497 $ORIGIN X.EXAMPLE.
498 N A6 64 ::1234:5678:9ABC:DEF0 SUBNET-1.IP6
499 SUBNET-1.IP6 A6 48 0:0:0:1:: IP6
500 IP6 A6 48 0::0 SUBSCRIBER-X.IP6.A.NET.
501 IP6 A6 48 0::0 SUBSCRIBER-X.IP6.B.NET.
506 Crawford, et al. Standards Track [Page 9]
507 \f
508 RFC 2874 IPv6 DNS July 2000
511 And elsewhere there would appear
513 SUBSCRIBER-X.IP6.A.NET. A6 40 0:0:0011:: A.NET.IP6.C.NET.
514 SUBSCRIBER-X.IP6.A.NET. A6 40 0:0:0011:: A.NET.IP6.D.NET.
516 SUBSCRIBER-X.IP6.B.NET. A6 40 0:0:0022:: B-NET.IP6.E.NET.
518 A.NET.IP6.C.NET. A6 28 0:0001:CA00:: C.NET.ALPHA-TLA.ORG.
520 A.NET.IP6.D.NET. A6 28 0:0002:DA00:: D.NET.ALPHA-TLA.ORG.
522 B-NET.IP6.E.NET. A6 32 0:0:EB00:: E.NET.ALPHA-TLA.ORG.
524 C.NET.ALPHA-TLA.ORG. A6 0 2345:00C0::
525 D.NET.ALPHA-TLA.ORG. A6 0 2345:00D0::
526 E.NET.ALPHA-TLA.ORG. A6 0 2345:000E::
528 5.1.2. Glue
530 When, as is common, some or all DNS servers for X.EXAMPLE are within
531 the X.EXAMPLE zone itself, the top-level zone EXAMPLE must carry
532 enough "glue" information to enable DNS clients to reach those
533 nameservers. This is true in IPv6 just as in IPv4. However, the A6
534 record affords the DNS administrator some choices. The glue could be
535 any of
537 o a minimal set of A6 records duplicated from the X.EXAMPLE zone,
539 o a (possibly smaller) set of records which collapse the structure
540 of that minimal set,
542 o or a set of A6 records with prefix length zero, giving the entire
543 global addresses of the servers.
545 The trade-off is ease of maintenance against robustness. The best
546 and worst of both may be had together by implementing either the
547 first or second option together with the third. To illustrate the
548 glue options, suppose that X.EXAMPLE is served by two nameservers
549 NS1.X.EXAMPLE and NS2.X.EXAMPLE, having interface identifiers
550 ::1:11:111:1111 and ::2:22:222:2222 on subnets 1 and 2 respectively.
551 Then the top-level zone EXAMPLE would include one (or more) of the
552 following sets of A6 records as glue.
562 Crawford, et al. Standards Track [Page 10]
563 \f
564 RFC 2874 IPv6 DNS July 2000
567 $ORIGIN EXAMPLE. ; first option
568 X NS NS1.X
569 NS NS2.X
570 NS1.X A6 64 ::1:11:111:1111 SUBNET-1.IP6.X
571 NS2.X A6 64 ::2:22:222:2222 SUBNET-2.IP6.X
572 SUBNET-1.IP6.X A6 48 0:0:0:1:: IP6.X
573 SUBNET-2.IP6.X A6 48 0:0:0:2:: IP6.X
574 IP6.X A6 48 0::0 SUBSCRIBER-X.IP6.A.NET.
575 IP6.X A6 48 0::0 SUBSCRIBER-X.IP6.B.NET.
578 $ORIGIN EXAMPLE. ; second option
579 X NS NS1.X
580 NS NS2.X
581 NS1.X A6 48 ::1:1:11:111:1111 SUBSCRIBER-X.IP6.A.NET.
582 A6 48 ::1:1:11:111:1111 SUBSCRIBER-X.IP6.B.NET.
583 NS2.X A6 48 ::2:2:22:222:2222 SUBSCRIBER-X.IP6.A.NET.
584 A6 48 ::2:2:22:222:2222 SUBSCRIBER-X.IP6.B.NET.
587 $ORIGIN EXAMPLE. ; third option
588 X NS NS1.X
589 NS NS2.X
590 NS1.X A6 0 2345:00C1:CA11:1:1:11:111:1111
591 A6 0 2345:00D2:DA11:1:1:11:111:1111
592 A6 0 2345:000E:EB22:1:1:11:111:1111
593 NS2.X A6 0 2345:00C1:CA11:2:2:22:222:2222
594 A6 0 2345:00D2:DA11:2:2:22:222:2222
595 A6 0 2345:000E:EB22:2:2:22:222:2222
597 The first and second glue options are robust against renumbering of
598 X.EXAMPLE's prefixes by providers A.NET and B.NET, but will fail if
599 those providers' own DNS is unreachable. The glue records of the
600 third option are robust against DNS failures elsewhere than the zones
601 EXAMPLE and X.EXAMPLE themselves, but must be updated when X's
602 address space is renumbered.
604 If the EXAMPLE zone includes redundant glue, for instance the union
605 of the A6 records of the first and third options, then under normal
606 circumstances duplicate IPv6 addresses will be derived by DNS
607 clients. But if provider DNS fails, addresses will still be obtained
608 from the zero-prefix-length records, while if the EXAMPLE zone lags
609 behind a renumbering of X.EXAMPLE, half of the addresses obtained by
610 DNS clients will still be up-to-date.
612 The zero-prefix-length glue records can of course be automatically
613 generated and/or checked in practice.
618 Crawford, et al. Standards Track [Page 11]
619 \f
620 RFC 2874 IPv6 DNS July 2000
623 5.1.3. Variations
625 Several more-or-less arbitrary assumptions are reflected in the above
626 structure. All of the following choices could have been made
627 differently, according to someone's notion of convenience or an
628 agreement between two parties.
630 First, that site X has chosen to put subnet information in a
631 separate A6 record rather than incorporate it into each node's A6
632 records.
634 Second, that site X is referred to as "SUBSCRIBER-X" by both of
635 its providers A and B.
637 Third, that site X chose to indirect its provider information
638 through A6 records at IP6.X.EXAMPLE containing no significant
639 bits. An alternative would have been to replicate each subnet
640 record for each provider.
642 Fourth, B and E used a slightly different prefix naming convention
643 between themselves than did A, C and D. Each hierarchical pair of
644 network entities must arrange this naming between themselves.
646 Fifth, that the upward prefix referral chain topped out at ALPHA-
647 TLA.ORG. There could have been another level which assigned the
648 TLA values and holds A6 records containing those bits.
650 Finally, the above structure reflects an assumption that address
651 fields assigned by a given entity are recorded only in A6 records
652 held by that entity. Those bits could be entered into A6 records in
653 the lower-level entity's zone instead, thus:
655 IP6.X.EXAMPLE. A6 40 0:0:11:: IP6.A.NET.
656 IP6.X.EXAMPLE. A6 40 0:0:22:: IP6.B.NET.
658 IP6.A.NET. A6 28 0:1:CA00:: IP6.C.NET.
659 and so on.
661 Or the higher-level entities could hold both sorts of A6 records
662 (with different DNS owner names) and allow the lower-level entities
663 to choose either mode of A6 chaining. But the general principle of
664 avoiding data duplication suggests that the proper place to store
665 assigned values is with the entity that assigned them.
667 It is possible, but not necessarily recommended, for a zone
668 maintainer to forego the renumbering support afforded by the chaining
669 of A6 records and to record entire IPv6 addresses within one zone
670 file.
674 Crawford, et al. Standards Track [Page 12]
675 \f
676 RFC 2874 IPv6 DNS July 2000
679 5.2. Reverse Mapping Zones
681 Supposing that address space assignments in the TLAs with Format
682 Prefix (001) binary and IDs 0345, 0678 and 09AB were maintained in
683 zones called ALPHA-TLA.ORG, BRAVO-TLA.ORG and CHARLIE-TLA.XY, then
684 the IP6.ARPA zone would include
686 $ORIGIN IP6.ARPA.
687 \[x234500/24] DNAME IP6.ALPHA-TLA.ORG.
688 \[x267800/24] DNAME IP6.BRAVO-TLA.ORG.
689 \[x29AB00/24] DNAME IP6.CHARLIE-TLA.XY.
691 Eight trailing zero bits have been included in each TLA ID to reflect
692 the eight reserved bits in the current aggregatable global unicast
693 addresses format [AGGR].
695 5.2.1. The TLA level
697 ALPHA-TLA's assignments to network providers C, D and E are reflected
698 in the reverse data as follows.
700 \[xC/4].IP6.ALPHA-TLA.ORG. DNAME IP6.C.NET.
701 \[xD/4].IP6.ALPHA-TLA.ORG. DNAME IP6.D.NET.
702 \[x0E/8].IP6.ALPHA-TLA.ORG. DNAME IP6.E.NET.
704 5.2.2. The ISP level
706 The providers A through E carry the following delegation information
707 in their zone files.
709 \[x1CA/12].IP6.C.NET. DNAME IP6.A.NET.
710 \[x2DA/12].IP6.D.NET. DNAME IP6.A.NET.
711 \[xEB/8].IP6.E.NET. DNAME IP6.B.NET.
712 \[x11/8].IP6.A.NET. DNAME IP6.X.EXAMPLE.
713 \[x22/8].IP6.B.NET. DNAME IP6.X.EXAMPLE.
715 Note that some domain names appear in the RDATA of more than one
716 DNAME record. In those cases, one zone is being used to map multiple
717 prefixes.
719 5.2.3. The Site Level
721 Consider the customer X.EXAMPLE using IP6.X.EXAMPLE for address-to-
722 name translations. This domain is now referenced by two different
723 DNAME records held by two different providers.
730 Crawford, et al. Standards Track [Page 13]
731 \f
732 RFC 2874 IPv6 DNS July 2000
735 $ORIGIN IP6.X.EXAMPLE.
736 \[x0001/16] DNAME SUBNET-1
737 \[x123456789ABCDEF0].SUBNET-1 PTR N.X.EXAMPLE.
738 and so on.
740 SUBNET-1 need not have been named in a DNAME record; the subnet bits
741 could have been joined with the interface identifier. But if subnets
742 are treated alike in both the A6 records and in the reverse zone, it
743 will always be possible to keep the forward and reverse definition
744 data for each prefix in one zone.
746 5.3. Lookups
748 A DNS resolver looking for a hostname for the address
749 2345:00C1:CA11:0001:1234:5678:9ABC:DEF0 would acquire certain of the
750 DNAME records shown above and would form new queries. Assuming that
751 it began the process knowing servers for IP6.ARPA, but that no server
752 it consulted provided recursion and none had other useful additional
753 information cached, the sequence of queried names and responses would
754 be (all with QCLASS=IN, QTYPE=PTR):
756 To a server for IP6.ARPA:
757 QNAME=\[x234500C1CA110001123456789ABCDEF0/128].IP6.ARPA.
759 Answer:
760 \[x234500/24].IP6.ARPA. DNAME IP6.ALPHA-TLA.ORG.
762 To a server for IP6.ALPHA-TLA.ORG:
763 QNAME=\[xC1CA110001123456789ABCDEF0/104].IP6.ALPHA-TLA.ORG.
765 Answer:
766 \[xC/4].IP6.ALPHA-TLA.ORG. DNAME IP6.C.NET.
768 To a server for IP6.C.NET.:
769 QNAME=\[x1CA110001123456789ABCDEF0/100].IP6.C.NET.
771 Answer:
772 \[x1CA/12].IP6.C.NET. DNAME IP6.A.NET.
774 To a server for IP6.A.NET.:
775 QNAME=\[x110001123456789ABCDEF0/88].IP6.A.NET.
777 Answer:
778 \[x11/8].IP6.A.NET. DNAME IP6.X.EXAMPLE.
780 To a server for IP6.X.EXAMPLE.:
781 QNAME=\[x0001123456789ABCDEF0/80].IP6.X.EXAMPLE.
786 Crawford, et al. Standards Track [Page 14]
787 \f
788 RFC 2874 IPv6 DNS July 2000
791 Answer:
792 \[x0001/16].IP6.X.EXAMPLE. DNAME SUBNET-1.IP6.X.EXAMPLE.
793 \[x123456789ABCDEF0/64].SUBNET-1.X.EXAMPLE. PTR N.X.EXAMPLE.
795 All the DNAME (and NS) records acquired along the way can be cached
796 to expedite resolution of addresses topologically near to this
797 address. And if another global address of N.X.EXAMPLE were resolved
798 within the TTL of the final PTR record, that record would not have to
799 be fetched again.
801 5.4. Operational Note
803 In the illustrations in section 5.1, hierarchically adjacent
804 entities, such as a network provider and a customer, must agree on a
805 DNS name which will own the definition of the delegated prefix(es).
806 One simple convention would be to use a bit-string label representing
807 exactly the bits which are assigned to the lower-level entity by the
808 higher. For example, "SUBSCRIBER-X" could be replaced by "\[x11/8]".
809 This would place the A6 record(s) defining the delegated prefix at
810 exactly the same point in the DNS tree as the DNAME record associated
811 with that delegation. The cost of this simplification is that the
812 lower-level zone must update its upward-pointing A6 records when it
813 is renumbered. This cost may be found quite acceptable in practice.
815 6. Transition from RFC 1886 and Deployment Notes
817 When prefixes have been "delegated upward" with A6 records, the
818 number of DNS resource records required to establish a single IPv6
819 address increases by some non-trivial factor. Those records will
820 typically, but not necessarily, come from different DNS zones (which
821 can independently suffer failures for all the usual reasons). When
822 obtaining multiple IPv6 addresses together, this increase in RR count
823 will be proportionally less -- and the total size of a DNS reply
824 might even decrease -- if the addresses are topologically clustered.
825 But the records could still easily exceed the space available in a
826 UDP response which returns a large RRset [DNSCLAR] to an MX, NS, or
827 SRV query, for example. The possibilities for overall degradation of
828 performance and reliability of DNS lookups are numerous, and increase
829 with the number of prefix delegations involved, especially when those
830 delegations point to records in other zones.
832 DNS Security [DNSSEC] addresses the trustworthiness of cached data,
833 which is a problem intrinsic to DNS, but the cost of applying this to
834 an IPv6 address is multiplied by a factor which may be greater than
835 the number of prefix delegations involved if different signature
836 chains must be verified for different A6 records. If a trusted
837 centralized caching server (as in [TSIG], for example) is used, this
838 cost might be amortized to acceptable levels. One new phenomenon is
842 Crawford, et al. Standards Track [Page 15]
843 \f
844 RFC 2874 IPv6 DNS July 2000
847 the possibility that IPv6 addresses may be formed from a A6 records
848 from a combination of secure and unsecured zones.
850 Until more deployment experience is gained with the A6 record, it is
851 recommended that prefix delegations be limited to one or two levels.
852 A reasonable phasing-in mechanism would be to start with no prefix
853 delegations (all A6 records having prefix length 0) and then to move
854 to the use of a single level of delegation within a single zone. (If
855 the TTL of the "prefix" A6 records is kept to an appropriate duration
856 the capability for rapid renumbering is not lost.) More aggressively
857 flexible delegation could be introduced for a subset of hosts for
858 experimentation.
860 6.1. Transition from AAAA and Coexistence with A Records
862 Administrators of zones which contain A6 records can easily
863 accommodate deployed resolvers which understand AAAA records but not
864 A6 records. Such administrators can do automatic generation of AAAA
865 records for all of a zone's names which own A6 records by a process
866 which mimics the resolution of a hostname to an IPv6 address (see
867 section 3.1.4). Attention must be paid to the TTL assigned to a
868 generated AAAA record, which MUST be no more than the minimum of the
869 TTLs of the A6 records that were used to form the IPv6 address in
870 that record. For full robustness, those A6 records which were in
871 different zones should be monitored for changes (in TTL or RDATA)
872 even when there are no changes to zone for which AAAA records are
873 being generated. If the zone is secure [DNSSEC], the generated AAAA
874 records MUST be signed along with the rest of the zone data.
876 A zone-specific heuristic MAY be used to avoid generation of AAAA
877 records for A6 records which record prefixes, although such
878 superfluous records would be relatively few in number and harmless.
879 Examples of such heuristics include omitting A6 records with a prefix
880 length less than the largest value found in the zone file, or records
881 with an address suffix field with a certain number of trailing zero
882 bits.
884 On the client side, when looking up and IPv6 address, the order of A6
885 and AAAA queries MAY be configurable to be one of: A6, then AAAA;
886 AAAA, then A6; A6 only; or both in parallel. The default order (or
887 only order, if not configurable) MUST be to try A6 first, then AAAA.
888 If and when the AAAA becomes deprecated a new document will change
889 the default.
891 The guidelines and options for precedence between IPv4 and IPv6
892 addresses are specified in [TRANS]. All mentions of AAAA records in
893 that document are henceforth to be interpreted as meaning A6 and/or
894 AAAA records in the order specified in the previous paragraph.
898 Crawford, et al. Standards Track [Page 16]
899 \f
900 RFC 2874 IPv6 DNS July 2000
903 6.2. Transition from Nibble Labels to Binary Labels
905 Implementations conforming to RFC 1886 [AAAA] perform reverse lookups
906 as follows:
908 An IPv6 address is represented as a name in the IP6.INT domain by
909 a sequence of nibbles separated by dots with the suffix
910 ".IP6.INT". The sequence of nibbles is encoded in reverse order,
911 i.e. the low-order nibble is encoded first, followed by the next
912 low-order nibble and so on. Each nibble is represented by a
913 hexadecimal digit. For example, a name for the address
914 2345:00C1:CA11:0001:1234:5678:9ABC:DEF0 of the example in section
915 5.3 would be sought at the DNS name "0.f.e.d.c.b.a.9.-
916 8.7.6.5.4.3.2.1.1.0.0.0.1.1.a.c.1.c.0.0.5.4.3.2.ip6.int."
918 Implementations conforming to this specification will perform a
919 lookup of a binary label in IP6.ARPA as specified in Section 3.2. It
920 is RECOMMENDED that for a transition period implementations first
921 lookup the binary label in IP6.ARPA and if this fails try to lookup
922 the 'nibble' label in IP6.INT.
924 7. Security Considerations
926 The signing authority [DNSSEC] for the A6 records which determine an
927 IPv6 address is distributed among several entities, reflecting the
928 delegation path of the address space which that address occupies.
929 DNS Security is fully applicable to bit-string labels and DNAME
930 records. And just as in IPv4, verification of name-to-address
931 mappings is logically independent of verification of address-to-name
932 mappings.
934 With or without DNSSEC, the incomplete but non-empty address set
935 scenario of section 3.1.4 could be caused by selective interference
936 with DNS lookups. If in some situation this would be more harmful
937 than complete DNS failure, it might be mitigated on the client side
938 by refusing to act on an incomplete set, or on the server side by
939 listing all addresses in A6 records with prefix length 0.
941 8. IANA Considerations
943 The A6 resource record has been assigned a Type value of 38.
954 Crawford, et al. Standards Track [Page 17]
955 \f
956 RFC 2874 IPv6 DNS July 2000
959 9. Acknowledgments
961 The authors would like to thank the following persons for valuable
962 discussions and reviews: Mark Andrews, Rob Austein, Jim Bound, Randy
963 Bush, Brian Carpenter, David Conrad, Steve Deering, Francis Dupont,
964 Robert Elz, Bob Fink, Olafur Gudmundsson, Bob Halley, Bob Hinden,
965 Edward Lewis, Bill Manning, Keith Moore, Thomas Narten, Erik
966 Nordmark, Mike O'Dell, Michael Patton and Ken Powell.
968 10. References
970 [AAAA] Thomson, S. and C. Huitema, "DNS Extensions to support IP
971 version 6, RFC 1886, December 1995.
973 [AARCH] Hinden, R. and S. Deering, "IP Version 6 Addressing
974 Architecture", RFC 2373, July 1998.
976 [AGGR] Hinden, R., O'Dell, M. and S. Deering, "An IPv6
977 Aggregatable Global Unicast Address Format", RFC 2374, July
978 1998.
980 [BITLBL] Crawford, M., "Binary Labels in the Domain Name System",
981 RFC 2673, August 1999.
983 [DNAME] Crawford, M., "Non-Terminal DNS Name Redirection", RFC
984 2672, August 1999.
986 [DNSCLAR] Elz, R. and R. Bush, "Clarifications to the DNS
987 Specification", RFC 2181, July 1997.
989 [DNSIS] Mockapetris, P., "Domain names - implementation and
990 specification", STD 13, RFC 1035, November 1987.
992 [DNSSEC] Eastlake, D. 3rd and C. Kaufman, "Domain Name System
993 Security Extensions", RFC 2535, March 1999.
995 [KWORD] Bradner, S., "Key words for use in RFCs to Indicate
996 Requirement Levels", BCP 14, RFC 2119, March 1997.
998 [RENUM1] Carpenter, B. and Y. Rekhter, "Renumbering Needs Work", RFC
999 1900, February 1996.
1001 [RENUM2] Ferguson, P. and H. Berkowitz, "Network Renumbering
1002 Overview: Why would I want it and what is it anyway?", RFC
1003 2071, January 1997.
1005 [RENUM3] Carpenter, B., Crowcroft, J. and Y. Rekhter, "IPv4 Address
1006 Behaviour Today", RFC 2101, February 1997.
1010 Crawford, et al. Standards Track [Page 18]
1011 \f
1012 RFC 2874 IPv6 DNS July 2000
1015 [TRANS] Gilligan, R. and E. Nordmark, "Transition Mechanisms for
1016 IPv6 Hosts and Routers", RFC 1933, April 1996.
1018 [TSIG] Vixie, P., Gudmundsson, O., Eastlake, D. 3rd and B.
1019 Wellington, "Secret Key Transaction Authentication for DNS
1020 (TSIG)", RFC 2845, May 2000.
1022 11. Authors' Addresses
1024 Matt Crawford
1025 Fermilab
1026 MS 368
1027 PO Box 500
1028 Batavia, IL 60510
1029 USA
1031 Phone: +1 630 840-3461
1032 EMail: crawdad@fnal.gov
1035 Christian Huitema
1036 Microsoft Corporation
1037 One Microsoft Way
1038 Redmond, WA 98052-6399
1040 EMail: huitema@microsoft.com
1066 Crawford, et al. Standards Track [Page 19]
1067 \f
1068 RFC 2874 IPv6 DNS July 2000
1071 12. Full Copyright Statement
1073 Copyright (C) The Internet Society (2000). All Rights Reserved.
1075 This document and translations of it may be copied and furnished to
1076 others, and derivative works that comment on or otherwise explain it
1077 or assist in its implementation may be prepared, copied, published
1078 and distributed, in whole or in part, without restriction of any
1079 kind, provided that the above copyright notice and this paragraph are
1080 included on all such copies and derivative works. However, this
1081 document itself may not be modified in any way, such as by removing
1082 the copyright notice or references to the Internet Society or other
1083 Internet organizations, except as needed for the purpose of
1084 developing Internet standards in which case the procedures for
1085 copyrights defined in the Internet Standards process must be
1086 followed, or as required to translate it into languages other than
1087 English.
1089 The limited permissions granted above are perpetual and will not be
1090 revoked by the Internet Society or its successors or assigns.
1092 This document and the information contained herein is provided on an
1093 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
1094 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
1095 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
1096 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
1097 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1099 Acknowledgement
1101 Funding for the RFC Editor function is currently provided by the
1102 Internet Society.
1122 Crawford, et al. Standards Track [Page 20]
1123 \f