| blob | b396e9a11a55ee89b2ec04357d15313fb6335e95 |
7 Network Working Group A. Durand
8 Request for Comments: 4472 Comcast
9 Category: Informational J. Ihren
10 Autonomica
11 P. Savola
12 CSC/FUNET
13 April 2006
16 Operational Considerations and Issues with IPv6 DNS
18 Status of This Memo
20 This memo provides information for the Internet community. It does
21 not specify an Internet standard of any kind. Distribution of this
22 memo is unlimited.
24 Copyright Notice
26 Copyright (C) The Internet Society (2006).
28 Abstract
30 This memo presents operational considerations and issues with IPv6
31 Domain Name System (DNS), including a summary of special IPv6
32 addresses, documentation of known DNS implementation misbehavior,
33 recommendations and considerations on how to perform DNS naming for
34 service provisioning and for DNS resolver IPv6 support,
35 considerations for DNS updates for both the forward and reverse
36 trees, and miscellaneous issues. This memo is aimed to include a
37 summary of information about IPv6 DNS considerations for those who
38 have experience with IPv4 DNS.
40 Table of Contents
42 1. Introduction ....................................................3
43 1.1. Representing IPv6 Addresses in DNS Records .................3
44 1.2. Independence of DNS Transport and DNS Records ..............4
45 1.3. Avoiding IPv4/IPv6 Name Space Fragmentation ................4
46 1.4. Query Type '*' and A/AAAA Records ..........................4
47 2. DNS Considerations about Special IPv6 Addresses .................5
48 2.1. Limited-Scope Addresses ....................................5
49 2.2. Temporary Addresses ........................................5
50 2.3. 6to4 Addresses .............................................5
51 2.4. Other Transition Mechanisms ................................5
52 3. Observed DNS Implementation Misbehavior .........................6
53 3.1. Misbehavior of DNS Servers and Load-balancers ..............6
54 3.2. Misbehavior of DNS Resolvers ...............................6
58 Durand, et al. Informational [Page 1]
59 \f
60 RFC 4472 Considerations with IPv6 DNS April 2006
63 4. Recommendations for Service Provisioning Using DNS ..............7
64 4.1. Use of Service Names instead of Node Names .................7
65 4.2. Separate vs. the Same Service Names for IPv4 and IPv6 ......8
66 4.3. Adding the Records Only When Fully IPv6-enabled ............8
67 4.4. The Use of TTL for IPv4 and IPv6 RRs .......................9
68 4.4.1. TTL with Courtesy Additional Data ...................9
69 4.4.2. TTL with Critical Additional Data ..................10
70 4.5. IPv6 Transport Guidelines for DNS Servers .................10
71 5. Recommendations for DNS Resolver IPv6 Support ..................10
72 5.1. DNS Lookups May Query IPv6 Records Prematurely ............10
73 5.2. Obtaining a List of DNS Recursive Resolvers ...............12
74 5.3. IPv6 Transport Guidelines for Resolvers ...................12
75 6. Considerations about Forward DNS Updating ......................13
76 6.1. Manual or Custom DNS Updates ..............................13
77 6.2. Dynamic DNS ...............................................13
78 7. Considerations about Reverse DNS Updating ......................14
79 7.1. Applicability of Reverse DNS ..............................14
80 7.2. Manual or Custom DNS Updates ..............................15
81 7.3. DDNS with Stateless Address Autoconfiguration .............16
82 7.4. DDNS with DHCP ............................................17
83 7.5. DDNS with Dynamic Prefix Delegation .......................17
84 8. Miscellaneous DNS Considerations ...............................18
85 8.1. NAT-PT with DNS-ALG .......................................18
86 8.2. Renumbering Procedures and Applications' Use of DNS .......18
87 9. Acknowledgements ...............................................19
88 10. Security Considerations .......................................19
89 11. References ....................................................20
90 11.1. Normative References .....................................20
91 11.2. Informative References ...................................22
92 Appendix A. Unique Local Addressing Considerations for DNS ........24
93 Appendix B. Behavior of Additional Data in IPv4/IPv6
94 Environments ..........................................24
95 B.1. Description of Additional Data Scenarios ..................24
96 B.2. Which Additional Data to Keep, If Any? ....................26
97 B.3. Discussion of the Potential Problems ......................27
114 Durand, et al. Informational [Page 2]
115 \f
116 RFC 4472 Considerations with IPv6 DNS April 2006
119 1. Introduction
121 This memo presents operational considerations and issues with IPv6
122 DNS; it is meant to be an extensive summary and a list of pointers
123 for more information about IPv6 DNS considerations for those with
124 experience with IPv4 DNS.
126 The purpose of this document is to give information about various
127 issues and considerations related to DNS operations with IPv6; it is
128 not meant to be a normative specification or standard for IPv6 DNS.
130 The first section gives a brief overview of how IPv6 addresses and
131 names are represented in the DNS, how transport protocols and
132 resource records (don't) relate, and what IPv4/IPv6 name space
133 fragmentation means and how to avoid it; all of these are described
134 at more length in other documents.
136 The second section summarizes the special IPv6 address types and how
137 they relate to DNS. The third section describes observed DNS
138 implementation misbehaviors that have a varying effect on the use of
139 IPv6 records with DNS. The fourth section lists recommendations and
140 considerations for provisioning services with DNS. The fifth section
141 in turn looks at recommendations and considerations about providing
142 IPv6 support in the resolvers. The sixth and seventh sections
143 describe considerations with forward and reverse DNS updates,
144 respectively. The eighth section introduces several miscellaneous
145 IPv6 issues relating to DNS for which no better place has been found
146 in this memo. Appendix A looks briefly at the requirements for
147 unique local addressing. Appendix B discusses additional data.
149 1.1. Representing IPv6 Addresses in DNS Records
151 In the forward zones, IPv6 addresses are represented using AAAA
152 records. In the reverse zones, IPv6 address are represented using
153 PTR records in the nibble format under the ip6.arpa. tree. See
154 [RFC3596] for more about IPv6 DNS usage, and [RFC3363] or [RFC3152]
155 for background information.
157 In particular, one should note that the use of A6 records in the
158 forward tree or Bitlabels in the reverse tree is not recommended
159 [RFC3363]. Using DNAME records is not recommended in the reverse
160 tree in conjunction with A6 records; the document did not mean to
161 take a stance on any other use of DNAME records [RFC3364].
170 Durand, et al. Informational [Page 3]
171 \f
172 RFC 4472 Considerations with IPv6 DNS April 2006
175 1.2. Independence of DNS Transport and DNS Records
177 DNS has been designed to present a single, globally unique name space
178 [RFC2826]. This property should be maintained, as described here and
179 in Section 1.3.
181 The IP version used to transport the DNS queries and responses is
182 independent of the records being queried: AAAA records can be queried
183 over IPv4, and A records over IPv6. The DNS servers must not make
184 any assumptions about what data to return for Answer and Authority
185 sections based on the underlying transport used in a query.
187 However, there is some debate whether the addresses in Additional
188 section could be selected or filtered using hints obtained from which
189 transport was being used; this has some obvious problems because in
190 many cases the transport protocol does not correlate with the
191 requests, and because a "bad" answer is in a way worse than no answer
192 at all (consider the case where the client is led to believe that a
193 name received in the additional record does not have any AAAA records
194 at all).
196 As stated in [RFC3596]:
198 The IP protocol version used for querying resource records is
199 independent of the protocol version of the resource records; e.g.,
200 IPv4 transport can be used to query IPv6 records and vice versa.
202 1.3. Avoiding IPv4/IPv6 Name Space Fragmentation
204 To avoid the DNS name space from fragmenting into parts where some
205 parts of DNS are only visible using IPv4 (or IPv6) transport, the
206 recommendation is to always keep at least one authoritative server
207 IPv4-enabled, and to ensure that recursive DNS servers support IPv4.
208 See DNS IPv6 transport guidelines [RFC3901] for more information.
210 1.4. Query Type '*' and A/AAAA Records
212 QTYPE=* is typically only used for debugging or management purposes;
213 it is worth keeping in mind that QTYPE=* ("ANY" queries) only return
214 any available RRsets, not *all* the RRsets, because the caches do not
215 necessarily have all the RRsets and have no way of guaranteeing that
216 they have all the RRsets. Therefore, to get both A and AAAA records
217 reliably, two separate queries must be made.
226 Durand, et al. Informational [Page 4]
227 \f
228 RFC 4472 Considerations with IPv6 DNS April 2006
231 2. DNS Considerations about Special IPv6 Addresses
233 There are a couple of IPv6 address types that are somewhat special;
234 these are considered here.
236 2.1. Limited-Scope Addresses
238 The IPv6 addressing architecture [RFC4291] includes two kinds of
239 local-use addresses: link-local (fe80::/10) and site-local
240 (fec0::/10). The site-local addresses have been deprecated [RFC3879]
241 but are discussed with unique local addresses in Appendix A.
243 Link-local addresses should never be published in DNS (whether in
244 forward or reverse tree), because they have only local (to the
245 connected link) significance [WIP-DC2005].
247 2.2. Temporary Addresses
249 Temporary addresses defined in RFC 3041 [RFC3041] (sometimes called
250 "privacy addresses") use a random number as the interface identifier.
251 Having DNS AAAA records that are updated to always contain the
252 current value of a node's temporary address would defeat the purpose
253 of the mechanism and is not recommended. However, it would still be
254 possible to return a non-identifiable name (e.g., the IPv6 address in
255 hexadecimal format), as described in [RFC3041].
257 2.3. 6to4 Addresses
259 6to4 [RFC3056] specifies an automatic tunneling mechanism that maps a
260 public IPv4 address V4ADDR to an IPv6 prefix 2002:V4ADDR::/48.
262 If the reverse DNS population would be desirable (see Section 7.1 for
263 applicability), there are a number of possible ways to do so.
265 [WIP-H2005] aims to design an autonomous reverse-delegation system
266 that anyone being capable of communicating using a specific 6to4
267 address would be able to set up a reverse delegation to the
268 corresponding 6to4 prefix. This could be deployed by, e.g., Regional
269 Internet Registries (RIRs). This is a practical solution, but may
270 have some scalability concerns.
272 2.4. Other Transition Mechanisms
274 6to4 is mentioned as a case of an IPv6 transition mechanism requiring
275 special considerations. In general, mechanisms that include a
276 special prefix may need a custom solution; otherwise, for example,
277 when IPv4 address is embedded as the suffix or not embedded at all,
278 special solutions are likely not needed.
282 Durand, et al. Informational [Page 5]
283 \f
284 RFC 4472 Considerations with IPv6 DNS April 2006
287 Note that it does not seem feasible to provide reverse DNS with
288 another automatic tunneling mechanism, Teredo [RFC4380]; this is
289 because the IPv6 address is based on the IPv4 address and UDP port of
290 the current Network Address Translation (NAT) mapping, which is
291 likely to be relatively short-lived.
293 3. Observed DNS Implementation Misbehavior
295 Several classes of misbehavior in DNS servers, load-balancers, and
296 resolvers have been observed. Most of these are rather generic, not
297 only applicable to IPv6 -- but in some cases, the consequences of
298 this misbehavior are extremely severe in IPv6 environments and
299 deserve to be mentioned.
301 3.1. Misbehavior of DNS Servers and Load-balancers
303 There are several classes of misbehavior in certain DNS servers and
304 load-balancers that have been noticed and documented [RFC4074]: some
305 implementations silently drop queries for unimplemented DNS records
306 types, or provide wrong answers to such queries (instead of a proper
307 negative reply). While typically these issues are not limited to
308 AAAA records, the problems are aggravated by the fact that AAAA
309 records are being queried instead of (mainly) A records.
311 The problems are serious because when looking up a DNS name, typical
312 getaddrinfo() implementations, with AF_UNSPEC hint given, first try
313 to query the AAAA records of the name, and after receiving a
314 response, query the A records. This is done in a serial fashion --
315 if the first query is never responded to (instead of properly
316 returning a negative answer), significant time-outs will occur.
318 In consequence, this is an enormous problem for IPv6 deployments, and
319 in some cases, IPv6 support in the software has even been disabled
320 due to these problems.
322 The solution is to fix or retire those misbehaving implementations,
323 but that is likely not going to be effective. There are some
324 possible ways to mitigate the problem, e.g., by performing the
325 lookups somewhat in parallel and reducing the time-out as long as at
326 least one answer has been received, but such methods remain to be
327 investigated; slightly more on this is included in Section 5.
329 3.2. Misbehavior of DNS Resolvers
331 Several classes of misbehavior have also been noticed in DNS
332 resolvers [WIP-LB2005]. However, these do not seem to directly
333 impair IPv6 use, and are only referred to for completeness.
338 Durand, et al. Informational [Page 6]
339 \f
340 RFC 4472 Considerations with IPv6 DNS April 2006
343 4. Recommendations for Service Provisioning Using DNS
345 When names are added in the DNS to facilitate a service, there are
346 several general guidelines to consider to be able to do it as
347 smoothly as possible.
349 4.1. Use of Service Names instead of Node Names
351 It makes sense to keep information about separate services logically
352 separate in the DNS by using a different DNS hostname for each
353 service. There are several reasons for doing this, for example:
355 o It allows more flexibility and ease for migration of (only a part
356 of) services from one node to another,
358 o It allows configuring different properties (e.g., Time to Live
359 (TTL)) for each service, and
361 o It allows deciding separately for each service whether or not to
362 publish the IPv6 addresses (in cases where some services are more
363 IPv6-ready than others).
365 Using SRV records [RFC2782] would avoid these problems.
366 Unfortunately, those are not sufficiently widely used to be
367 applicable in most cases. Hence an operation technique is to use
368 service names instead of node names (or "hostnames"). This
369 operational technique is not specific to IPv6, but required to
370 understand the considerations described in Section 4.2 and
371 Section 4.3.
373 For example, assume a node named "pobox.example.com" provides both
374 SMTP and IMAP service. Instead of configuring the MX records to
375 point at "pobox.example.com", and configuring the mail clients to
376 look up the mail via IMAP from "pobox.example.com", one could use,
377 e.g., "smtp.example.com" for SMTP (for both message submission and
378 mail relaying between SMTP servers) and "imap.example.com" for IMAP.
379 Note that in the specific case of SMTP relaying, the server itself
380 must typically also be configured to know all its names to ensure
381 that loops do not occur. DNS can provide a layer of indirection
382 between service names and where the service actually is, and using
383 which addresses. (Obviously, when wanting to reach a specific node,
384 one should use the hostname rather than a service name.)
394 Durand, et al. Informational [Page 7]
395 \f
396 RFC 4472 Considerations with IPv6 DNS April 2006
399 4.2. Separate vs. the Same Service Names for IPv4 and IPv6
401 The service naming can be achieved in basically two ways: when a
402 service is named "service.example.com" for IPv4, the IPv6-enabled
403 service could either be added to "service.example.com" or added
404 separately under a different name, e.g., in a sub-domain like
405 "service.ipv6.example.com".
407 These two methods have different characteristics. Using a different
408 name allows for easier service piloting, minimizing the disturbance
409 to the "regular" users of IPv4 service; however, the service would
410 not be used transparently, without the user/application explicitly
411 finding it and asking for it -- which would be a disadvantage in most
412 cases. When the different name is under a sub-domain, if the
413 services are deployed within a restricted network (e.g., inside an
414 enterprise), it's possible to prefer them transparently, at least to
415 a degree, by modifying the DNS search path; however, this is a
416 suboptimal solution. Using the same service name is the "long-term"
417 solution, but may degrade performance for those clients whose IPv6
418 performance is lower than IPv4, or does not work as well (see
419 Section 4.3 for more).
421 In most cases, it makes sense to pilot or test a service using
422 separate service names, and move to the use of the same name when
423 confident enough that the service level will not degrade for the
424 users unaware of IPv6.
426 4.3. Adding the Records Only When Fully IPv6-enabled
428 The recommendation is that AAAA records for a service should not be
429 added to the DNS until all of following are true:
431 1. The address is assigned to the interface on the node.
433 2. The address is configured on the interface.
435 3. The interface is on a link that is connected to the IPv6
436 infrastructure.
438 In addition, if the AAAA record is added for the node, instead of
439 service as recommended, all the services of the node should be IPv6-
440 enabled prior to adding the resource record.
442 For example, if an IPv6 node is isolated from an IPv6 perspective
443 (e.g., it is not connected to IPv6 Internet) constraint #3 would mean
444 that it should not have an address in the DNS.
450 Durand, et al. Informational [Page 8]
451 \f
452 RFC 4472 Considerations with IPv6 DNS April 2006
455 Consider the case of two dual-stack nodes, which both are IPv6-
456 enabled, but the server does not have (global) IPv6 connectivity. As
457 the client looks up the server's name, only A records are returned
458 (if the recommendations above are followed), and no IPv6
459 communication, which would have been unsuccessful, is even attempted.
461 The issues are not always so black-and-white. Usually, it's
462 important that the service offered using both protocols is of roughly
463 equal quality, using the appropriate metrics for the service (e.g.,
464 latency, throughput, low packet loss, general reliability, etc.).
465 This is typically very important especially for interactive or real-
466 time services. In many cases, the quality of IPv6 connectivity may
467 not yet be equal to that of IPv4, at least globally; this has to be
468 taken into consideration when enabling services.
470 4.4. The Use of TTL for IPv4 and IPv6 RRs
472 The behavior of DNS caching when different TTL values are used for
473 different RRsets of the same name calls for explicit discussion. For
474 example, let's consider two unrelated zone fragments:
476 example.com. 300 IN MX foo.example.com.
477 foo.example.com. 300 IN A 192.0.2.1
478 foo.example.com. 100 IN AAAA 2001:db8::1
480 ...
482 child.example.com. 300 IN NS ns.child.example.com.
483 ns.child.example.com. 300 IN A 192.0.2.1
484 ns.child.example.com. 100 IN AAAA 2001:db8::1
486 In the former case, we have "courtesy" additional data; in the
487 latter, we have "critical" additional data. See more extensive
488 background discussion of additional data handling in Appendix B.
490 4.4.1. TTL with Courtesy Additional Data
492 When a caching resolver asks for the MX record of example.com, it
493 gets back "foo.example.com". It may also get back either one or both
494 of the A and AAAA records in the additional section. The resolver
495 must explicitly query for both A and AAAA records [RFC2821].
497 After 100 seconds, the AAAA record is removed from the cache(s)
498 because its TTL expired. It could be argued to be useful for the
499 caching resolvers to discard the A record when the shorter TTL (in
500 this case, for the AAAA record) expires; this would avoid the
501 situation where there would be a window of 200 seconds when
502 incomplete information is returned from the cache. Further argument
506 Durand, et al. Informational [Page 9]
507 \f
508 RFC 4472 Considerations with IPv6 DNS April 2006
511 for discarding is that in the normal operation, the TTL values are so
512 high that very likely the incurred additional queries would not be
513 noticeable, compared to the obtained performance optimization. The
514 behavior in this scenario is unspecified.
516 4.4.2. TTL with Critical Additional Data
518 The difference to courtesy additional data is that the A/AAAA records
519 served by the parent zone cannot be queried explicitly. Therefore,
520 after 100 seconds the AAAA record is removed from the cache(s), but
521 the A record remains. Queries for the remaining 200 seconds
522 (provided that there are no further queries from the parent that
523 could refresh the caches) only return the A record, leading to a
524 potential operational situation with unreachable servers.
526 Similar cache flushing strategies apply in this scenario; the
527 behavior is likewise unspecified.
529 4.5. IPv6 Transport Guidelines for DNS Servers
531 As described in Section 1.3 and [RFC3901], there should continue to
532 be at least one authoritative IPv4 DNS server for every zone, even if
533 the zone has only IPv6 records. (Note that obviously, having more
534 servers with robust connectivity would be preferable, but this is the
535 minimum recommendation; also see [RFC2182].)
537 5. Recommendations for DNS Resolver IPv6 Support
539 When IPv6 is enabled on a node, there are several things to consider
540 to ensure that the process is as smooth as possible.
542 5.1. DNS Lookups May Query IPv6 Records Prematurely
544 The system library that implements the getaddrinfo() function for
545 looking up names is a critical piece when considering the robustness
546 of enabling IPv6; it may come in basically three flavors:
548 1. The system library does not know whether IPv6 has been enabled in
549 the kernel of the operating system: it may start looking up AAAA
550 records with getaddrinfo() and AF_UNSPEC hint when the system is
551 upgraded to a system library version that supports IPv6.
553 2. The system library might start to perform IPv6 queries with
554 getaddrinfo() only when IPv6 has been enabled in the kernel.
555 However, this does not guarantee that there exists any useful
556 IPv6 connectivity (e.g., the node could be isolated from the
557 other IPv6 networks, only having link-local addresses).
562 Durand, et al. Informational [Page 10]
563 \f
564 RFC 4472 Considerations with IPv6 DNS April 2006
567 3. The system library might implement a toggle that would apply some
568 heuristics to the "IPv6-readiness" of the node before starting to
569 perform queries; for example, it could check whether only link-
570 local IPv6 address(es) exists, or if at least one global IPv6
571 address exists.
573 First, let us consider generic implications of unnecessary queries
574 for AAAA records: when looking up all the records in the DNS, AAAA
575 records are typically tried first, and then A records. These are
576 done in serial, and the A query is not performed until a response is
577 received to the AAAA query. Considering the misbehavior of DNS
578 servers and load-balancers, as described in Section 3.1, the lookup
579 delay for AAAA may incur additional unnecessary latency, and
580 introduce a component of unreliability.
582 One option here could be to do the queries partially in parallel; for
583 example, if the final response to the AAAA query is not received in
584 0.5 seconds, start performing the A query while waiting for the
585 result. (Immediate parallelism might not be optimal, at least
586 without information-sharing between the lookup threads, as that would
587 probably lead to duplicate non-cached delegation chain lookups.)
589 An additional concern is the address selection, which may, in some
590 circumstances, prefer AAAA records over A records even when the node
591 does not have any IPv6 connectivity [WIP-RDP2004]. In some cases,
592 the implementation may attempt to connect or send a datagram on a
593 physical link [WIP-R2006], incurring very long protocol time-outs,
594 instead of quickly falling back to IPv4.
596 Now, we can consider the issues specific to each of the three
597 possibilities:
599 In the first case, the node performs a number of completely useless
600 DNS lookups as it will not be able to use the returned AAAA records
601 anyway. (The only exception is where the application desires to know
602 what's in the DNS, but not use the result for communication.) One
603 should be able to disable these unnecessary queries, for both latency
604 and reliability reasons. However, as IPv6 has not been enabled, the
605 connections to IPv6 addresses fail immediately, and if the
606 application is programmed properly, the application can fall
607 gracefully back to IPv4 [RFC4038].
609 The second case is similar to the first, except it happens to a
610 smaller set of nodes when IPv6 has been enabled but connectivity has
611 not been provided yet. Similar considerations apply, with the
612 exception that IPv6 records, when returned, will be actually tried
613 first, which may typically lead to long time-outs.
618 Durand, et al. Informational [Page 11]
619 \f
620 RFC 4472 Considerations with IPv6 DNS April 2006
623 The third case is a bit more complex: optimizing away the DNS lookups
624 with only link-locals is probably safe (but may be desirable with
625 different lookup services that getaddrinfo() may support), as the
626 link-locals are typically automatically generated when IPv6 is
627 enabled, and do not indicate any form of IPv6 connectivity. That is,
628 performing DNS lookups only when a non-link-local address has been
629 configured on any interface could be beneficial -- this would be an
630 indication that the address has been configured either from a router
631 advertisement, Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
632 [RFC3315], or manually. Each would indicate at least some form of
633 IPv6 connectivity, even though there would not be guarantees of it.
635 These issues should be analyzed at more depth, and the fixes found
636 consensus on, perhaps in a separate document.
638 5.2. Obtaining a List of DNS Recursive Resolvers
640 In scenarios where DHCPv6 is available, a host can discover a list of
641 DNS recursive resolvers through the DHCPv6 "DNS Recursive Name
642 Server" option [RFC3646]. This option can be passed to a host
643 through a subset of DHCPv6 [RFC3736].
645 The IETF is considering the development of alternative mechanisms for
646 obtaining the list of DNS recursive name servers when DHCPv6 is
647 unavailable or inappropriate. No decision about taking on this
648 development work has been reached as of this writing [RFC4339].
650 In scenarios where DHCPv6 is unavailable or inappropriate, mechanisms
651 under consideration for development include the use of [WIP-O2004]
652 and the use of Router Advertisements to convey the information
653 [WIP-J2006].
655 Note that even though IPv6 DNS resolver discovery is a recommended
656 procedure, it is not required for dual-stack nodes in dual-stack
657 networks as IPv6 DNS records can be queried over IPv4 as well as
658 IPv6. Obviously, nodes that are meant to function without manual
659 configuration in IPv6-only networks must implement the DNS resolver
660 discovery function.
662 5.3. IPv6 Transport Guidelines for Resolvers
664 As described in Section 1.3 and [RFC3901], the recursive resolvers
665 should be IPv4-only or dual-stack to be able to reach any IPv4-only
666 DNS server. Note that this requirement is also fulfilled by an IPv6-
667 only stub resolver pointing to a dual-stack recursive DNS resolver.
674 Durand, et al. Informational [Page 12]
675 \f
676 RFC 4472 Considerations with IPv6 DNS April 2006
679 6. Considerations about Forward DNS Updating
681 While the topic of how to enable updating the forward DNS, i.e., the
682 mapping from names to the correct new addresses, is not specific to
683 IPv6, it should be considered especially due to the advent of
684 Stateless Address Autoconfiguration [RFC2462].
686 Typically, forward DNS updates are more manageable than doing them in
687 the reverse DNS, because the updater can often be assumed to "own" a
688 certain DNS name -- and we can create a form of security relationship
689 with the DNS name and the node that is allowed to update it to point
690 to a new address.
692 A more complex form of DNS updates -- adding a whole new name into a
693 DNS zone, instead of updating an existing name -- is considered out
694 of scope for this memo as it could require zone-wide authentication.
695 Adding a new name in the forward zone is a problem that is still
696 being explored with IPv4, and IPv6 does not seem to add much new in
697 that area.
699 6.1. Manual or Custom DNS Updates
701 The DNS mappings can also be maintained by hand, in a semi-automatic
702 fashion or by running non-standardized protocols. These are not
703 considered at more length in this memo.
705 6.2. Dynamic DNS
707 Dynamic DNS updates (DDNS) [RFC2136] [RFC3007] is a standardized
708 mechanism for dynamically updating the DNS. It works equally well
709 with Stateless Address Autoconfiguration (SLAAC), DHCPv6, or manual
710 address configuration. It is important to consider how each of these
711 behave if IP address-based authentication, instead of stronger
712 mechanisms [RFC3007], was used in the updates.
714 1. Manual addresses are static and can be configured.
716 2. DHCPv6 addresses could be reasonably static or dynamic, depending
717 on the deployment, and could or could not be configured on the
718 DNS server for the long term.
720 3. SLAAC addresses are typically stable for a long time, but could
721 require work to be configured and maintained.
723 As relying on IP addresses for Dynamic DNS is rather insecure at
724 best, stronger authentication should always be used; however, this
725 requires that the authorization keying will be explicitly configured
726 using unspecified operational methods.
730 Durand, et al. Informational [Page 13]
731 \f
732 RFC 4472 Considerations with IPv6 DNS April 2006
735 Note that with DHCP it is also possible that the DHCP server updates
736 the DNS, not the host. The host might only indicate in the DHCP
737 exchange which hostname it would prefer, and the DHCP server would
738 make the appropriate updates. Nonetheless, while this makes setting
739 up a secure channel between the updater and the DNS server easier, it
740 does not help much with "content" security, i.e., whether the
741 hostname was acceptable -- if the DNS server does not include
742 policies, they must be included in the DHCP server (e.g., a regular
743 host should not be able to state that its name is "www.example.com").
744 DHCP-initiated DDNS updates have been extensively described in
745 [WIP-SV2005], [WIP-S2005a], and [WIP-S2005b].
747 The nodes must somehow be configured with the information about the
748 servers where they will attempt to update their addresses, sufficient
749 security material for authenticating themselves to the server, and
750 the hostname they will be updating. Unless otherwise configured, the
751 first could be obtained by looking up the authoritative name servers
752 for the hostname; the second must be configured explicitly unless one
753 chooses to trust the IP address-based authentication (not a good
754 idea); and lastly, the nodename is typically pre-configured somehow
755 on the node, e.g., at install time.
757 Care should be observed when updating the addresses not to use longer
758 TTLs for addresses than are preferred lifetimes for the addresses, so
759 that if the node is renumbered in a managed fashion, the amount of
760 stale DNS information is kept to the minimum. That is, if the
761 preferred lifetime of an address expires, the TTL of the record needs
762 to be modified unless it was already done before the expiration. For
763 better flexibility, the DNS TTL should be much shorter (e.g., a half
764 or a third) than the lifetime of an address; that way, the node can
765 start lowering the DNS TTL if it seems like the address has not been
766 renewed/refreshed in a while. Some discussion on how an
767 administrator could manage the DNS TTL is included in [RFC4192]; this
768 could be applied to (smart) hosts as well.
770 7. Considerations about Reverse DNS Updating
772 Updating the reverse DNS zone may be difficult because of the split
773 authority over an address. However, first we have to consider the
774 applicability of reverse DNS in the first place.
776 7.1. Applicability of Reverse DNS
778 Today, some applications use reverse DNS either to look up some hints
779 about the topological information associated with an address (e.g.,
780 resolving web server access logs) or (as a weak form of a security
781 check) to get a feel whether the user's network administrator has
786 Durand, et al. Informational [Page 14]
787 \f
788 RFC 4472 Considerations with IPv6 DNS April 2006
791 "authorized" the use of the address (on the premise that adding a
792 reverse record for an address would signal some form of
793 authorization).
795 One additional, maybe slightly more useful usage is ensuring that the
796 reverse and forward DNS contents match (by looking up the pointer to
797 the name by the IP address from the reverse tree, and ensuring that a
798 record under the name in the forward tree points to the IP address)
799 and correspond to a configured name or domain. As a security check,
800 it is typically accompanied by other mechanisms, such as a user/
801 password login; the main purpose of the reverse+forward DNS check is
802 to weed out the majority of unauthorized users, and if someone
803 managed to bypass the checks, he would still need to authenticate
804 "properly".
806 It may also be desirable to store IPsec keying material corresponding
807 to an IP address in the reverse DNS, as justified and described in
808 [RFC4025].
810 It is not clear whether it makes sense to require or recommend that
811 reverse DNS records be updated. In many cases, it would just make
812 more sense to use proper mechanisms for security (or topological
813 information lookup) in the first place. At minimum, the applications
814 that use it as a generic authorization (in the sense that a record
815 exists at all) should be modified as soon as possible to avoid such
816 lookups completely.
818 The applicability is discussed at more length in [WIP-S2005c].
820 7.2. Manual or Custom DNS Updates
822 Reverse DNS can of course be updated using manual or custom methods.
823 These are not further described here, except for one special case.
825 One way to deploy reverse DNS would be to use wildcard records, for
826 example, by configuring one name for a subnet (/64) or a site (/48).
827 As a concrete example, a site (or the site's ISP) could configure the
828 reverses of the prefix 2001:db8:f00::/48 to point to one name using a
829 wildcard record like "*.0.0.f.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR
830 site.example.com.". Naturally, such a name could not be verified
831 from the forward DNS, but would at least provide some form of
832 "topological information" or "weak authorization" if that is really
833 considered to be useful. Note that this is not actually updating the
834 DNS as such, as the whole point is to avoid DNS updates completely by
835 manually configuring a generic name.
842 Durand, et al. Informational [Page 15]
843 \f
844 RFC 4472 Considerations with IPv6 DNS April 2006
847 7.3. DDNS with Stateless Address Autoconfiguration
849 Dynamic reverse DNS with SLAAC is simpler than forward DNS updates in
850 some regard, while being more difficult in another, as described
851 below.
853 The address space administrator decides whether or not the hosts are
854 trusted to update their reverse DNS records. If they are trusted and
855 deployed at the same site (e.g., not across the Internet), a simple
856 address-based authorization is typically sufficient (i.e., check that
857 the DNS update is done from the same IP address as the record being
858 updated); stronger security can also be used [RFC3007]. If they
859 aren't allowed to update the reverses, no update can occur. However,
860 such address-based update authorization operationally requires that
861 ingress filtering [RFC3704] has been set up at the border of the site
862 where the updates occur, and as close to the updater as possible.
864 Address-based authorization is simpler with reverse DNS (as there is
865 a connection between the record and the address) than with forward
866 DNS. However, when a stronger form of security is used, forward DNS
867 updates are simpler to manage because the host can be assumed to have
868 an association with the domain. Note that the user may roam to
869 different networks and does not necessarily have any association with
870 the owner of that address space. So, assuming a stronger form of
871 authorization for reverse DNS updates than an address association is
872 generally infeasible.
874 Moreover, the reverse zones must be cleaned up by an unspecified
875 janitorial process: the node does not typically know a priori that it
876 will be disconnected, and it cannot send a DNS update using the
877 correct source address to remove a record.
879 A problem with defining the clean-up process is that it is difficult
880 to ensure that a specific IP address and the corresponding record are
881 no longer being used. Considering the huge address space, and the
882 unlikelihood of collision within 64 bits of the interface
883 identifiers, a process that would remove the record after no traffic
884 has been seen from a node in a long period of time (e.g., a month or
885 year) might be one possible approach.
887 To insert or update the record, the node must discover the DNS server
888 to send the update to somehow, similar to as discussed in
889 Section 6.2. One way to automate this is looking up the DNS server
890 authoritative (e.g., through SOA record) for the IP address being
891 updated, but the security material (unless the IP address-based
892 authorization is trusted) must also be established by some other
893 means.
898 Durand, et al. Informational [Page 16]
899 \f
900 RFC 4472 Considerations with IPv6 DNS April 2006
903 One should note that Cryptographically Generated Addresses (CGAs)
904 [RFC3972] may require a slightly different kind of treatment. CGAs
905 are addresses where the interface identifier is calculated from a
906 public key, a modifier (used as a nonce), the subnet prefix, and
907 other data. Depending on the usage profile, CGAs might or might not
908 be changed periodically due to, e.g., privacy reasons. As the CGA
909 address is not predictable, a reverse record can only reasonably be
910 inserted in the DNS by the node that generates the address.
912 7.4. DDNS with DHCP
914 With DHCPv4, the reverse DNS name is typically already inserted to
915 the DNS that reflects the name (e.g., "dhcp-67.example.com"). One
916 can assume similar practice may become commonplace with DHCPv6 as
917 well; all such mappings would be pre-configured and would require no
918 updating.
920 If a more explicit control is required, similar considerations as
921 with SLAAC apply, except for the fact that typically one must update
922 a reverse DNS record instead of inserting one (if an address
923 assignment policy that reassigns disused addresses is adopted) and
924 updating a record seems like a slightly more difficult thing to
925 secure. However, it is yet uncertain how DHCPv6 is going to be used
926 for address assignment.
928 Note that when using DHCP, either the host or the DHCP server could
929 perform the DNS updates; see the implications in Section 6.2.
931 If disused addresses were to be reassigned, host-based DDNS reverse
932 updates would need policy considerations for DNS record modification,
933 as noted above. On the other hand, if disused address were not to be
934 assigned, host-based DNS reverse updates would have similar
935 considerations as SLAAC in Section 7.3. Server-based updates have
936 similar properties except that the janitorial process could be
937 integrated with DHCP address assignment.
939 7.5. DDNS with Dynamic Prefix Delegation
941 In cases where a prefix, instead of an address, is being used and
942 updated, one should consider what is the location of the server where
943 DDNS updates are made. That is, where the DNS server is located:
945 1. At the same organization as the prefix delegator.
947 2. At the site where the prefixes are delegated to. In this case,
948 the authority of the DNS reverse zone corresponding to the
949 delegated prefix is also delegated to the site.
954 Durand, et al. Informational [Page 17]
955 \f
956 RFC 4472 Considerations with IPv6 DNS April 2006
959 3. Elsewhere; this implies a relationship between the site and where
960 the DNS server is located, and such a relationship should be
961 rather straightforward to secure as well. Like in the previous
962 case, the authority of the DNS reverse zone is also delegated.
964 In the first case, managing the reverse DNS (delegation) is simpler
965 as the DNS server and the prefix delegator are in the same
966 administrative domain (as there is no need to delegate anything at
967 all); alternatively, the prefix delegator might forgo DDNS reverse
968 capability altogether, and use, e.g., wildcard records (as described
969 in Section 7.2). In the other cases, it can be slightly more
970 difficult, particularly as the site will have to configure the DNS
971 server to be authoritative for the delegated reverse zone, implying
972 automatic configuration of the DNS server -- as the prefix may be
973 dynamic.
975 Managing the DDNS reverse updates is typically simple in the second
976 case, as the updated server is located at the local site, and
977 arguably IP address-based authentication could be sufficient (or if
978 not, setting up security relationships would be simpler). As there
979 is an explicit (security) relationship between the parties in the
980 third case, setting up the security relationships to allow reverse
981 DDNS updates should be rather straightforward as well (but IP
982 address-based authentication might not be acceptable). In the first
983 case, however, setting up and managing such relationships might be a
984 lot more difficult.
986 8. Miscellaneous DNS Considerations
988 This section describes miscellaneous considerations about DNS that
989 seem related to IPv6, for which no better place has been found in
990 this document.
992 8.1. NAT-PT with DNS-ALG
994 The DNS-ALG component of NAT-PT [RFC2766] mangles A records to look
995 like AAAA records to the IPv6-only nodes. Numerous problems have
996 been identified with [WIP-AD2005]. This is a strong reason not to
997 use NAT-PT in the first place.
999 8.2. Renumbering Procedures and Applications' Use of DNS
1001 One of the most difficult problems of systematic IP address
1002 renumbering procedures [RFC4192] is that an application that looks up
1003 a DNS name disregards information such as TTL, and uses the result
1004 obtained from DNS as long as it happens to be stored in the memory of
1005 the application. For applications that run for a long time, this
1010 Durand, et al. Informational [Page 18]
1011 \f
1012 RFC 4472 Considerations with IPv6 DNS April 2006
1015 could be days, weeks, or even months. Some applications may be
1016 clever enough to organize the data structures and functions in such a
1017 manner that lookups get refreshed now and then.
1019 While the issue appears to have a clear solution, "fix the
1020 applications", practically, this is not reasonable immediate advice.
1021 The TTL information is not typically available in the APIs and
1022 libraries (so, the advice becomes "fix the applications, APIs, and
1023 libraries"), and a lot more analysis is needed on how to practically
1024 go about to achieve the ultimate goal of avoiding using the names
1025 longer than expected.
1027 9. Acknowledgements
1029 Some recommendations (Section 4.3, Section 5.1) about IPv6 service
1030 provisioning were moved here from [RFC4213] by Erik Nordmark and Bob
1031 Gilligan. Havard Eidnes and Michael Patton provided useful feedback
1032 and improvements. Scott Rose, Rob Austein, Masataka Ohta, and Mark
1033 Andrews helped in clarifying the issues regarding additional data and
1034 the use of TTL. Jefsey Morfin, Ralph Droms, Peter Koch, Jinmei
1035 Tatuya, Iljitsch van Beijnum, Edward Lewis, and Rob Austein provided
1036 useful feedback during the WG last call. Thomas Narten provided
1037 extensive feedback during the IESG evaluation.
1039 10. Security Considerations
1041 This document reviews the operational procedures for IPv6 DNS
1042 operations and does not have security considerations in itself.
1044 However, it is worth noting that in particular with Dynamic DNS
1045 updates, security models based on the source address validation are
1046 very weak and cannot be recommended -- they could only be considered
1047 in the environments where ingress filtering [RFC3704] has been
1048 deployed. On the other hand, it should be noted that setting up an
1049 authorization mechanism (e.g., a shared secret, or public-private
1050 keys) between a node and the DNS server has to be done manually, and
1051 may require quite a bit of time and expertise.
1053 To re-emphasize what was already stated, the reverse+forward DNS
1054 check provides very weak security at best, and the only
1055 (questionable) security-related use for them may be in conjunction
1056 with other mechanisms when authenticating a user.
1066 Durand, et al. Informational [Page 19]
1067 \f
1068 RFC 4472 Considerations with IPv6 DNS April 2006
1071 11. References
1073 11.1. Normative References
1075 [RFC1034] Mockapetris, P., "Domain names - concepts and
1076 facilities", STD 13, RFC 1034, November 1987.
1078 [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
1079 "Dynamic Updates in the Domain Name System (DNS
1080 UPDATE)", RFC 2136, April 1997.
1082 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
1083 Specification", RFC 2181, July 1997.
1085 [RFC2182] Elz, R., Bush, R., Bradner, S., and M. Patton,
1086 "Selection and Operation of Secondary DNS Servers",
1087 BCP 16, RFC 2182, July 1997.
1089 [RFC2462] Thomson, S. and T. Narten, "IPv6 Stateless Address
1090 Autoconfiguration", RFC 2462, December 1998.
1092 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
1093 RFC 2671, August 1999.
1095 [RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
1096 April 2001.
1098 [RFC3007] Wellington, B., "Secure Domain Name System (DNS)
1099 Dynamic Update", RFC 3007, November 2000.
1101 [RFC3041] Narten, T. and R. Draves, "Privacy Extensions for
1102 Stateless Address Autoconfiguration in IPv6", RFC 3041,
1103 January 2001.
1105 [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains
1106 via IPv4 Clouds", RFC 3056, February 2001.
1108 [RFC3152] Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152,
1109 August 2001.
1111 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
1112 and M. Carney, "Dynamic Host Configuration Protocol for
1113 IPv6 (DHCPv6)", RFC 3315, July 2003.
1115 [RFC3363] Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T.
1116 Hain, "Representing Internet Protocol version 6 (IPv6)
1117 Addresses in the Domain Name System (DNS)", RFC 3363,
1118 August 2002.
1122 Durand, et al. Informational [Page 20]
1123 \f
1124 RFC 4472 Considerations with IPv6 DNS April 2006
1127 [RFC3364] Austein, R., "Tradeoffs in Domain Name System (DNS)
1128 Support for Internet Protocol version 6 (IPv6)",
1129 RFC 3364, August 2002.
1131 [RFC3596] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi,
1132 "DNS Extensions to Support IP Version 6", RFC 3596,
1133 October 2003.
1135 [RFC3646] Droms, R., "DNS Configuration options for Dynamic Host
1136 Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
1137 December 2003.
1139 [RFC3736] Droms, R., "Stateless Dynamic Host Configuration
1140 Protocol (DHCP) Service for IPv6", RFC 3736,
1141 April 2004.
1143 [RFC3879] Huitema, C. and B. Carpenter, "Deprecating Site Local
1144 Addresses", RFC 3879, September 2004.
1146 [RFC3901] Durand, A. and J. Ihren, "DNS IPv6 Transport
1147 Operational Guidelines", BCP 91, RFC 3901,
1148 September 2004.
1150 [RFC4038] Shin, M-K., Hong, Y-G., Hagino, J., Savola, P., and E.
1151 Castro, "Application Aspects of IPv6 Transition",
1152 RFC 4038, March 2005.
1154 [RFC4074] Morishita, Y. and T. Jinmei, "Common Misbehavior
1155 Against DNS Queries for IPv6 Addresses", RFC 4074,
1156 May 2005.
1158 [RFC4192] Baker, F., Lear, E., and R. Droms, "Procedures for
1159 Renumbering an IPv6 Network without a Flag Day",
1160 RFC 4192, September 2005.
1162 [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
1163 Addresses", RFC 4193, October 2005.
1165 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
1166 Architecture", RFC 4291, February 2006.
1168 [RFC4339] Jeong, J., Ed., "IPv6 Host Configuration of DNS Server
1169 Information Approaches", RFC 4339, February 2006.
1178 Durand, et al. Informational [Page 21]
1179 \f
1180 RFC 4472 Considerations with IPv6 DNS April 2006
1183 11.2. Informative References
1185 [RFC2766] Tsirtsis, G. and P. Srisuresh, "Network Address
1186 Translation - Protocol Translation (NAT-PT)", RFC 2766,
1187 February 2000.
1189 [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR
1190 for specifying the location of services (DNS SRV)",
1191 RFC 2782, February 2000.
1193 [RFC2826] Internet Architecture Board, "IAB Technical Comment on
1194 the Unique DNS Root", RFC 2826, May 2000.
1196 [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for
1197 Multihomed Networks", BCP 84, RFC 3704, March 2004.
1199 [RFC3972] Aura, T., "Cryptographically Generated Addresses
1200 (CGA)", RFC 3972, March 2005.
1202 [RFC4025] Richardson, M., "A Method for Storing IPsec Keying
1203 Material in DNS", RFC 4025, March 2005.
1205 [RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition
1206 Mechanisms for IPv6 Hosts and Routers", RFC 4213,
1207 October 2005.
1209 [RFC4215] Wiljakka, J., "Analysis on IPv6 Transition in Third
1210 Generation Partnership Project (3GPP) Networks",
1211 RFC 4215, October 2005.
1213 [RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through
1214 Network Address Translations (NATs)", RFC 4380,
1215 February 2006.
1217 [TC-TEST] Jinmei, T., "Thread "RFC2181 section 9.1: TC bit
1218 handling and additional data" on DNSEXT mailing list,
1219 Message-
1220 Id:y7vek9j9hyo.wl%jinmei@isl.rdc.toshiba.co.jp", August
1221 1, 2005, <http://ops.ietf.org/lists/namedroppers/
1222 namedroppers.2005/msg01102.html>.
1224 [WIP-AD2005] Aoun, C. and E. Davies, "Reasons to Move NAT-PT to
1225 Experimental", Work in Progress, October 2005.
1227 [WIP-DC2005] Durand, A. and T. Chown, "To publish, or not to
1228 publish, that is the question", Work in Progress,
1229 October 2005.
1234 Durand, et al. Informational [Page 22]
1235 \f
1236 RFC 4472 Considerations with IPv6 DNS April 2006
1239 [WIP-H2005] Huston, G., "6to4 Reverse DNS Delegation
1240 Specification", Work in Progress, November 2005.
1242 [WIP-J2006] Jeong, J., "IPv6 Router Advertisement Option for DNS
1243 Configuration", Work in Progress, January 2006.
1245 [WIP-LB2005] Larson, M. and P. Barber, "Observed DNS Resolution
1246 Misbehavior", Work in Progress, February 2006.
1248 [WIP-O2004] Ohta, M., "Preconfigured DNS Server Addresses", Work in
1249 Progress, February 2004.
1251 [WIP-R2006] Roy, S., "IPv6 Neighbor Discovery On-Link Assumption
1252 Considered Harmful", Work in Progress, January 2006.
1254 [WIP-RDP2004] Roy, S., Durand, A., and J. Paugh, "Issues with Dual
1255 Stack IPv6 on by Default", Work in Progress, July 2004.
1257 [WIP-S2005a] Stapp, M., "The DHCP Client FQDN Option", Work in
1258 Progress, March 2006.
1260 [WIP-S2005b] Stapp, M., "A DNS RR for Encoding DHCP Information
1261 (DHCID RR)", Work in Progress, March 2006.
1263 [WIP-S2005c] Senie, D., "Encouraging the use of DNS IN-ADDR
1264 Mapping", Work in Progress, August 2005.
1266 [WIP-SV2005] Stapp, M. and B. Volz, "Resolution of FQDN Conflicts
1267 among DHCP Clients", Work in Progress, March 2006.
1290 Durand, et al. Informational [Page 23]
1291 \f
1292 RFC 4472 Considerations with IPv6 DNS April 2006
1295 Appendix A. Unique Local Addressing Considerations for DNS
1297 Unique local addresses [RFC4193] have replaced the now-deprecated
1298 site-local addresses [RFC3879]. From the perspective of the DNS, the
1299 locally generated unique local addresses (LUL) and site-local
1300 addresses have similar properties.
1302 The interactions with DNS come in two flavors: forward and reverse
1303 DNS.
1305 To actually use local addresses within a site, this implies the
1306 deployment of a "split-faced" or a fragmented DNS name space, for the
1307 zones internal to the site, and the outsiders' view to it. The
1308 procedures to achieve this are not elaborated here. The implication
1309 is that local addresses must not be published in the public DNS.
1311 To facilitate reverse DNS (if desired) with local addresses, the stub
1312 resolvers must look for DNS information from the local DNS servers,
1313 not, e.g., starting from the root servers, so that the local
1314 information may be provided locally. Note that the experience of
1315 private addresses in IPv4 has shown that the root servers get loaded
1316 for requests for private address lookups in any case. This
1317 requirement is discussed in [RFC4193].
1319 Appendix B. Behavior of Additional Data in IPv4/IPv6 Environments
1321 DNS responses do not always fit in a single UDP packet. We'll
1322 examine the cases that happen when this is due to too much data in
1323 the Additional section.
1325 B.1. Description of Additional Data Scenarios
1327 There are two kinds of additional data:
1329 1. "critical" additional data; this must be included in all
1330 scenarios, with all the RRsets, and
1332 2. "courtesy" additional data; this could be sent in full, with only
1333 a few RRsets, or with no RRsets, and can be fetched separately as
1334 well, but at the cost of additional queries.
1336 The responding server can algorithmically determine which type the
1337 additional data is by checking whether it's at or below a zone cut.
1339 Only those additional data records (even if sometimes carelessly
1340 termed "glue") are considered "critical" or real "glue" if and only
1341 if they meet the above-mentioned condition, as specified in Section
1342 4.2.1 of [RFC1034].
1346 Durand, et al. Informational [Page 24]
1347 \f
1348 RFC 4472 Considerations with IPv6 DNS April 2006
1351 Remember that resource record sets (RRsets) are never "broken up", so
1352 if a name has 4 A records and 5 AAAA records, you can either return
1353 all 9, all 4 A records, all 5 AAAA records, or nothing. In
1354 particular, notice that for the "critical" additional data getting
1355 all the RRsets can be critical.
1357 In particular, [RFC2181] specifies (in Section 9) that:
1359 a. if all the "critical" RRsets do not fit, the sender should set
1360 the TC bit, and the recipient should discard the whole response
1361 and retry using mechanism allowing larger responses such as TCP.
1363 b. "courtesy" additional data should not cause the setting of the TC
1364 bit, but instead all the non-fitting additional data RRsets
1365 should be removed.
1367 An example of the "courtesy" additional data is A/AAAA records in
1368 conjunction with MX records as shown in Section 4.4; an example of
1369 the "critical" additional data is shown below (where getting both the
1370 A and AAAA RRsets is critical with respect to the NS RR):
1372 child.example.com. IN NS ns.child.example.com.
1373 ns.child.example.com. IN A 192.0.2.1
1374 ns.child.example.com. IN AAAA 2001:db8::1
1376 When there is too much "courtesy" additional data, at least the non-
1377 fitting RRsets should be removed [RFC2181]; however, as the
1378 additional data is not critical, even all of it could be safely
1379 removed.
1381 When there is too much "critical" additional data, TC bit will have
1382 to be set, and the recipient should ignore the response and retry
1383 using TCP; if some data were to be left in the UDP response, the
1384 issue is which data could be retained.
1386 However, the practice may differ from the specification. Testing and
1387 code analysis of three recent implementations [TC-TEST] confirm this.
1388 None of the tested implementations have a strict separation of
1389 critical and courtesy additional data, while some forms of additional
1390 data may be treated preferably. All the implementations remove some
1391 (critical or courtesy) additional data RRsets without setting the TC
1392 bit if the response would not otherwise fit.
1394 Failing to discard the response with the TC bit or omitting critical
1395 information but not setting the TC bit lead to an unrecoverable
1396 problem. Omitting only some of the RRsets if all would not fit (but
1397 not setting the TC bit) leads to a performance problem. These are
1398 discussed in the next two subsections.
1402 Durand, et al. Informational [Page 25]
1403 \f
1404 RFC 4472 Considerations with IPv6 DNS April 2006
1407 B.2. Which Additional Data to Keep, If Any?
1409 NOTE: omitting some critical additional data instead of setting the
1410 TC bit violates a 'should' in Section 9 of RFC2181. However, as many
1411 implementations still do that [TC-TEST], operators need to understand
1412 its implications, and we describe that behavior as well.
1414 If the implementation decides to keep as much data (whether
1415 "critical" or "courtesy") as possible in the UDP responses, it might
1416 be tempting to use the transport of the DNS query as a hint in either
1417 of these cases: return the AAAA records if the query was done over
1418 IPv6, or return the A records if the query was done over IPv4.
1419 However, this breaks the model of independence of DNS transport and
1420 resource records, as noted in Section 1.2.
1422 With courtesy additional data, as long as enough RRsets will be
1423 removed so that TC will not be set, it is allowed to send as many
1424 complete RRsets as the implementations prefers. However, the
1425 implementations are also free to omit all such RRsets, even if
1426 complete. Omitting all the RRsets (when removing only some would
1427 suffice) may create a performance penalty, whereby the client may
1428 need to issue one or more additional queries to obtain necessary
1429 and/or consistent information.
1431 With critical additional data, the alternatives are either returning
1432 nothing (and absolutely requiring a retry with TCP) or returning
1433 something (working also in the case if the recipient does not discard
1434 the response and retry using TCP) in addition to setting the TC bit.
1435 If the process for selecting "something" from the critical data would
1436 otherwise be practically "flipping the coin" between A and AAAA
1437 records, it could be argued that if one looked at the transport of
1438 the query, it would have a larger possibility of being right than
1439 just 50/50. In other words, if the returned critical additional data
1440 would have to be selected somehow, using something more sophisticated
1441 than a random process would seem justifiable.
1443 That is, leaving in some intelligently selected critical additional
1444 data is a trade-off between creating an optimization for those
1445 resolvers that ignore the "should discard" recommendation and causing
1446 a protocol problem by propagating inconsistent information about
1447 "critical" records in the caches.
1449 Similarly, leaving in the complete courtesy additional data RRsets
1450 instead of removing all the RRsets is a performance trade-off as
1451 described in the next section.
1458 Durand, et al. Informational [Page 26]
1459 \f
1460 RFC 4472 Considerations with IPv6 DNS April 2006
1463 B.3. Discussion of the Potential Problems
1465 As noted above, the temptation for omitting only some of the
1466 additional data could be problematic. This is discussed more below.
1468 For courtesy additional data, this causes a potential performance
1469 problem as this requires that the clients issue re-queries for the
1470 potentially omitted RRsets. For critical additional data, this
1471 causes a potential unrecoverable problem if the response is not
1472 discarded and the query not re-tried with TCP, as the nameservers
1473 might be reachable only through the omitted RRsets.
1475 If an implementation would look at the transport used for the query,
1476 it is worth remembering that often the host using the records is
1477 different from the node requesting them from the authoritative DNS
1478 server (or even a caching resolver). So, whichever version the
1479 requestor (e.g., a recursive server in the middle) uses makes no
1480 difference to the ultimate user of the records, whose transport
1481 capabilities might differ from those of the requestor. This might
1482 result in, e.g., inappropriately returning A records to an IPv6-only
1483 node, going through a translation, or opening up another IP-level
1484 session (e.g., a Packet Data Protocol (PDP) context [RFC4215]).
1485 Therefore, at least in many scenarios, it would be very useful if the
1486 information returned would be consistent and complete -- or if that
1487 is not feasible, leave it to the client to query again.
1489 The problem of too much additional data seems to be an operational
1490 one: the zone administrator entering too many records that will be
1491 returned truncated (or missing some RRsets, depending on
1492 implementations) to the users. A protocol fix for this is using
1493 Extension Mechanisms for DNS (EDNS0) [RFC2671] to signal the capacity
1494 for larger UDP packet sizes, pushing up the relevant threshold.
1495 Further, DNS server implementations should omit courtesy additional
1496 data completely rather than including only some RRsets [RFC2181]. An
1497 operational fix for this is having the DNS server implementations
1498 return a warning when the administrators create zones that would
1499 result in too much additional data being returned. Further, DNS
1500 server implementations should warn of or disallow such zone
1501 configurations that are recursive or otherwise difficult to manage by
1502 the protocol.
1514 Durand, et al. Informational [Page 27]
1515 \f
1516 RFC 4472 Considerations with IPv6 DNS April 2006
1519 Authors' Addresses
1521 Alain Durand
1522 Comcast
1523 1500 Market St.
1524 Philadelphia, PA 19102
1525 USA
1527 EMail: Alain_Durand@cable.comcast.com
1530 Johan Ihren
1531 Autonomica
1532 Bellmansgatan 30
1533 SE-118 47 Stockholm
1534 Sweden
1536 EMail: johani@autonomica.se
1539 Pekka Savola
1540 CSC/FUNET
1541 Espoo
1542 Finland
1544 EMail: psavola@funet.fi
1570 Durand, et al. Informational [Page 28]
1571 \f
1572 RFC 4472 Considerations with IPv6 DNS April 2006
1575 Full Copyright Statement
1577 Copyright (C) The Internet Society (2006).
1579 This document is subject to the rights, licenses and restrictions
1580 contained in BCP 78, and except as set forth therein, the authors
1581 retain all their rights.
1583 This document and the information contained herein are provided on an
1584 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1585 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1586 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1587 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1588 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1589 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1591 Intellectual Property
1593 The IETF takes no position regarding the validity or scope of any
1594 Intellectual Property Rights or other rights that might be claimed to
1595 pertain to the implementation or use of the technology described in
1596 this document or the extent to which any license under such rights
1597 might or might not be available; nor does it represent that it has
1598 made any independent effort to identify any such rights. Information
1599 on the procedures with respect to rights in RFC documents can be
1600 found in BCP 78 and BCP 79.
1602 Copies of IPR disclosures made to the IETF Secretariat and any
1603 assurances of licenses to be made available, or the result of an
1604 attempt made to obtain a general license or permission for the use of
1605 such proprietary rights by implementers or users of this
1606 specification can be obtained from the IETF on-line IPR repository at
1607 http://www.ietf.org/ipr.
1609 The IETF invites any interested party to bring to its attention any
1610 copyrights, patents or patent applications, or other proprietary
1611 rights that may cover technology that may be required to implement
1612 this standard. Please address the information to the IETF at
1613 ietf-ipr@ietf.org.
1615 Acknowledgement
1617 Funding for the RFC Editor function is provided by the IETF
1618 Administrative Support Activity (IASA).
1626 Durand, et al. Informational [Page 29]
1627 \f