[dns-operations] Signaling client protocol to authority

Mark Andrews marka at isc.org
Mon Jan 17 02:56:34 UTC 2011


In message <5F38D25F-2A06-44E5-AA29-0F82EE29C7CC at ianai.net>, "Patrick W. Gilmore" 
writes:
> On Jan 16, 2011, at 2:38 PM, Paul Vixie wrote:
> 
> >> From: "Patrick W. Gilmore" <patrick at ianai.net>
> >> Date: Sun, 16 Jan 2011 13:46:26 -0500
> >> 
> >> The problem is end users who have no v6 connectivity ask for quad-A,
> >> and they do it over v4.
> > 
> > then they should stop doing that.
> 
> Lest you think otherwise, I wholeheartedly agree.
> 
> They should also properly randomize their ephemeral ports.  They should
> also practice BCP38, stop spamming, and lots of other things.
> Unfortunately, none of that is likely to happen today, so I work against
> spammers (I hear you've done some work on that yourself, Paul), protect
> against spoof'ed source DoS attacks, etc.
> 
> By the same token, not everyone does v6 properly today.  Or likely for
> quite a while in the future either.
> 
> 
> >> As I explained earlier, if they ask for a quad-A over v6, it is far
> >> more likely they can actually reach the web server over v6.
> > 
> > getting from where we are to an all-ipv6 world is going to be hard for
> > a lot of people but it's where we are going and i'd like very much to
> > stop messing around with half measures on getting there.
> > 
> > and the converse case does not obtain, anyway.  those who ask for AAAA
> > over ipv4 do not nec'ily lack ipv6 connectivity they probably just got
> > a bunch of ipv4-only recursives assigned to them in dhcp.  those who
> > ask for A first and then AAAA likewise aren't predictably lacking in
> > ipv6 connectivity.  we should not be making assumptions about the 
> > connectivity of a stub based on what questions they ask or using what
> > protocol.
> 
> See previous post about failure modes.
> 
> > everybody just please add AAAA RR's to their web properties, and client
> > side vendors please just stop asking for AAAA RR's you cannot reach.
> 
> If I had a magic wand, I would wave it.
> 
> However, back in reality land, there is no magic wand.  If we can come up
> with a way to ease the transition to 100% v6, which is certain to take
> many years, I think that would be a Good Thing.

Actually it is a Bad Thing because it attempts to hide mis-configurations.

> Perhaps you disagree, perhaps you think we should cause as much pain as
> possible until everyone is on v6.  Which is a perfectly valid PoV, just
> not the one I hold.  Either way, nothing above is an actual argument
> against the idea.

Returning AAAA records to applications with no IPv6 connectivity
does no harm.

Returning AAAA records to applications with working IPv6 connectivity
does no harm.

Returning AAAA records to applications with broken IPv6 connectivity
slows things and highlights a problem (good thing).

Failing to return AAAA records to applications which do PTR to AAAA
mapping checks with working IPv6 connectivity DOES HARM.  Yes, there
are lots of applications that do this for IPv6 whether you believe
one should or not.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
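
Added example, not part of the original message or of any ISC code: a small offline model of the PTR to AAAA mapping check (forward-confirmed reverse DNS) mentioned in the last paragraph, showing how it fails when AAAA answers are withheld from queries that arrive over IPv4. The zone data, the `resolve` function and the `withhold_aaaa_on_v4` switch are hypothetical and constructed for illustration.

```python
import ipaddress


def build_zone():
    """Constructed records (documentation prefixes), not from the thread."""
    host = "mail.example.net."
    addrs = {"AAAA": "2001:db8::25", "A": "192.0.2.25"}
    zone = {(host, rtype): [addr] for rtype, addr in addrs.items()}
    for addr in addrs.values():
        # Matching PTR under ip6.arpa / in-addr.arpa for each address.
        rname = ipaddress.ip_address(addr).reverse_pointer + "."
        zone[(rname, "PTR")] = [host]
    return zone


ZONE = build_zone()


def resolve(name, rtype, transport, withhold_aaaa_on_v4):
    """Hypothetical resolution path modelling the policy under debate:
    AAAA is answered with NODATA when the query arrived over IPv4."""
    if withhold_aaaa_on_v4 and rtype == "AAAA" and transport == "v4":
        return []
    return ZONE.get((name, rtype), [])


def fcrdns_ok(peer, transport, withhold_aaaa_on_v4):
    """PTR -> name -> AAAA/A check a server runs on a connecting peer.
    `transport` is the IP version the server's DNS queries travel over,
    which is independent of the IP version of the peer's connection."""
    ip = ipaddress.ip_address(peer)
    rtype = "AAAA" if ip.version == 6 else "A"
    rname = ip.reverse_pointer + "."
    for name in resolve(rname, "PTR", transport, withhold_aaaa_on_v4):
        for addr in resolve(name, rtype, transport, withhold_aaaa_on_v4):
            if ipaddress.ip_address(addr) == ip:
                return True
    return False


if __name__ == "__main__":
    peer = "2001:db8::25"  # peer connected over working IPv6
    for withhold in (False, True):
        for transport in ("v4", "v6"):
            ok = fcrdns_ok(peer, transport, withhold)
            print(f"withhold={withhold} dns-transport={transport} pass={ok}")
```

The failing case is the server whose own IPv6 works but whose DNS queries go out over IPv4: the peer's PTR resolves, the forward AAAA lookup comes back empty, and a legitimate IPv6 peer is rejected.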


