[dns-operations] glitch on [ip6|in-addr].arpa?

Paul Vixie paul at redbarn.org
Fri Oct 11 18:21:56 UTC 2019

Viktor Dukhovni wrote on 2019-10-10 17:51:
> ...
> It has perhaps not been as well known as it deserves to be.  Perhaps
> additional publicity here (and any other relevant fora), might nudge
> the parties closer to a resolution.  The non-reachability of the
> IPv6 C root from a significant portion of IPv6 space is not a healthy
> situation.

i think there are 13 names each having an A and an AAAA. so, 26 
candidate addresses. most resolvers will try them all and home in on the 
one with the lowest RTT. if one of the 13 it tries via IPv6 doesn't 
answer, it won't affect operations. in fact, one or more are unreachable 
from random places almost always, and the system is designed with that 
in mind. (for example, the use of UDP means unreliability is in-scope.)

> The error is immediately apparent via DNSViz:
>      https://dnsviz.net/d/root/dnssec/

in the earlier days of DNS-OARC (where dnsviz migrated to recently), 
there was a server at cogent, which was not reachable over IPv6 from 
users are hurricane. i don't remember anybody blaming hurricane for 
this, which is why it seems odd to blame cogent today when DNS-OARC is 
hosted at hurricane. hurricane has transit for their IPv4 network but 
not for their IPv6 network. cogent's peering policy isn't fully "open." 
it's hard for me to see that either of them is "in the wrong."

P Vixie

More information about the dns-operations mailing list