

To: Randy Bush <randy@psg.com>
Cc: Jim Bound <seamus@bit-net.com>, users@ipv6.org, dns op wg <dnsop@cafax.se>, ngtrans@sunroof.eng.sun.com
From: "Perry E. Metzger" <perry@wasabisystems.com>
Date: 18 Jan 2001 01:24:42 -0500
In-Reply-To: Randy Bush's message of "Wed, 17 Jan 2001 22:10:29 -0800"
Sender: owner-dnsop@cafax.se
Subject: Re: IPv6 dns


Randy Bush <randy@psg.com> writes:
> i think this discussion was played in the dnsop meeting in san diego.
> 
> > The situation is fairly simple. A lot of us would like to be able to
> > deploy v6 only hardware, without depending on v4 translator boxes in
> > various places.
> 
> so how will you get dns resolution for, e.g., psg.com?

Over v6 only transport, you couldn't -- yet. Eventually, I'd do a v6
transport query to . for .com, do a v6 query to the ns'es for .com for
psg.com, etc.

The point is, though, we're going to need the roots to have v6
addresses and accept requests over v6 transport sooner or later.

> > Now you may argue (reasonably) that you also need lots of other hosts
> > further along in the DNS server hierarchy running v6 as well, and
> > you're right -- but that doesn't lessen the argument for why some of
> > us want roots running v6 transport deployed.
> 
> i believe the point was, given that it is believed to be unsafe to deploy a
> rogue root server that is actually used, or at least it needs further study,
> that maybe you can conduct testing that v6 dns servers work a bit lower in
> the dns hierarchy just as usefully.

Why do a rogue server? Why not just have the existing root operators
deploy v6 transport capable root servers that are official?

If you feel that it is too risky to do that on the existing hardware
because of concerns about less well tested software revisions, for the
moment you can use new hardware in parallel -- no one will notice, and
the load is likely to be minuscule at the moment so it is okay if the
v6 machines aren't quite so performant. Note that I'm not suggesting
"rogue" root servers in parallel -- I'm suggesting that the folks
running the existing servers operate these, and only until they feel
more comfortable with the stability of things like Bind v9 and the
revs of the OSes that do v6 and such.

> during that time, you have a nice window to explain what you really want to
> test at the root,

I don't want to test. I want to use. I've already got v6 deployed on
my own networks. Half the time when I move a file around or remote log
in I have no clue if it is going over v6 or v4.

This isn't an experimental protocol any more. A year ago it was
different -- a year ago I couldn't actually "eat my own dogfood" --
but now that's totally changed. v6 is now thoroughly usable. The time
for tests is over. It is time to deploy. The problem is that we've got
things that are still missing. v6 transport reachable root servers are
one of them.

On the DNS side, there isn't much of an experiment to be done here --
we know you can encapsulate DNS messages in v6 datagrams.

> and folk can look at constructing a prudent and documented experiment.

I would ask you to state a reason (other than possible expense) why
having a couple of "clone servers" run and administered by the same
folks running the current roots but on the 6bone and accepting
requests over v6 transport could cause an operational problem. What is
it, exactly, that we're fearing here?

The only thing I can think of is (possible) visibility in caches of A6
records for the roots by resolvers that would crash if they saw them.
If that's really going to destroy the internet and we're never going
to face it, we might as well just give up on deploying v6 right now,
because we'll have to deal with those things sooner or later.

--
Perry E. Metzger		perry@wasabisystems.com
--
Quality NetBSD CDs, Support & Service. http://www.wasabisystems.com/
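The resolution walk Perry describes (query the root over v6 transport for .com, then the .com servers for psg.com) and the cache concern he raises (an unfamiliar record type such as A6 showing up in a response) are shown below as an added example. This is not code from the thread or from any of its participants. It assumes a constructed three-level hierarchy: hypothetical server names under .example, hypothetical addresses in the 2001:db8::/32 documentation prefix, and an in-memory table of address -> handler that stands in for an AF_INET6 UDP socket so it runs offline. The A6 record (type 38) in the root referral is there so the parser has to carry an unknown type through without failing.

```python
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_A6 = 1, 2, 28, 38


def encode_name(name):
    """Dotted name -> DNS label wire format (uncompressed)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, qname, qtype):
    # header: id, flags (RD), qdcount=1, an/ns/arcount=0; then one question, class IN
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def rr(name, rtype, rdata, ttl=3600):
    """One class-IN resource record in wire format."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(query, answers=(), authority=(), additional=()):
    """Echo the query id and question, then append the three sections."""
    hdr = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180,
                      1, len(answers), len(authority), len(additional))
    return hdr + query[12:] + b"".join(answers) + b"".join(authority) + b"".join(additional)


def parse_name(msg, off):
    """Decode a possibly compressed name at off -> (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                  # compression pointer into msg
            end = (off + 2) if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(msg):
    """-> (qid, answer, authority, additional); each record is (name, type, value).
    NS rdata is decoded to a name; anything else, A6 (type 38) included, is kept
    as raw bytes, so an unfamiliar type is carried through rather than fatal."""
    qid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4                                  # qtype + qclass
    sections = []
    for count in (an, ns, ar):
        recs = []
        for _ in range(count):
            name, off = parse_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            value = parse_name(msg, off)[0] if rtype == TYPE_NS else msg[off:off + rdlen]
            recs.append((name, rtype, value))
            off += rdlen
        sections.append(recs)
    return (qid, *sections)


def v6(addr):
    return ipaddress.IPv6Address(addr).packed


# Constructed toy hierarchy: hypothetical names under .example and hypothetical
# addresses in 2001:db8::/32. Each "server" is a function over the query bytes.
ROOT_V6 = "2001:db8::1"

def root_server(query):                           # refers .com, with AAAA and A6 glue
    return build_response(query,
        authority=[rr("com.", TYPE_NS, encode_name("ns.tld.example."))],
        additional=[rr("ns.tld.example.", TYPE_AAAA, v6("2001:db8:c::1")),
                    rr("ns.tld.example.", TYPE_A6, b"\x00" + v6("2001:db8:c::1"))])

def com_server(query):                            # refers psg.com, with AAAA glue
    return build_response(query,
        authority=[rr("psg.com.", TYPE_NS, encode_name("ns.psg.example."))],
        additional=[rr("ns.psg.example.", TYPE_AAAA, v6("2001:db8:5::1"))])

def com_server_v4_glue_only(query):               # same referral, A glue only
    return build_response(query,
        authority=[rr("psg.com.", TYPE_NS, encode_name("ns.psg.example."))],
        additional=[rr("ns.psg.example.", TYPE_A, bytes([192, 0, 2, 1]))])

def psg_server(query):                            # authoritative answer
    return build_response(query, answers=[rr("psg.com.", TYPE_AAAA, v6("2001:db8:5::80"))])

V6_NETWORK = {"2001:db8::1": root_server, "2001:db8:c::1": com_server,
              "2001:db8:5::1": psg_server}
MIXED_NETWORK = {**V6_NETWORK, "2001:db8:c::1": com_server_v4_glue_only}


def resolve_aaaa(qname, network, root=ROOT_V6, max_hops=8):
    """Iterate from the root, following only NS records that come with AAAA glue.
    network[addr](msg) stands in for sendto(msg, (addr, 53)) on an AF_INET6 socket."""
    addr, qid = root, 0x1234
    for _ in range(max_hops):
        qid = (qid + 1) & 0xFFFF
        rid, answer, authority, additional = parse_response(
            network[addr](build_query(qid, qname, TYPE_AAAA)))
        if rid != qid:                            # reject mismatched (spoofed/stale) replies
            raise RuntimeError("response id mismatch")
        for name, rtype, value in answer:
            if name == qname and rtype == TYPE_AAAA:
                return str(ipaddress.IPv6Address(value))
        ns_names = {value for _, rtype, value in authority if rtype == TYPE_NS}
        glue = [value for name, rtype, value in additional
                if rtype == TYPE_AAAA and name in ns_names]
        if not glue:
            raise RuntimeError("referral for %s carries no AAAA glue; stuck on v6-only transport" % qname)
        addr = str(ipaddress.IPv6Address(glue[0]))
    raise RuntimeError("too many referrals")


def resolve_or_error(qname, network):
    try:
        return resolve_aaaa(qname, network)
    except RuntimeError as exc:
        return "error: " + str(exc)
```

Against V6_NETWORK the walk reaches 2001:db8:5::80 in three hops, root to .com to psg.com, entirely over v6 transport, and the A6 record in the root referral is carried through the additional section as raw rdata without disturbing the glue lookup. Against MIXED_NETWORK, where the .com referral ships only A glue, the walk stops at the second hop: that is the "over v6 only transport, you couldn't -- yet" case, and it is why every level of the hierarchy, not just the roots, has to publish AAAA glue before a v6-only resolver can get anywhere.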
