

To: "Randy Bush" <randy@psg.com>, "Bill Manning" <bmanning@isi.edu>
Cc: <perry@wasabisystems.com>, <seamus@bit-net.com>, <users@ipv6.org>, <dnsop@cafax.se>, <ngtrans@sunroof.eng.sun.com>
From: "Christian Huitema" <huitema@exchange.microsoft.com>
Date: Thu, 18 Jan 2001 09:32:27 -0800
Sender: owner-dnsop@cafax.se
Thread-Topic: (ngtrans) Re: IPv6 dns
Subject: RE: (ngtrans) Re: IPv6 dns

OK, let's try a middle ground here. There is a requirement to field IPv6
only machines in the net. To work well, these machines should be able to
resolve names by sending DNS requests over IPv6. This means that, in
order to resolve a name, these machines should be able to process NS
records, find the list of the name servers associated to the domain, and
find at least one server in the list that has at least one IPv6 address.
Normally, post processing rules should ensure that this is done in a
single pass, the A6 or AAAA records being carried as additional
information.

During a trial, this can be done by operating on a trial subtree for
names. Something like <example>.ipv6dns.org. During the transition,
however, we want to progressively publish A6 records for the name
servers of regular domains. Obviously, any domain manager can do this on
their own initiative: for example, Microsoft could add an NS record
pointing to a v6 capable server under "microsoft.com". However, this
impacts the general infrastructure, since the servers for microsoft.com
and their address must be provided by the ".com" server.  Randy has a
first point there: we have to understand the potential impact of serving
A6 records to vanilla .com users; we may have to set up a conservative
rule, such as only serving these records if the query for the .com user
was received over IPv6. Or maybe we need not be that conservative; but
we should try. And, maybe, just maybe, we should not try first with
".com." 

The same indeed applies for the root itself. If we say that ".com" will
only provide A6 records in the additional section if the query was
received over IPv6, then we must find a way to publish the IPv6 address
of the suitable .com server, and that must be done by the root. Indeed,
that must be done by the root for every TLD who wants to enable IPv6.
And there are good reasons to be very conservative with the handling of
the root service.

Randy also asked, what happens if an IPv6 only DNS resolver tries to get
information about an IPv4 domain. The obvious answer is to use a dual
mode server as proxy. However, this requires some configuration, which
Ngtrans should automatize. Now, that would be a work item for this
group...

-- Christian Huitema




> -----Original Message-----
> From: Randy Bush [mailto:randy@psg.com]
> Sent: Thursday, January 18, 2001 4:48 AM
> To: Bill Manning
> Cc: perry@wasabisystems.com; seamus@bit-net.com; users@ipv6.org;
> dnsop@cafax.se; ngtrans@sunroof.eng.sun.com
> Subject: (ngtrans) Re: IPv6 dns
> 
> 
> > % an example of a worry is cache poisoning of an antique v4 bind.
> > % ----
> > % and there are thousands of vulnerable v4 binds still out there.
> > 
> > 	One might argue that we have only applied the carrot.
> > 	We still have broken/vulnerable code, some pushing
> > 	15 years w/o an upgrade. Perhaps it's time to apply
> > 	a stick and let folks know that things will stop working
> > 	or won't be the same unless they upgrade. 
> 
> there are people who don't think it's prudent engineering to break the net
> to get people to do something.  silly things about technical and social
> responsibility now that the net has grown a bit bigger than boys and their
> toys.
> 
> of course there are folk with the opposite opinion.
> 
> randy
> 
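
Added example, not part of the original message or of any DNS server's code: a simplified Python model of the two mechanisms the message above describes, the conservative rule of placing A6/AAAA glue in the additional section only when the query arrived over IPv6, and the IPv6-only resolver's check that at least one listed name server has an IPv6 address. The record tuples, function names, and the example.com / 192.0.2.x / 2001:db8:: values are constructed assumptions, and an A6 record is modelled as a full address.

```python
# Added example: constructed data and a simplified record model, not DNS wire format.
from ipaddress import ip_address

V6_TYPES = {"AAAA", "A6"}  # assumption: A6 carries a full address (prefix length 0)

# Constructed referral for a delegated zone: NS set plus glue held by the parent.
NS_SET = ["ns1.example.com.", "ns2.example.com."]
GLUE = [
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("ns2.example.com.", "A", "192.0.2.2"),
    ("ns2.example.com.", "AAAA", "2001:db8::2"),
]

def build_additional(glue, query_transport):
    """Parent-side conservative rule: IPv6 glue is added to the additional
    section only when the query itself was received over IPv6."""
    if query_transport not in (4, 6):
        raise ValueError("query_transport must be 4 or 6")
    return [rr for rr in glue
            if rr[1] not in V6_TYPES or query_transport == 6]

def v6_reachable_servers(ns_set, additional):
    """Resolver-side check for an IPv6-only host: which listed name servers
    have at least one IPv6 address in the additional section?"""
    listed = {name.lower() for name in ns_set}
    found = {}
    for owner, rtype, addr in additional:
        if rtype not in V6_TYPES or owner.lower() not in listed:
            continue  # skip IPv4 glue and records for names outside the NS set
        if ip_address(addr).version == 6:
            found.setdefault(owner.lower(), []).append(addr)
    return found

def single_pass_ok(ns_set, additional):
    """True when the referral can be followed without a further lookup."""
    return bool(v6_reachable_servers(ns_set, additional))

if __name__ == "__main__":
    for transport in (4, 6):
        additional = build_additional(GLUE, transport)
        print(f"query over IPv{transport}: additional={additional} "
              f"single_pass_ok={single_pass_ok(NS_SET, additional)}")
```

With the constructed data, the same referral is followable in a single pass by an IPv6-only resolver only when the parent received the query over IPv6, which is why the message notes that the parent's own IPv6 address must in turn be published one level up.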
