To: randy@psg.com
Cc: perry@wasabisystems.com, seamus@bit-net.com, users@ipv6.org, dnsop@cafax.se, ngtrans@sunroof.eng.sun.com
From: Havard Eidnes <he@runit.no>
Date: Fri, 19 Jan 2001 21:47:07 +0100
In-Reply-To: Your message of "Wed, 17 Jan 2001 22:39:15 -0800" <E14J8j5-000JOh-00@rip.psg.com>
Sender: owner-dnsop@cafax.se
Subject: Re: IPv6 dns
Hi,

please let me stick my hand into this hornet's nest...

On the one hand we have a few people who are afraid that we might cause lossage in oldish software if said software is exposed to new and unknown record types such as AAAA or A6 in additional sections. While no concrete evidence has been presented that specific problems will in fact ensue and NOCs will start getting calls left and right from irate users whose name servers are experiencing untold problems, the spectre of this happening has been sufficiently successfully painted on the wall to cause some people to be (perhaps overly) cautious, and request documentation of what exactly is planned/requested and "evidence" to be reasonably assured that the above scenario will indeed not happen were the plans to be followed. This group is essentially putting the "burden of proof" on the IPv6 proponents.

On the other hand we have some people in the IPv6 crowd who want to deploy IPv6-only hosts, and who wish to use IPv6 as much as possible, including for DNS name resolution. A (perhaps snide) remark could be that it's not obvious (to me at least) whether interaction with the IPv4-only parts of the Internet is part of the requirement set for these hosts.

So, how's that for shooting at both parties? ;-)

On the "concrete information" front, the current discussion has not brought forth too many fruits, except for:

o Mark Andrews saying that based on quick source code perusal, AAAA or A6 records will not be cached by BIND version 4, but that there may be some caveats related to missing TCP query retries.

o Itojun informing us that deployment of AAAA has already happened at various places in the DNS tree, and that some registries already handle registration of IPv6-related glue, and that no problems have been observed so far.

An argument against Itojun's experiences could be that the set of name servers actually exposed to their IPv6 records is probably quite small.
However, how do we get an existence proof that this will indeed not cause problems when deployed in a more "visible" area without actually doing such a deployment? (Nice chicken/egg situation.) I think that at some point you need to make the move.

I agree that it would be highly unwise to do an unannounced and undocumented experiment with the root name service, so I agree that whatever is to be done in this area should be properly planned, documented and tested in (relatively) controlled environments (and test experiences documented) before we go ahead with a wider deployment. I think this is all Randy's asking for.

Though it is relatively independent of the current discussion, it should perhaps be mentioned that many of the old name server versions out there have known security problems (such as being vulnerable to IPv4 cache pollution and susceptible to buffer overrun-related security vulnerabilities), so even if they would not get into any sort of trouble due to more widespread deployment of IPv6 RRs in the DNS, it would be a good idea to push for an upgrade of them anyway. I mean, it's not as if these problems have not been known and documented for quite a while...

Best regards,

- Håvard
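The worry in the thread is whether a resolver that does not know AAAA (type 28) or A6 (type 38) survives seeing them in an additional section. The following is an added example, not code from the message above or from any BIND release: it builds a constructed NS response carrying IPv4 and IPv6 glue, parses it on the wire, and models the two resolver policies discussed (an IPv4-only resolver that keeps only A glue, and one that also understands AAAA). The message bytes, names and addresses are made up for the example; the type codes and the A6 RDATA layout (prefix length byte followed by the address) are the published values. The point it demonstrates is that a parser which skips unknown RDATA by its RDLENGTH stays in sync no matter which types it chooses to cache.

```python
"""Parse a DNS response and show how additional-section RRs of unknown type
can be skipped safely.  Added example with a hand-built message; not part of
the original thread."""
import ipaddress
import struct

# IANA RR type codes and class IN
TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_A6 = 1, 2, 28, 38
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_sample_response():
    """Constructed reply to 'example. IN NS?' with A, AAAA and A6 glue for ns1."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 3)   # id, flags, qd, an, ns, ar
    msg += encode_name("example.") + struct.pack("!HH", TYPE_NS, CLASS_IN)
    msg += encode_name("example.") + struct.pack("!HHI", TYPE_NS, CLASS_IN, 3600)
    ns_rdata = encode_name("ns1.example.")
    ns_name_off = len(msg) + 2                 # "ns1.example." starts after the RDLENGTH field
    msg += struct.pack("!H", len(ns_rdata)) + ns_rdata
    ptr = struct.pack("!H", 0xC000 | ns_name_off)   # compression pointer to that name
    v6_1 = bytes.fromhex("20010db8000000000000000000000001")
    v6_2 = bytes.fromhex("20010db8000000000000000000000002")
    glue = (
        (TYPE_A, bytes([192, 0, 2, 1])),
        (TYPE_AAAA, v6_1),
        (TYPE_A6, b"\x00" + v6_2),            # RFC 2874: prefix length 0, full address, no prefix name
    )
    for rtype, rdata in glue:
        msg += ptr + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    return msg


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_rr(msg, off):
    """Parse one RR; RDATA is kept opaque so unknown types cannot derail parsing."""
    name, off = decode_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated RDATA")
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, off + rdlen


def parse_response(msg):
    """Return {'answer': [...], 'authority': [...], 'additional': [...]}."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                # QTYPE + QCLASS
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            rrs.append(rr)
        sections[key] = rrs
    if off != len(msg):
        raise ValueError("trailing bytes after last section")
    return sections


def render_rdata(rr):
    if rr["type"] == TYPE_A:
        return ".".join(str(b) for b in rr["rdata"])
    if rr["type"] == TYPE_AAAA:
        return ipaddress.IPv6Address(rr["rdata"]).compressed
    return rr["rdata"].hex()


def cache_additional(rrs, known_types):
    """Model a resolver's additional-section policy: decode and keep the types it
    understands, skip the rest by RDLENGTH.  Returns (kept, skipped)."""
    kept, skipped = [], []
    for rr in rrs:
        entry = (rr["name"], rr["type"], render_rdata(rr))
        (kept if rr["type"] in known_types else skipped).append(entry)
    return kept, skipped


if __name__ == "__main__":
    sections = parse_response(build_sample_response())
    for label, known in (("IPv4-only resolver", {TYPE_A}), ("AAAA-aware resolver", {TYPE_A, TYPE_AAAA})):
        kept, skipped = cache_additional(sections["additional"], known)
        print(label, "keeps", kept, "skips types", [t for _, t, _ in skipped])
```

Running it shows the IPv4-only policy keeping only the A glue and skipping types 28 and 38 without losing its place in the message, which is the behaviour one would want to verify on an old server in the controlled test the message calls for.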