To:
johani@autonomica.se
cc:
dnsop@cafax.se
From:
Pekka Savola <pekkas@netcore.fi>
Date:
Fri, 8 Feb 2002 12:44:37 +0200 (EET)
In-Reply-To:
<200201241514.KAA23122@ietf.org>
Sender:
owner-dnsop@cafax.se
Subject:
Re: I-D ACTION:draft-ietf-dnsop-v6-name-space-fragmentation-00.txt
I'm not on the list, so please keep Cc:.
On Thu, 24 Jan 2002 Internet-Drafts@ietf.org wrote:
> Title : IPv4-to-IPv6 migration and DNS name space
> fragmentation
> Author(s) : J. Ihren
> Filename : draft-ietf-dnsop-v6-name-space-fragmentation-00.txt
> Pages :
> Date : 23-Jan-02
>
> This memo documents some problems forseen in transitioning from a
> IPv4-only DNS hierarchy via a long period of mixture to an
> IPv6-mostly situation sometime in the future. The mixture period is
> expected to be very long, and hence design choices should very much
> take this into account, rather than just regard the transition as a
> relatively short period of pain.
A few comments.
2. Introduction to the problem of name space fragmentation
With all DNS data only available over IPv4 transport everything is
simple. IPv4 resolvers can use the intended mechanism of following
referrals from the root and down while IPv6 resolvers have to work
through a "translator", i.e. they have to use a second name server
on a so-called "dual stack" host as a "forwarder" since they cannot
access the DNS data directly. This is not a scalable solution.
==> The last sentence is completely false; the truth is exactly the
opposite. This makes an assumption that there would be only a few
"forwarding" servers: IMO, _every ISP_ providing IPv6-only service should
provide this capability. This is very scalable.
4. Policy based avoidance of name space fragmentation.
Today there are only a few DNS "zones" on the public Internet that
are only available over v6 transport, and they can mostly be
regarded as "experimental". However, as soon as there is a root
name server available over v6 transport it is reasonable to expect
that it will become more common with v6-only zones over time.
==> wrong assumption: I don't believe making root v6-enabled makes
v6-_only_ zones any more common. People can shoot themselves in the foot
now, and could then too, of course.
4.2. Zone validation for non-recursive servers.
Non-recursive authoritative servers are name servers that run
without ever asking questions. A change in the zone validation
requirements that force them to query for the addresses of name
servers that are part of delegations in the zone change this, since
they now have to query for these addresses.
However, the main reason that it is important to be able to run
without asking questions is to avoid "caching" possibly bogus
answers. This need can be managed by requiring that a non recursive
name server throw away the looked up address information after
having used it for validation of the delegations in the zone.
==> validation needs only be done when zone is loaded: this does not mean
the records queried (for this specific purpose) will have to be cached --
so I don't see problems here.
4.3. Future requirement of IPv6 address for at least one name server.
The immediate need for clarified policies for delegation is to
ensure that IPv4 name space does not start to fragment. Over time,
however, it is reasonable to expect that it may become important to
add a similar requirement to IPv6 name space.
I.e. an even more refined policy possible at some point in the
future would be:
"Every delegation point should have at least one name server
for the child zone reachable over IPv4 transport (i.e. should
have an A record) and at least one name server reachable over
IPv6 transport (i.e. should have an AAAA record)".
==> in (far) future, I'll expect there will have to be similar kind of
forwarders as now with IPv6; no big deal.
==> I support AAAA records myself but is it sensible to make a "political
statement" here ? :-)
5. Overview of suggested transition method.
By following the steps outlined below it will be possible to
transition without outages or lack of service.
==> this seems to destroy the credibility of this "comparison".
6. How to deploy DNS hierarchy in v6 space.
[...]
c) a way of verififying the correctness of the resulting configuration
==> this was not covered in this draft any further(others were) -- as this
intentional?
6.2. How to deploy DNS data.
[...]
a) identify all name servers that will serve the DNS domain, with
their IPv4 and/or IPv6 addresses
b) arrange for a suitable method of zone synchronization
==> does one need to "dramatize" master/slave zone transfers?
It is recommended that the name servers run on single stack
machines, i.e. machines that are only able to utilize either IPv4
transport or IPv6 transport, but not both.
==> more elaboration why this is good would be nice.
--
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords