On topic, one of the biggest problems with dual-stack co-existence is a "you can't get there from here" problem that causes intermittent (and sometimes permanent) DNS failures.
A fairly typical case: a domain (example.com) which is delegated to an IPv4-only nameserver (ns1.example.com). (Assume one nameserver for simplicity of explanation; always use at least two in the real world.) A subdomain (ad.example.com) which is delegated to a dual-stack nameserver (Windows Server 2008 R2, for example, and let's call it dc.ad.example.com). An IPv6-capable client (e.g. any Windows Vista or Windows 7 or Mac OS X or most Linuxes) attempting to resolve host.ad.example.com will recurse to ns1.example.com, which will provide the referral along with the IPv4 glue records for dc.ad.example.com (remember, ns1.example.com is NOT dual-stack). A fairly typical client resolver will then do some sanity checking, and obtain more details from dc.ad.example.com before sending the ultimate A query for host.ad.example.com. At this point, dc.ad.example.com reports *its own* IPv6 address to the IPv6-enabled client, even though they're still speaking IPv4.
Can anyone guess what happens next?
One of two scenarios, non-deterministically (AFAIK):
1. The resolver client suddenly decides to talk IPv6 to the authoritative nameserver "dc.ad.example.com", since it now knows its AAAA record, and IPv6 is obviously a better protocol, right?, fails to contact the nameserver over IPv6 and decides said nameserver is dead, and returns an ENOTFOUND or something similar to the requesting application.
2. The resolver client maintains its temporary cache of the nameserver's IPv4 address, and successfully obtains both A and AAAA records (again, this is typical for a gethostbyname() call) for the ultimate destination of host.ad.example.com. Then the application attempts to open a socket... which the OS happily attempts to do using IPv6.
This all works great as long as there is IPv6 connectivity between the client resolver, the authoritative nameserver, AND the destination host. If there isn't, then you've just blackholed your subdomain, just by turning on IPv6. Surprise!
I'm told this is a very common problem in the IPv6 early-adopter world, and there is no solution for it yet. One partial solution is to use static IPv6 addresses in the 4to6-transition style (where the IPv4 address is embedded in the last 4 bytes of the IPv6 address), apparently many client IP stacks treat those semi-magically. I don't understand the details of that yet, but IMHO that kind of invalidates the whole point of turning on IPv6 in the first place...
-Adam
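Added example, not part of the original message: a pre-deployment check for the two failure scenarios described above, which flags any nameserver or host that publishes an AAAA record the client cannot reach while its A record still works. The target list, the addresses (documentation ranges), the function names and the use of a TCP connect as the reachability test are all assumptions made for this illustration.

```python
import ipaddress
import socket

def tcp_probe(addr, port, timeout=3.0):
    """Real check: can this client open a TCP connection to addr:port?"""
    fam = socket.AF_INET6 if ipaddress.ip_address(addr).version == 6 else socket.AF_INET
    try:
        with socket.socket(fam, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:
        return False

def audit(targets, probe=tcp_probe):
    """Flag names whose published AAAA is unreachable while their A still works."""
    findings = []
    for role, name, port, addrs in targets:
        parsed = [ipaddress.ip_address(a) for a in addrs]
        dead_v6 = [str(a) for a in parsed if a.version == 6 and not probe(str(a), port)]
        live_v4 = [str(a) for a in parsed if a.version == 4 and probe(str(a), port)]
        if dead_v6 and live_v4:
            effect = ("resolver may declare the nameserver dead (scenario 1)"
                      if role == "ns" else
                      "application connect() over IPv6 fails (scenario 2)")
            findings.append((name, dead_v6, effect))
    return findings

# Constructed sample: (role, name, port, published addresses), using the
# documentation ranges 192.0.2.0/24 and 2001:db8::/32.
SAMPLE = [
    ("ns", "ns1.example.com", 53, ["192.0.2.1"]),                      # IPv4-only parent
    ("ns", "dc.ad.example.com", 53, ["192.0.2.53", "2001:db8::53"]),   # dual-stack child NS
    ("host", "host.ad.example.com", 80, ["192.0.2.80", "2001:db8::80"]),
]

def v4_only_path(addr, port):
    """Constructed stub probe: a client with no working IPv6 route to the servers."""
    return ipaddress.ip_address(addr).version == 4

if __name__ == "__main__":
    for name, dead, effect in audit(SAMPLE, probe=v4_only_path):
        print(f"{name}: AAAA {', '.join(dead)} unreachable -> {effect}")
```

Run with the default `tcp_probe` from each client network that will resolve the zone, since reachability depends on where the client sits.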
-----Original Message-----
From: roundtable-bounces@muug.mb.ca [mailto:roundtable-bounces@muug.mb.ca] On Behalf Of Sean Cody
Sent: Thursday, May 12, 2011 16:38
To: Continuation of Round Table discussion
Subject: Re: [RndTbl] IPv6
Almost on cue... O'Reilly's ebook deal today is "DNS and Bind on IPv6."
-- Sean (mobile)
On 2011-05-12, at 11:37 AM, "Gilbert E. Detillieux" gedetil@cs.umanitoba.ca wrote:
As an example of how things can be more complicated than might seem at first, consider setting up an e-mail server with the usual raft of anti-spam measures...
admins-need-to-know/143080
Oh yeah, we tend to look up those client addresses a fair bit to determine the client's reputation... When will all that work well under IPv6?
In any case, I'm hoping to spend part of my summer at work reading up on IPv6, and starting a few LAN-based experiments. No word yet on when the UofM will have its router infrastructure IPv6-ready, though.
Maybe Adam and I can compare notes in the fall, and see if either of us is ready to present something on the topic.
Gilbert
On 2011-05-11 20:02, Adam Thompson wrote:
Unfortunately, no-one is willing to be the bad guy in that story... Not even a *country* can really pull it off.
Think about how many non-IPv6-capable devices there are out there: virtually every single home router, printer, modem, camera, etc.
Now as soon as a flag day is declared, the self-entitled of the world will rise up and say to their government, "who's going to pay for my new equipment?" Never mind that we've all known this day would come for over 10 years...
On the other hand, I might turn out to be the first who actually has to manage a dual-stack network... and be willing to talk about it, anyway. Assuming I'm not on powerful drugs as a result of doing so! Holy **** does it get complicated!
-Adam
Trevor Cordes trevor@tecnopolis.ca wrote:
On 2011-05-11 Sean Cody wrote:
Anyone have an interest or is implementing ipv6 anywhere?
An intro to ipv6 would be a great presentation topic so if you can share your experience, please do!
Seconded. But don't look at me.
Does anyone know when home ISPs like Shaw will start to offer IPv6 to home users? I don't think v6 will go anywhere until the ISPs with their massive IP pools start switching end users to it. Correct?
All of this 6-to-4 stuff seems stupid and overly complex. I would like to just see a day picked where 4 is shut off and only 6 can be used.
We'll all be !@$#%ing our pants for a few days/weeks but then it'll be done.
--
Gilbert E. Detillieux        E-mail: gedetil@muug.mb.ca
Manitoba UNIX User Group     Web: http://www.muug.mb.ca/
PO Box 130 St-Boniface       Phone: (204)474-8161
Winnipeg MB CANADA R2H 3B4   Fax: (204)474-7609
_______________________________________________
Roundtable mailing list
Roundtable@muug.mb.ca
http://www.muug.mb.ca/mailman/listinfo/roundtable