1 of 13

IPv6-only capable iterative resolver

The University of Tokyo

Momoka Y

momoka.my6@gmail.com

2 of 13

Background


We want an IPv6 only iterative resolver

  • Operation of IPv6 only networks is increasing, e.g. draft-xie-v6ops-framework-md-ipv6only-underlay

  • We (IPv6 enthusiasts) want to operate every application with IPv6. NO IPv4 !!

  • We want our own recursive name server.

3 of 13

Objectives

The network topology we want to achieve.

The Resolver is inside the IPv6 only network.

The network design outlined in RFC6147 for DNS64.

According to this definition, the name server sits in the center of both IPv4 and IPv6 networks.

In order to run an IPv6-only network, we aim to concentrate IPv4 operations on NAT64.

Dual Stack Name server

IPv6 only Name server

4 of 13

Issues of an IPv6 iterative resolver failing

IPv6 only recursive name servers fail to work.

Example: an IPv6 only iterative resolver trying to resolve ieee.org.

  • root-servers: IPv4/IPv6 dual stack
  • a0.org.afilias-nst.info.: IPv4/IPv6 dual stack
  • ns1.ieee.org.: IPv4 single stack

5 of 13

Issues of an IPv6 iterative resolver failing

These domain names couldn’t be resolved from a “normal” IPv6 only recursive resolver:

wikipedia.org

yahoo.co.jp

alipay.com

harvard.edu

pixiv.net

ieee.org

Because they use IPv4 only Authoritative name servers

fastly.net

ns.nginx.org.

ns1.naver.jp.

Try for yourself with

# dig fastly.net @2001:200:0:1cd1::20

(2001:200:0:1cd1::20 is an iterative server that only sends IPv6 packets)

samsung.com

nginx.org

line.me

intel.com

dell.com

webex.com

                        A records answered (%)   AAAA records answered (%)
Resolving with IPv4     91.2                     23.2
Resolving with IPv6     58.2                     21.9

Used the top 1 million domains from the Tranco list (https://tranco-list.eu/). A records answered is not 100% because of subdomains.

status: SERVFAIL

IPv6 only resolvers failing

6 of 13

Reference RFC3901 BCP91

4. DNS IPv6 Transport recommended Guidelines

In order to preserve name space continuity, the following administrative policies are recommended:

  - every recursive name server SHOULD be either IPv4-only or dual stack,

    This rules out IPv6-only recursive servers. However, one might design configurations where a chain of IPv6-only name server forward queries to a set of dual stack recursive name server actually performing those recursive queries.

  - every DNS zone SHOULD be served by at least one IPv4-reachable authoritative name server.

    This rules out DNS zones served only by IPv6-only authoritative name servers.

7 of 13

Proposal


How can we achieve IPv6 only recursive name servers?

There are two ways to achieve this.

  • Change all authoritative name servers so that every DNS zone is served by at least one IPv6-reachable authoritative name server.

  • Change the IPv6 only recursive name server implementation so that an IPv6 only recursive name server utilizes the NAT64 in the network when sending queries to IPv4 only authoritative name servers.

8 of 13

Proposal


How can we achieve IPv6 only recursive name servers?

There are two ways to achieve this.

  • Change all authoritative name servers so that every DNS zone is served by at least one IPv6-reachable authoritative name server.

Giving IPv6-reachability to all authoritative name servers is hard.

  • Change the IPv6 only recursive name server implementation so that an IPv6 only recursive name server utilizes the NAT64 in the network when sending queries to IPv4 only authoritative name servers. We can deploy this IPv6 only recursive name server to an IPv6 only network.

9 of 13

How it works

draft-momoka-v6ops-ipv6-only-resolver

  • If the resolver only finds an A record for an authoritative server, the resolver should perform address synthesis on the IPv4 address to make it an IPv6 address.
    • This is done by applying the Pref64::/n to the IPv4 address to construct IPv4-converted IPv6 addresses as defined in RFC6052.
  • How to obtain the Pref64::/n of the NAT64
    • The iterative resolver can obtain the Pref64::/n used by the NAT64 of the network by either static configuration or by using discovery mechanisms (the Port Control Protocol [RFC7225] or Router Advertisements [RFC8781]). The mechanisms described in [RFC7050] or [draft-hunek-v6ops-nat64-srv] may not function because these need a resolver to work.

10 of 13

How it works


NAT64

IPv6 Internet

IPv4 Internet

IPv6 network

IPv6 only iterative resolver

IPv6 Authoritative name server

IPv4 Authoritative name server

11 of 13

Background and Proposal


Background:

  • Operation of IPv6 only networks is increasing, e.g. draft-xie-v6ops-framework-md-ipv6only-underlay
  • We (IPv6 enthusiasts) want to operate every application with IPv6. NO IPv4 !!
  • We want our own recursive name server.
  • However, “every recursive name server SHOULD be either IPv4-only or dual stack” (RFC3901 BCP91)

Proposal:

  • The networking community should normalize IPv6 only iterative resolvers.
  • As a stepping stone, we propose an IPv6 only resolver under NAT64.

12 of 13

Implementations

13 of 13

Propose draft-momoka-v6ops-ipv6-only-resolver

Abstract:

By performing IPv4 to IPv6 translation, IPv6-only iterative resolvers can operate in an IPv6-only environment. When a specific DNS zone is only served by an IPv4-only authoritative server, the iterative resolver will translate the IPv4 address to IPv6 to access the authoritative server's IPv4 address via NAT64. This mechanism allows IPv6-only iterative resolvers to initiate communications to IPv4-only authoritative servers.

Feedback is highly appreciated!