Thoughts about ipv6 white listing

George Bonser gbonser at seven.com
Sat Dec 4 23:40:41 CET 2010


> You don't know if the client has IPv6-connectivity, you just know the
> client initiates AAAA-queries. There really is a big difference here.

Additionally, in a sort of way, it will be rolled out gradually.  ONE resource will be rolled out with AAAA records initially.  That resource will correspond to all clients on one specific remote network (generally in this operation, clients on each remote network connect to a resource on our side dedicated to those clients on that network).  The one chosen first is the one who has already been making the most AAAA requests to our DNS anyway.

So let's say z.com provides services for clients on a.com, b.com, and c.com.  There is a resource at z called a.z.com, b.z.com and c.z.com; each resource corresponds to the clients on those respective networks.  Z notices that b.com clients always make an AAAA request before making an A request.  Z rolls out an ipv6 only name server and notices that the requests from b.com begin arriving to the v6 name server (at that point there are still no AAAA records, z is simply handing out the same zone they are handing out over v6).

That is a pretty good (though not 100% conclusive) indication that b.com is v6 ready.  Z then places an AAAA resource in the v6 zone for b.z.com and notices that the client traffic moves from v4 to the v6 resource.  The other possible case is that all traffic from b suddenly disappears. So it pretty much is either going to work or it is going to break.  Doing it this way has not changed service at all for clients on a.com or c.com.  And no resources are moved to AAAA records in the v6 DNS zone until they start to see requests to the v6 name server for AAAA records.
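
The selection step described in the message above, sketched as an added example that is not part of the original post: it tallies name-server queries per client network and lists the networks whose AAAA queries arrive over IPv6 transport. The log format, the prefix-to-network mapping and all addresses are constructed assumptions; only the a/b/c and z.com names come from the message.

```python
import ipaddress
from collections import Counter

# Constructed prefixes (documentation ranges) for each client network's resolvers.
NETWORKS = {
    "a.com": ["192.0.2.0/24"],
    "b.com": ["198.51.100.0/24", "2001:db8:b::/48"],
    "c.com": ["203.0.113.0/24", "2001:db8:c::/48"],
}

# Constructed query log, one query per line: "<source address> <qtype> <qname>".
SAMPLE_LOG = """\
192.0.2.10 A a.z.com
198.51.100.5 AAAA b.z.com
198.51.100.5 A b.z.com
2001:db8:b::53 AAAA b.z.com
2001:db8:b::53 A b.z.com
2001:db8:b::53 AAAA b.z.com
203.0.113.7 AAAA c.z.com
203.0.113.7 A c.z.com
2001:db8:c::53 A c.z.com
not-an-address AAAA b.z.com
"""

def network_for(ip):
    # A v4 address is never "in" a v6 prefix (and vice versa), so mixing is safe.
    for name, prefixes in NETWORKS.items():
        if any(ip in ipaddress.ip_network(p) for p in prefixes):
            return name
    return None

def tally(log):
    """Count queries per (network, transport, qtype); transport is v4 or v6."""
    counts = Counter()
    for line in log.splitlines():
        try:
            src, qtype, _qname = line.split()
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed line or unparsable source address
        net = network_for(ip)
        if net is not None:
            counts[(net, f"v{ip.version}", qtype.upper())] += 1
    return counts

def rollout_candidates(log):
    """Networks sending AAAA queries over IPv6 transport, busiest first."""
    counts = tally(log)
    v6 = {n: counts[(n, "v6", "AAAA")] for n in NETWORKS}
    return sorted((n for n in v6 if v6[n] > 0), key=lambda n: -v6[n])
```

On the constructed log only b.com qualifies: c.com asks for AAAA over v4 and reaches the v6 name server only with A queries, and a.com never asks for AAAA at all.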