Thoughts about ipv6 white listing

Sun Dec 5 00:56:44 CET 2010

> 
> This seems to be the fundamental mistake.

No, it isn't a mistake because in this case (people just don't seem to
listen to this part) I know that the dns server and the client are in
the same network.  I *know* that the client is using the DNS server it
got from DHCP.  They are on the same network.

> If an AAAA request arrives by v6, all you know is "the client asked
for
> AAAA, and the recursor has v6".

Correct.  But I also know that all 2,000,000 clients on that network are
using the same network and the same DNS servers, so if it breaks for
one, it breaks for all, it becomes immediately obvious and can be
immediately rolled back.  In this case it is an all or nothing
proposition.  There really aren't any "corner cases".

> You don't know *anything* about the availability and/or brokenness of
> v6 at the client end.

Not true.  If the DNS server is on the same network as the client and if
the DNS server can reach me, I have >50% confidence that the client can,
too.  If it can't, I pull the AAAA resource, notify the remote network,
and they can fix their stuff.  In practice, this would be rolled out
during a conference call with the remote network so we would see it
breaking or not immediately.  

So quoting from the recent draft on white listing:

These web site operators observed that when
   they added AAAA RRs to their authoritative DNS servers that a small
   fraction of end users had slow or otherwise impaired access to a
   given web site with both AAAA and A RRs.  The fraction of users with
   such impaired access has been estimated to be roughly 0.078% of total
   Internet users

So generally, across the Internet 0.078% of people would have a problem
if rolled out directly.  In my case, I am not serving the "general
internet" population.  I am serving specific networks communicating with
me across the Internet.  In my case, when I roll out a resource, it
isn't going to be a case of 0.078% of the users possibly having a
problem, it is going to be either 100% of the users of that resource
having a problem or 0% of the users having a problem.

And honestly, at some point for some resources, we might be willing to
live with the 0.078% number for certain resources.  If we get 10,000
unique visitors to some global resource in one day, then about 8 of
those will be "slow" or otherwise "impaired". Over the coming 12 months,
that 0.078% number is probably going to decline even more as more
networks get v6 working properly.   I also believe that if you "skim"
off those who are connecting via v6 to your DNS servers asking for that
global resource by AAAA record, the number is going to decline greatly
from 0.078% to something vanishingly small.  That is assuming that most
of the 0.078% of problem children are people asking for AAAA records
over v4.  