Question about "proper" way to run v6/v4 website

Doug Barton dougb at dougbarton.us
Wed May 2 08:05:41 CEST 2007


Niels Bakker wrote:
> * dougb at dougbarton.us (Doug Barton) [Tue 01 May 2007, 23:47 CEST]:
>> On Tue, 1 May 2007, Gert Doering wrote:
> [..]
>>> Specific example: if our customers use our recursive DNS service, our 
>>> DNS *will* use v6 queries (if the target DNS server has v6 
>>> connectivity), but about 95% of our customers do not have v6 
>>> connectivity yet, so they would not be able to reach the destination.
>>
>> Since you and Matyas had basically the same question, I'll choose this 
>> one to respond to. I actually have an answer to your question, but 
>> first I have a question for you. What operational goal are you trying 
>> to accomplish by configuring your DNS in that way? And no, this is not 
>> a theoretical question. We are, as has been stated before, in a 
>> transition period, and the transition isn't going to go any further 
>> than it has (which isn't much) if we can't come up with real solutions 
>> to the problems people are currently experiencing.
> 
> It seems like a no-brainer to me to configure a nameserver to have the 
> ability to query using both address families as both are being used on 
> the Internet today.

Pardon what will seem like a trite and pointed response, because it's 
not intended to be either. IMO people failing to use their brains in 
reasonable and appropriate ways is how we got into the mess we're in 
to start with. What I'm trying to do is answer the OP's original 
query, which, whether he knows it or not, is among a very short list 
of crucial questions that WE NEED TO FIND ANSWERS TO if we're going to 
actually move IPv6 from "experimental" to "useful" (never mind 
"mission critical" as IPv4 is currently). Because right now, quite 
frankly, it ain't all that useful. Clever, sure. But right now, 
running a v6-capable operating system is much more likely to cause you 
problems than benefit, and running v6-enabled services is guaranteed 
to cause you more problems than benefit, so it's about time we stopped 
waving our hands and started looking for ways out of the twisty maze 
of passages.

So I'll ask the question again. What operational goal are you 
servicing by enabling v4-only clients to query a name server that does 
v6 queries?

> Responding with different answers in the face of a forwarding chain of 
> unknown length sounds like a bad idea. 

Then let's talk about WHY you think it's a bad idea, and more 
importantly, why you think that what I'm proposing is worse than the 
standard answer of "throw all the records into the same DNS and let 
God sort them out." With what I'm proposing, no client gets an AAAA 
record as an answer unless there is at least v6 involved SOMEWHERE in 
the chain. While it is obviously not a panacea (and I did not suggest 
that it was) I can't help believing that it's an improvement to the 
status quo. Please demonstrate in concrete terms how I am wrong.

> The same reason applies to 
> answering differently based on source IPv4 address:

Actually I think you're misapplying the analogy here for at least two 
reasons off the top of my head. The most important reason being that 
by acting deterministically on the basis of receiving a query over v6, 
we're not guessing at anything. (The other reason is that at least one 
company has made a multi-billion dollar business out of "guessing" 
things about your traffic based on your IP address.)

> not everybody uses 
> the nameserver closest to them (think e.g. of corporate VPNs of 
> enterprises spanning multiple countries).

Yes, I'm familiar with those issues, I used to manage exactly that 
kind of network (although I tended to favor local resolvers, but I 
digress).

BTW, there is at least one other problem with what I proposed that no 
one has mentioned yet: what about clients that are v6-capable behind a 
resolving name server that isn't? But I think my main point is still 
valid. WHILE WE ARE IN THIS TRANSITION PERIOD, how can we make 
migration to v6 traffic simpler, and more transparent than it is now?

Doug

-- 
     If you're never wrong, you're not trying hard enough


