<feed xmlns="http://www.w3.org/2005/Atom"><title>LEdoian's Blog</title><link href="https://blog.ledoian.cz/" rel="alternate"></link><link href="https://blog.ledoian.cz/feeds/all.atom.xml" rel="self"></link><id>https://blog.ledoian.cz/</id><updated>2024-01-24T03:20:00+01:00</updated><entry><title>Do not forget about IPv6 DNS</title><link href="https://blog.ledoian.cz/forgetting-dns6.html" rel="alternate"></link><published>2024-01-24T03:20:00+01:00</published><updated>2024-01-24T03:20:00+01:00</updated><author><name>LEdoian</name></author><id>tag:blog.ledoian.cz,2024-01-24:/forgetting-dns6.html</id><summary type="html"><p>Do you think IPv6-only internet works OK? I am going to tell you that it does
not, but the breakage is not immediately visible. TL;DR: The internet can also be broken
by forgetting to add AAAA records for the <em>nameservers</em>. This creates an IPv4
requirement for resolving a name even when the …</p></summary><content type="html"><p>Do you think IPv6-only internet works OK? I am going to tell you that it does
not, but the breakage is not immediately visible. TL;DR: The internet can also be broken
by forgetting to add AAAA records for the <em>nameservers</em>. This creates an IPv4
requirement for resolving a name even when the target itself is reachable over IPv6.</p>
<div class="section" id="quick-recap">
<h2>Quick recap</h2>
<p>Connecting to a website is easy, right? You type in the name, you get the front page.</p>
<h3>Reaching IPv4 land from IPv6-only</h3>
<p>There are few^H^H^Hmany sites that still only support IPv4. To reach them, we
need someone who can reach both the IPv4- and IPv6-land to go there on our
behalf – a proxy. This proxy can be ad-hoc (I often use <tt class="docutils literal">ssh <span class="pre">-D</span></tt>) or there
are well-known protocols like NAT64 with DNS64 to do that in a standard and</p>
<div class="figure">
<p class="caption">And now we can reach the whole internet.</p>
</div>
<p>You might already know that you need some workaround like this to reach GitHub.
What I think you might not know is that you need a similar workaround to reach Wikipedia.</p>
<p>Disclaimer: I like Wikipedia and this is not meant to shame them, just to use
them as an example. I am aware of several other sites suffering from the same problem,
including at least one IPv6 test. <a class="footnote-reference" href="#test-aaaa" id="footnote-reference-2">[2]</a> (It would be nice if they added
the missing piece of the puzzle, though.)</p>
</div>
</div>
<div class="section" id="enter-dns">
<h2>Enter DNS</h2>
<p>Our picture has one unexplored magic box: the DNS. As per the definition (which
I just made up and did not bother to even fully formulate):</p>
<blockquote>
yada yada distributed database of records attached to the strings – domain
names. The records hold various information about the domain depending on the type.</blockquote>
<p>There are three interesting types of records: A records give IPv4 addresses,
AAAA records give IPv6 addresses and NS records give the names of the servers that know about
a particular subtree of the database. To actually resolve the final AAAA
record, the (recursive) resolver starts at the <em>root zone</em> and works its way
down the delegations until it finds the answer. <a class="footnote-reference" href="#dns-simplification" id="footnote-reference-3">[3]</a> The resolution algorithm can be visualised like this:</p>
<p>So, what is the deal? We <em>just</em> need to have a dual-stack DNS resolver
somewhere, and that's it, no? Well, yes but actually yes.</p>
<p>There are two problems with this: First, this means that any new ISP needs to
have <em>at least some</em> IPv4 address, even if they intend to offer only IPv6
services. IPv4 addresses are scarce, <a class="reference external" href="https://blog.apnic.net/2021/12/16/opinion-ipv4-address-markets/">expensive</a> and small
new ISPs and from the overall routing point of view. It also hinders IPv6
deployment and postpones IPv4 abandonment, needlessly.</p>
<p>The second issue is that this is not very visible. We are building an IPv6 world,
but deep inside it still relies on IPv4, which might lead to a great surprise
when we start cutting off the IPv4 internet. It might also lead to a false sense of
having IPv6 fully deployed, which is not the case.</p>
<p>Insert &quot;It was DNS&quot; meme here.</p>
</div>
<div class="section" id="solution">
<h2>Solution</h2>
<p>The solution is simple: get IPv6 connectivity to your
authoritative DNS server (or use a different one) and do not forget to add an AAAA
record for it in DNS. If the DNS server already has IPv6, it is probably just
a matter of adding a single line to the zone file (and a second one for the DNSSEC
signature), which should not be a big deal.</p>
<p>Unfortunately, this needs to be done for the whole DNS chain.
Domain names at universities in particular are infamous for very deep nesting.
A domain name may look like
<tt class="docutils literal"><span class="pre">machine.department.location.faculty.university.some-common.suffix</span></tt>. That
tree is deep and so is the resolution of this problem.</p>
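<p>To make the resolution walk from the Enter DNS section and the "whole chain" point above concrete, here is an added example that is not part of the blog post: a toy iterative resolver in Python over constructed zone data (names under <tt class="docutils literal">example</tt>, addresses from the documentation ranges, none of them real). It follows the NS delegations from the root exactly as described above, but can only follow a delegation if at least one of that zone's nameservers has a glue address of a family the resolver's own connectivity supports. With IPv6-only connectivity it stops at the one zone whose nameserver has only an A record, even though the target name itself has an AAAA record; adding that nameserver's AAAA record (the single zone-file line from the Solution section) makes the same walk succeed. The function names <tt class="docutils literal">resolve</tt> and <tt class="docutils literal">with_aaaa_glue</tt> are mine, not anything from the post.</p>

```python
# Added example (not the blog's code): a toy iterative resolver over constructed
# zone data. It shows where an IPv6-only resolver gets stuck when one nameserver
# in the delegation chain has only an A record, and that adding the AAAA glue
# fixes it. All names and addresses below are constructed, not real.
from collections import defaultdict
import ipaddress

# Constructed zone data: a deep delegation chain like the one in the post.
# Every nameserver has an A record; ns.faculty.university.example. has no AAAA.
CONSTRUCTED_ZONE_DATA = """\
.                                NS   root.ns.example.
root.ns.example.                 A    192.0.2.1
root.ns.example.                 AAAA 2001:db8::1
example.                         NS   tld.ns.example.
tld.ns.example.                  A    192.0.2.2
tld.ns.example.                  AAAA 2001:db8::2
university.example.              NS   ns.university.example.
ns.university.example.           A    192.0.2.3
ns.university.example.           AAAA 2001:db8::3
faculty.university.example.      NS   ns.faculty.university.example.
ns.faculty.university.example.   A    192.0.2.4
www.faculty.university.example.  A    192.0.2.80
www.faculty.university.example.  AAAA 2001:db8::80
"""


def parse_records(text):
    """Parse 'owner TYPE rdata' lines into a {(owner, TYPE): [rdata, ...]} map."""
    db = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith(";"):
            continue
        owner, rtype, rdata = parts
        db[(owner.lower(), rtype.upper())].append(rdata)
    return db


def zone_cuts(db, name):
    """Delegation points (names holding NS records) on the path from the root
    down to `name`, shallowest first. The root is always the starting point."""
    labels = name.rstrip(".").split(".")
    cuts = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if (candidate, "NS") in db:
            cuts.append(candidate)
    return cuts


def reachable_addresses(db, server, families):
    """Glue addresses of `server` that the resolver can actually connect to,
    given the IP families (4 and/or 6) of its own connectivity."""
    return [rdata
            for rtype in ("A", "AAAA")
            for rdata in db.get((server, rtype), [])
            if ipaddress.ip_address(rdata).version in families]


def resolve(db, name, rtype, families=(4, 6)):
    """Walk the delegation chain from the root the way an iterative resolver does.

    Simplification: nameserver addresses are taken straight from glue in the
    same data set instead of being resolved in turn.
    Returns (answer, blocked_at, trace): answer is the list of rdata, or None
    when some zone on the path has no nameserver reachable over `families`,
    in which case blocked_at names that zone."""
    name = name.lower()
    fam = "/".join(f"IPv{f}" for f in families)
    trace = []
    for cut in zone_cuts(db, name):
        servers = db.get((cut, "NS"), [])
        usable = {s: reachable_addresses(db, s, families) for s in servers}
        usable = {s: addrs for s, addrs in usable.items() if addrs}
        if not usable:
            trace.append(f"{cut} no nameserver reachable over {fam}: "
                         f"NS {', '.join(servers) or '(none)'}")
            return None, cut, trace
        server, addrs = next(iter(usable.items()))
        trace.append(f"{cut} ask {server} at {addrs[0]}")
    return list(db.get((name, rtype), [])), None, trace


def with_aaaa_glue(db, server, address):
    """Copy of the zone data with one AAAA record added for `server`: the single
    zone-file line the post talks about (the DNSSEC signature is out of scope)."""
    fixed = defaultdict(list, {k: list(v) for k, v in db.items()})
    fixed[(server, "AAAA")].append(address)
    return fixed


if __name__ == "__main__":
    db = parse_records(CONSTRUCTED_ZONE_DATA)
    target = "www.faculty.university.example."
    for families in ((4, 6), (6,)):
        answer, blocked, trace = resolve(db, target, "AAAA", families)
        print(f"--- resolver connectivity: {'/'.join(f'IPv{f}' for f in families)}")
        print("\n".join(trace))
        print(f"answer: {answer}   blocked at: {blocked}")
    fixed = with_aaaa_glue(db, "ns.faculty.university.example.", "2001:db8::4")
    print("after adding the AAAA glue, IPv6-only:",
          resolve(fixed, target, "AAAA", (6,))[0])
```

<p>The simplification is deliberate: nameserver addresses come from glue in the same data set rather than being resolved in turn, so out-of-bailiwick nameservers (which a real resolver must resolve separately, with the same IPv6 requirement at every step) are not modelled. To check a real name, <tt class="docutils literal">dig +trace</tt> shows the delegation chain, and querying AAAA for each nameserver it lists shows which of them an IPv6-only resolver could reach at all.</p>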
<table class="docutils footnote">
<tbody>
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-1">[1]</a></td><td>This is very much the same as when you try to reach the
IPv4-public-land from IPv4-private-land, that is, from a private range of IP
addresses. This is called either just NAT, or NAT44 to denote IPv4-to-IPv4 NAT.</td></tr>
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-2">[2]</a></td><td>There are several more tests that do not even have the AAAA</td></tr>
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-3">[3]</a></td><td>In my example, there is a single recursive DNS
resolver external to my machine in order not to complicate it too much.
The real deployment is often trickier.</td></tr>
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-4">[4]</a></td><td>I have not yet tried to run a recursive DNS in a network
with DNS64 and NAT64. Could be fun :-D My wild guess is that I would need
CLAT (i.e. the full 464XLAT deployment) to make that work, since the
resolver is connecting directly to IPv4 addresses and would need to learn to
use NAT64 to resolve them. (The CLAT could be built right into the resolver,
though).</td></tr>
</tbody>
</table>
</div>
</content><category term="networking"></category><category term="ipv6-only"></category><category term="dns"></category></entry><entry><title>About this blog</title><link href="https://blog.ledoian.cz/about-blog.html" rel="alternate"></link><published>2024-01-10T16:47:00+01:00</published><updated>2024-01-10T16:47:00+01:00</updated><author><name>LEdoian</name></author><id>tag:blog.ledoian.cz,2024-01-10:/about-blog.html</id><summary type="html"><p>This is my blog and this article describes its setup and other details about my
intentions. The actual <a class="reference internal" href="#the-setup">setup</a> is probably the most</p></summary></entry></feed>