From 947ced8a0c1f1a1a38ce588e3166d93148c4160c Mon Sep 17 00:00:00 2001 From: Pavel 'LEdoian' Turinsky Date: Wed, 24 Jan 2024 03:10:56 +0100 Subject: [PATCH] Publish forgetting-dns6 --- content/forgetting-dns6.rst | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/content/forgetting-dns6.rst b/content/forgetting-dns6.rst index b92ae60..7726c83 100644 --- a/content/forgetting-dns6.rst +++ b/content/forgetting-dns6.rst @@ -2,13 +2,13 @@ Do not forget about IPv6 DNS @@@@@@@@@@@@@@@@@@@@@@@@@@@@ :slug: forgetting-dns6 -:date: 2023-10-28 23:31 +:date: 2024-01-24 03:20 :tags: ipv6-only, dns :category: networking :keywords: dns, ipv6, deployment, bug :lang: en :translation: false -:status: draft +:status: published Do you think IPv6-only internet works OK? I am going to tell you that it does not, but it is not immediately visible. TL;DR: The internet can be broken also @@ -64,8 +64,8 @@ Enter DNS Our picture has one unexplored magic box: the DNS. As per the definition (which I just made up and was not bothered to even fully formulate): -> yada yada distributed database of records attached to the strings – domain -names. The records hold various information about the domain depending on the type. + yada yada distributed database of records attached to the strings – domain + names. The records hold various information about the domain depending on the type. There are three interesting types of records: A records give IPv4 addresses, AAAA give IPv6 addresses and NS give names of servers who know about the 
@@ -83,7 +83,8 @@ so when resolving we need *two* queries for each layer (very simplified): first we ask for the final domain (``blog.ledoian.cz``) and get a NS record (when the server does not have the answer) and then we need to ask for the A or AAAA record of the name from that record, so that we can connect to the server -mentioned in the NS record. +mentioned in the NS record. (This allows a nameserver to be made redundant +and/or reside on other types of network.) You might start to see the issue. When the DNS was just a black box, we could paint the whole picture green and call it a day. And from the regular user's @@ -289,7 +290,7 @@ Amusing bug of almost good deployment We have seen there may be multiple NS records for a domain and thus multiple nameservers. This is good for redundancy. But this does not mean that the servers will have the same records – they are only supposed to give -equivalent answers. +equivalent answers (as far as I know). I have come across a silly misconfiguration: a domain which has several nameservers, which serve a *slightly* different set of NS records for its @@ -299,7 +300,7 @@ subdomain, which, incidentally, was the *only* one that was IPv6-capable. So, while all the correct records were present in DNS (somewhat/somewhere), this still meant that IPv6-only resolution was doomed to fail because the IPv6 nameserver -chain was broken. +chain was broken. (This has already been fixed.) -----
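Review bot: in the metadata hunk the new `:date: 2024-01-24 03:20` does not agree with the commit timestamp in the mail header (03:10:56 +0100), and the original draft date (2023-10-28 23:31) is lost entirely. If the site generator supports a separate modified/updated field, keep the original `:date:` and record the publication date there; otherwise at least make the two timestamps agree so readers and the git history tell the same story. The `:status: draft` to `published` flip is the actual intent of the patch and is fine.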
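Review bot: in the `@@ -64,8 +64,8 @@` hunk, replacing the Markdown-style `-> yada yada ...` lines with an indented block is the right fix for reStructuredText, where a leading `>` is plain text and indentation is what makes a block quote. Two things to confirm on the rendered page: the indented block must be separated from `...fully formulate):` above and from `There are three interesting types of records...` below by blank lines, or the parser folds it into the neighbouring paragraph (the hunk context suggests the blank lines are there, but it is worth a look), and the preceding paragraph must keep its single trailing colon, since `::` would turn the indented text into a literal block instead of a quote.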
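Review bot: in the `@@ -83,7 +83,8 @@` hunk the added parenthetical `(This allows a nameserver to be made redundant and/or reside on other types of network.)` is vaguer than the point it is making, and that point is the core of the post. The reason an NS record carries a name rather than an address is that the name can hold an A record, an AAAA record, or both, and several of each, so one nameserver name can be reachable over IPv4, IPv6 or both, and redundantly. Stating that directly, e.g. `Because the NS record holds a name, that name can carry A and AAAA records (and several of each), so one nameserver can be reachable over IPv4, IPv6 or both.`, ties the sentence to the IPv6-only argument that follows and drops the "and/or".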
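Review bot: in the `@@ -289,7 +290,7 @@` hunk the hedge `(as far as I know)` undercuts a statement that is correct and that the next paragraph depends on: all authoritative servers for a zone are meant to serve the same zone data, which is why secondaries normally copy it from the primary via zone transfer (AXFR/IXFR), so servers handing out different NS sets for a subdomain is a misconfiguration rather than a tolerated variant. Suggest dropping the hedge, or replacing it with the mechanism: `they are only supposed to give equivalent answers, since secondaries copy the zone from the primary via zone transfer.`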
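Review bot: in the `@@ -299,7 +300,7 @@` hunk `(This has already been fixed.)` leaves the reader unable to tell which of the two described states is current or what the fix was (the inconsistent nameservers, or the delegation above them). Say roughly when it was fixed (the post is dated 2024-01-24 in this same patch) or what changed, and consider telling readers how to spot the same problem themselves, since the section is otherwise the most practically useful part of the post: query each listed nameserver directly for the subdomain's NS set (`dig @<nameserver> <subdomain> NS` for every NS) and compare the answers, then force an IPv6-only resolution (`dig -6 +trace <subdomain> AAAA`) to see at which step the chain breaks.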