
Publish forgetting-dns6

blog
LEdoian 10 months ago
parent d906a7cfee
commit 947ced8a0c

@ -2,13 +2,13 @@ Do not forget about IPv6 DNS
@@@@@@@@@@@@@@@@@@@@@@@@@@@@
:slug: forgetting-dns6
:date: 2023-10-28 23:31
:date: 2024-01-24 03:20
:tags: ipv6-only, dns
:category: networking
:keywords: dns, ipv6, deployment, bug
:lang: en
:translation: false
:status: draft
:status: published
Do you think IPv6-only internet works OK? I am going to tell you that it does
not, but it is not immediately visible. TL;DR: The internet can be broken also
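Review bot: overwriting the `:date:` value in place drops the original drafting date (2023-10-28) from the file; if this is Pelican, as the `:slug:`/`:status:`/`:translation:` fields suggest, it accepts a separate `:modified:` field, so keeping `:date: 2023-10-28 23:31` and adding `:modified: 2024-01-24 03:20` would preserve both. The `:status: draft` to `:status: published` change is the actual publish step and looks correct.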
@ -64,8 +64,8 @@ Enter DNS
Our picture has one unexplored magic box: the DNS. As per the definition (which
I just made up and was not bothered to even fully formulate):
> yada yada distributed database of records attached to the strings domain
names. The records hold various information about the domain depending on the type.
yada yada distributed database of records attached to the strings domain
names. The records hold various information about the domain depending on the type.
There are three interesting types of records: A records give IPv4 addresses,
AAAA give IPv6 addresses and NS give names of servers who know about the
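Review bot: removing the leading `> ` is the right fix for reStructuredText, where `>` is not a quotation marker and would have been rendered as a literal `>` in the page; if the made-up definition is still meant to read as a quotation, indent the two lines instead, which is how RST marks a block quote.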
@ -83,7 +83,8 @@ so when resolving we need *two* queries for each layer (very simplified):
first we ask for the final domain (``blog.ledoian.cz``) and get a NS record
(when the server does not have the answer) and then we need to ask for the A or
AAAA record of the name from that record, so that we can connect to the server
mentioned in the NS record.
mentioned in the NS record. (This allows a nameserver to be made redundant
and/or reside on other types of network.)
You might start to see the issue. When the DNS was just a black box, we could
paint the whole picture green and call it a day. And from the regular user's
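Review bot: the added parenthetical "reside on other types of network" is vague for a post whose whole point is IPv4-only versus IPv6-only reachability; say what is meant, e.g. "reside in a different network, including one reachable only over IPv4 or only over IPv6", so the sentence sets up the argument that follows, and "and/or" can simply be "or".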
@ -289,7 +290,7 @@ Amusing bug of almost good deployment
We have seen there may be multiple NS records for a domain and thus
multiple nameservers. This is good for redundancy. But this does not mean that
the servers will have the same records they are only supposed to give
equivalent answers.
equivalent answers (as far as I know).
I have come across a silly misconfiguration: a domain which has several
nameservers, which serve a *slightly* different set of NS records for its
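Review bot: the unchanged line "the servers will have the same records they are only supposed to give" is missing punctuation between "records" and "they" (a colon or semicolon), which the new "(as far as I know)" hedge does not address; since this hunk already touches the sentence, fix it here. A pointer to whatever source the claim rests on would also read better than the hedge.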
@ -299,7 +300,7 @@ subdomain, which, incidentally, was the *only* one that was IPv6-capable.
So, while all the correct records were present in DNS (somewhat/somewhere), this still
meant that IPv6-only resolution was doomed to fail because the IPv6 nameserver
chain was broken.
chain was broken. (This has already been fixed.)
-----
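Review bot: "(This has already been fixed.)" says neither when nor by whom, and because this same commit bumps `:date:` by three months, a reader cannot tell whether the misconfiguration was still live when the text was written; state roughly when it was fixed or drop the parenthetical.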
