@ -2,13 +2,13 @@ Do not forget about IPv6 DNS
@@@@@@@@@@@@@@@@@@@@@@@@@@@@
:slug: forgetting-dns6
:date: 2023-10-28 23:31
:date: 2024-01-24 03:20
:tags: ipv6-only, dns
:category: networking
:keywords: dns, ipv6, deployment, bug
:lang: en
:translation: false
:status: draft
:status: published
Do you think IPv6-only internet works OK? I am going to tell you that it does
not, but it is not immediately visible. TL;DR: The internet can be broken also
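Review bot: the ``:date:`` field moves from 2023-10-28 23:31 to 2024-01-24 03:20 in the same hunk that flips ``:status:`` from draft to published, which drops the date the text was actually written from the post's metadata; if the new value is meant to record publication, keep the original ``:date:`` and put 2024-01-24 03:20 in a separate modified-date field (if the site generator has one), so the archive ordering and the feed still reflect when the post was written versus when it went live. The remaining fields in the hunk (``:slug:``, ``:tags:``, ``:category:``, ``:keywords:``, ``:lang:``, ``:translation:``) are unchanged context and match the body that follows.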
@ -64,8 +64,8 @@ Enter DNS
Our picture has one unexplored magic box: the DNS. As per the definition (which
I just made up and was not bothered to even fully formulate):
> yada yada distributed database of records attached to the strings – domain
names. The records hold various information about the domain depending on the type.
yada yada distributed database of records attached to the strings – domain
names. The records hold various information about the domain depending on the type.
There are three interesting types of records: A records give IPv4 addresses,
AAAA give IPv6 addresses and NS give names of servers who know about the
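Review bot: stripping the leading ``>`` from the two "yada yada" lines leaves the made-up definition flush with the surrounding paragraphs, so the text that the colon in "As per the definition (...):" introduces is no longer set apart at all. The rest of the file is reStructuredText (the ``:slug:`` field list, the ``blog.ledoian.cz`` inline literal, the ``-----`` transition), where ``>`` is not quotation markup and a block quote is simply an indented paragraph, so the better fix is to indent the two lines by a few spaces rather than drop the marker, e.g. ``    yada yada distributed database of records attached to the strings – domain``. Minor wording in the trailing context: "NS give names of servers who know about the" reads better as "servers that know about the".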
@ -83,7 +83,8 @@ so when resolving we need *two* queries for each layer (very simplified):
first we ask for the final domain (``blog.ledoian.cz``) and get a NS record
(when the server does not have the answer) and then we need to ask for the A or
AAAA record of the name from that record, so that we can connect to the server
mentioned in the NS record.
mentioned in the NS record. (This allows a nameserver to be made redundant
and/or reside on other types of network.)
You might start to see the issue. When the DNS was just a black box, we could
paint the whole picture green and call it a day. And from the regular user's
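Review bot: the added parenthetical "(This allows a nameserver to be made redundant and/or reside on other types of network.)" is the natural place to state the one detail the "two queries" sketch hides and that the bug later in the post depends on: an NS record only names the server, so an IPv6-only resolver has to obtain an AAAA record for that name (from the name's own zone, or as glue handed out by the parent when the name lies inside the zone being delegated), and if no AAAA exists the chain stops right there. Rewording along the lines of "This lets a nameserver have several addresses, and addresses of more than one family, without the delegation itself changing" would also say what "other types of network" means here. Minor: "get a NS record" should read "get an NS record".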
@ -289,7 +290,7 @@ Amusing bug of almost good deployment
We have seen there may be multiple NS records for a domain and thus
multiple nameservers. This is good for redundancy. But this does not mean that
the servers will have the same records – they are only supposed to give
equivalent answers.
equivalent answers (as far as I know).
I have come across a silly misconfiguration: a domain which has several
nameservers, which serve a *slightly* different set of NS records for its
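Review bot: the new hedge "(as far as I know)" on "they are only supposed to give equivalent answers" weakens the sentence the whole bug story rests on: every authoritative server for a zone is expected to serve the same zone data, which is what zone transfers from the primary to the secondaries exist for, so the unhedged original was correct, and "equivalent" could even become "the same" so that the "*slightly* different set of NS records" two lines later stands out as the misconfiguration it is. If the hedge is meant to cover servers being briefly out of sync right after a zone update, say that explicitly instead.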
@ -299,7 +300,7 @@ subdomain, which, incidentally, was the *only* one that was IPv6-capable.
So, while all the correct records were present in DNS (somewhat/somewhere), this still
meant that IPv6-only resolution was doomed to fail because the IPv6 nameserver
chain was broken.
chain was broken. (This has already been fixed.)
-----
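Review bot: "(This has already been fixed.)" leaves "this" ambiguous after a sentence that talks about both the one domain and IPv6-only resolution in general; if the fix is that the domain's nameservers now all serve the same NS set for the IPv6-capable subdomain, say so, otherwise a reader may take it to mean the broader IPv6-only problem from the introduction has gone away. In the same hunk, "all the correct records were present in DNS (somewhat/somewhere)" would be clearer as "present on at least one of the nameservers", which is the actual finding.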