ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
Files
a75ec57477e81ffd0d8799652d3cd265f5bba6a4
bind9/doc/draft/draft-ietf-dnsop-v6-name-space-fragmentation-01.txt
Andreas Gustafsson b8b9e2bf5d updated drafts
2002-03-06 19:08:34 +00:00

349 lines
14 KiB
Plaintext
Raw Blame History

Internet Draft Johan Ihren
draft-ietf-dnsop-v6-name-space-fragmentation-01.txt Autonomica AB
March 2002
Expires in six months
IPv4-to-IPv6 migration and DNS namespace fragmentation
Status of this Memo
This memo provides information to the Internet community. It does
no specify an Internet standard of any kind. This memo is still not
in full conformance with all provisions of Section 10 of RFC2026.
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt The list of
Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This memo documents some problems forseen in transitioning from a
IPv4-only DNS hierarchy via a long period of mixture to an
IPv6-mostly situation sometime in the future. The mixture period is
expected to be very long, and hence design choices should very much
take this into account, rather than just regard the transition as a
relatively short period of pain.
The main problem with transition that this paper focus on is what
to do about the namespace fragmentation that may result from
certain DNS data only being available over one type of transport
(i.e. v4 or v6) which is thereby likely unavailable to hosts that
can cannot utilize that transport.
Two orthogonal issues are identified and discussed: deployment and
use. The former while technically simple holds certain dangers that
should be avoided. The "use" (as in performing DNS lookups) is much
more complicated, and a suggested roadmap for this is presented.
1. Terminology
The key words "MUST", "SHALL", "REQUIRED", "SHOULD",
"RECOMMENDED", and "MAY", when used un uppercase, in this document
are to be interpreted as described in RFC 2119 [RFC2119].
The phrase "v4 name server" indicates a name server available over
IPv4 transport. It does not imply anything about what DNS data is
served. Likewise, "v6 name server" indicates a name server
available over IPv6 transport. In general this document only
discuss transport issues and does not care exactly what is
transported.
2. Introduction to the problem of namespace fragmentation
With all DNS data only available over IPv4 transport everything is
simple. IPv4 resolvers can use the intended mechanism of following
referrals from the root and down while IPv6 resolvers have to work
through a "translator", i.e. they have to use a second name server
on a so-called "dual stack" host as a "forwarder" since they cannot
access the DNS data directly. This is not a scalable solution.
With all DNS data only available over IPv6 transport everything
would be equally simple, with the exception of old legacy IPv4 name
servers having to switch to a forwarding configuration.
However, the second situation will not arise in a foreseeable
time. Instead, it is expected that the transition will be from IPv4
only to a mixture of IPv4 and IPv6, with DNS data of theoretically
three types of availability, depending on whether it is available
only over IPv4 transport, only over IPv6 or both.
The latter is the best situation, and a major question is how to
ensure that it as quickly as possible becomes the norm. However,
while it is obvious that some DNS data will only be available over
v4 transport for a long time it is also obvious that it is
important to avoid fragmenting the namespace available to IPv4
only hosts. I.e. during transition it is not acceptable to break
the namespace that we presently have available for IPv4-only hosts.
2.1. Namespace fragmentation vs. unreachability.
Something that is presently not clear is whether it is actually
necessary to provide access to the "Internet namespace" as defined
by what is visble on the public v4 Internet also on v6 transport.
The reason for the unclarity is that if one regards "the Internet"
as the largest set of nodes that have a mutual 1-1 reachability for
any pair of nodes over IP and adjust the "Internet namespace" to
fit this set, then there is by definition no need to bridge or do
any special tricks (since they can all reach each other anyhow).
On the other hand, if we regard "the Internet" as the set of nodes
that share a namespace that we can refer to as "the Internet
namespace" regardless of whether they can all reach each other or
not, then we have to ensure that this namespace is accessible to
every node, regardless of its available transport.
It is out of scope for this document to make a choice between the
two alternatives, and therefore the rest of this document has to
work from the assumption that the same namespace should, if
possible, be made available to all nodes that claim to be part of
the Internet.
3. Consequences of deploying a "IPv6 root name server"
If and when a root name server that is accessible over IPv6
transport is deployed it will immediately for the first time become
possible to change IPv6-only name servers to a "native
configuration", i.e. to a configuration where they follow referrals
directly from the root (which is now accessible to them because of
the v6 transport).
However, initially they will typically quite soon get a referral to
a name server only available over IPv4 transport, and this will be
impossible to follow, since there is no common transport available.
Therefore the name it is trying to lookup will not get resolved and
the result is that the v6-only name server cannot lookup the same
set of domain names that its v4-only counterpart can.
This is fragmentation of the namespace.
Regardless of how this problem is handled it is important to
realize that at first it will only concern the namespace as viewed
from an IPv6-host. I.e. the IPv4 namespace will not (initially) be
fragmented, and an important question is possibly how to keep it
unfragmented.
4. A taxonomy of alternatives to avoid fragmentation.
4.1. Ignore the problem.
It is possible to ignore the fragmentation issue. Whether that is
an acceptable choice or not has to be very carefully considered. Is
it reasonable to allow v4 only hosts to over time lose access to
parts of the Internet namespace just because they are not
"IPv6-aware"?
4.2. DNS transport bridging.
By providing some sort of "DNS transport bridging", i.e. create a
fallback mechanism that enables a name server with only one type of
transport to reach a name server only available over the other
transport via some sort of proxy service it would be possible to
unify the DNS zones available on each transport into a common
namespace.
The general consensus is that it is not possible to design such a
bridging solution that works in both directions. However, it may be
possible to design one that allows v6 clients to query v4 servers.
See for instance [DNS-opreq] and [DNS-proxy] for more detailed
discussions.
4.3. Policy based avoidance of fragmentation.
Today there are only a limited number of DNS zones on the public
Internet that are only available over v6 transport, and they can
mostly be regarded as "experimental". However, as soon as there is
a root name server available over v6 transport it is reasonable to
expect that it will become more common with v6-only zones over
time.
Such a development would erode the Internet namespace as viewed
from an v4-only client. There are obviously strong reasons to find
a mechanism to avoid this happening.
4.3.1. Requirement of zone reachability over IPv4 transport.
To ensure that all zones remain available over IPv4 transport one
method would be to require that nameservers authoritative for a
zone as part of the zone validation process ensure that there are
IPv4 address records available for the name servers of any child
delegations within the zone).
I.e. the future policy could be:
"Every delegation point delegated to nameservers available
over v6 transport should have the same availability
requirements for servers over both v4 and v6 transport as v4
only zones have over v4 transport.
I.e. if the parent requires "multiple nameservers" for a child,
then the requirement becomes "multiple nameservers available over
v4 transport plus multiple nameservers available over v6 transport"
I.e. for given the domain EXAMPLE.COM with the following data
$ORIGIN example.com.
child.example.com. IN NS ns.example.com.
child.example.com. IN NS dns.autonomica.se.
ns.example.com. IN A 1.2.3.4
the delegation of CHILD.EXAMPLE.COM is to the two name servers
"ns.example.com" and "dns.autonomica.se". The first name server,
"ns.example.com", obviously has an IPv4 address (as shown by the
"glue" record on the last line).
However, "ns.example.com" may have additional addresses assiciated
with it. Also there is no way for the server loading the zone to
know the address(es) of "dns.autonomica.se". Therefore, to find out
all the publicly available addresses they have to be queried for.
To ensure this the authoritative server will have to lookup the
address records of the name servers that are part of any
"delegation" points in the zone. However, this operation is very
costly for large, delegation-dense zones and therefore it is likely
that compromises a la
* only validate on the master (this is likely always good practice)
* validate as an offline process (i.e. not part of the zone loading)
* only validate at time of delegation
* never validate
Clearly, as validation is relaxed the amount of errors will
increase, so the sum of pain as usual remains mostly constant.
4.3.2. Zone validation for non-recursive servers.
Non-recursive authoritative servers are name servers that run
without ever asking questions. A change in the zone validation
requirements that force them to query for the addresses of name
servers that are part of delegations in the zone change this, since
they now have to query for these addresses.
However, the main reason that it is important to be able to run
without asking questions is to avoid "caching" possibly bogus
answers. This need can be managed by requiring that a non recursive
name server throw away the looked up address information after
having used it for validation of the delegations in the zone.
4.3.3. Future requirement of zone reachability over IPv6 transport.
The immediate need for clarified policies for delegation is to
ensure that IPv4 namespace does not start to fragment. Over time,
however, it is reasonable to expect that it may become important to
add a similar requirement to IPv6 namespace.
I.e. an even more refined policy possible at some point in the
future would be:
"Every delegation point should have at least one name server
for the child zone reachable over IPv4 transport (i.e. should
have an A record) and at least one name server reachable over
IPv6 transport (i.e. should have e.g. an AAAA record)".
4.3.4. Implementation issues for new zone validation requirements.
Exactly what action should be taken when a zone does not validate
is not immediately clear. Immediate alternatives include:
a) fail the entire parent zone (the extreme case, not suggested)
b) load the zone but remove the delegation that failed validation
(also drastic, and not suggested)
c) load the entire zone but issue a warning message about the
delegation that failed validation (more reasonable)
Implementations should make it configurable what action to take. In
the case of registries that have a business realtion to the child
zone it is also in principle possible to work on the deployment of
child zones over v6 transport by cost diffentiation for the
customer.
5. Overview of suggested transition method.
By following the steps outlined below it will be possible to
transition without outages or lack of service. The assumption is
that the site has only v4 name servers or possibly v4 name servers
plus v6 name server in a forwarding configuration. All DNS data is
on the v4 name servers.
1) Do not change the method of resolution on any (recursive) name
server. I.e. v4 servers go to the root and follow referrals
while v6 servers go to their translator/forwarder which lookup
the name and return the end result.
2) Start serving authoritative DNS data on v6 transport by
providing name servers with v6 transport serving the zones. Add
v6 address information to to the zones and as glue at the parent
zone. Note that it is of crucial importance that the zone should
have the same contents regardless of whether it is the v4
version or the v6 version. Anything else will lead to confusion.
4) Wait for the announcement of the DNS root zone being available
from a v6 name server.
5) Ensure that the entire path from the root down to the domain in
question is reachable over both IPv4 and IPv6 transport.
When this is accomplished it it possible to begin a migration of
the lookup of selected services to be available over IPv6
(i.e. typically by adding a IPv6 address record, eg. AAAA record,
for a server of some sort).
6. Security Considerations
Much of the security of the Internet relies, often wrongly, but
still, on the DNS. Thus, changes to the characteristics of the DNS
may impact the security of Internet based services.
Although it will be avoided, there may be unintended consequences
as a result of operational deployment of RR types and protocols
already approved by the IETF. When or if such consequences are
identified, appropriate feedback will be provided to the IETF and
the operational community on the efficacy of said interactions.
7. Summary.
The namespace fragmentation problem is identified and examined at
some length.
A solution based upon a change in the validation method of
delegation points is suggested. This will both help keep the v4
namespace unfragmented and may also help speed up deployment of
DNS hierarchy in v6 space.
9. References
[RFC1034] Domain names - concepts and facilities.
P.V. Mockapetris.
[RFC1035] Domain names - implementation and specification.
P.V. Mockapetris.
[RFC2826] IAB Technical Comment on th Unique DNS Root
[DNS-proxy] draft-durand-dns-proxy-00.txt
Alain Durand
[DNS-opreq] draft-ietf-ngtrans-dns-ops-req-02.txt
Alain Durand
A. Authors' Address
Johan Ihren
Autonomica
Bellmansgatan 30
SE-118 47 Stockholm, Sweden
johani@autonomica.se
View Git Blame Copy Permalink