draft-ietf-dnsop-ipv6-dns-issues-02.txt

bind-3.2.

Internet Engineering Task Force                     Alain Durand
INTERNET-DRAFT                             SUN Microsystems,inc.
Feb, 27, 2003                                        Johan Ihren
Expires August, 28, 2003                              Autonomica


                       IPv6 DNS transition issues
               <draft-ietf-dnsop-ipv6-dns-issues-02.txt>



Status of this memo

   This memo provides information to the Internet community. It does not
   specify an Internet standard of any kind. This memo is in full
   conformance with all provisions of Section 10 of RFC2026

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet- Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html



Abstract

   This memo summarizes DNS related issues when transitioning a network
   to IPv6. Consensus and open issues are presented.



1. Representing IPv6 addresses in DNS records

   In the direct zones, according to [RFC3363], IPv6 addresses are
   represented using AAAA records [RFC1886].  In the reverse zone, IPv6
   addresses are represented using PTR records in nibble format under
   the ip6.arpa. tree [RFC3152].



2. IPv4/IPv6 name space

2.1 Terminology

   The phrase "IPv4 name server" indicates a name server available over
   IPv4 transport. It does not imply anything about what DNS data is
   served. Likewise, "IPv6 name server" indicates a name server
   available over IPv6 transport.


2.2. Introduction to the problem of name space fragmentation:
     following the referral chain

   The caching resolver that tries to lookup a name starts out at the
   root, and follows referrals until it is referred to a nameserver that
   is authoritative for the name.  If somewhere down the chain of
   referrals it is referred to a nameserver that is only accessible over
   a type of transport that is unavailable, a traditional nameserver is
   unable to finish the task.

   When the Internet moves from IPv4 to a mixture of IPv4 and IPv6 it is
   only a matter of time until this starts to happen and the complete
   DNS hierarchy starts to fragment into a graph where authoritative
   nameservers for certain nodes are only accessible over a certain
   transport. What is feared is that a node using only a particular
   version of IP, querying information about another node using the same
   version of IP can not do it because, somewhere in the chain of
   servers accessed during the resolution process, one or more of them
   will only be accessible with the other version of IP.

   With all DNS data only available over IPv4 transport everything is
   simple. IPv4 resolvers can use the intended mechanism of following
   referrals from the root and down while IPv6 resolvers have to work
   through a "translator", i.e. they have to use a second name server on
   a so-called "dual stack" host as a "forwarder" since they cannot
   access the DNS data directly.

   With all DNS data only available over IPv6 transport everything would
   be equally simple, with the exception of old legacy IPv4 name servers
   having to switch to a forwarding configuration.

   However, the second situation will not arise in a foreseeable time.
   Instead, it is expected that the transition will be from IPv4 only to
   a mixture of IPv4 and IPv6, with DNS data of theoretically three
   categories depending on whether it is available only over IPv4
   transport, only over IPv6 or both.

   The latter is the best situation, and a major question is how to
   ensure that it as quickly as possible becomes the norm. However,
   while it is obvious that some DNS data will only be available over v4
   transport for a long time it is also obvious that it is important to
   avoid fragmenting the name space available to IPv4 only hosts. I.e.
   during transition it is not acceptable to break the name space that
   we presently have available for IPv4-only hosts.


2.3 Policy based avoidance of name space fragmentation.

   Today there are only a few DNS "zones" on the public Internet that
   are  available over IPv6 transport, and they can mostly be regarded
   as "experimental". However, as soon as there is a root name server
   available over IPv6 transport it is reasonable to expect that it will
   become more common to have zones served by IPv6 servers over time.

   Having those zones served only by IPv6-only name server would not be
   a good development, since this will fragment the previously
   unfragmented IPv4 name space and there are strong reasons to find a
   mechanism to avoid it.

   The RECOMMENDED approach to maintain name space continuity is to use
   administrative policies:
      - every recursive DNS server SHOULD be either IPv4-only or dual
      stack,
      - every single DNS zone SHOULD be served by at least one IPv4
      reachable DNS server.

   This rules out IPv6-only recursive DNS servers and DNS zones served
   only by IPv6-only DNS servers. This approach could be revisited
   if/when translation techniques between IPv4 and IPv6 were to be
   widely deployed.

   In order to enforce the second point, the zone validation process
   SHOULD ensure that there is at least one IPv4 address record
   available for the name servers of any child delegations within the
   zone.



3. Local Scope addresses.

   [IPv6ADDRARCH] define three scopes of addresses, link local, site
   local and global.

3.1 Link local addresses

   Local addresses SHOULD NOT be published in the DNS, neither in the
   forward tree nor in the reverse tree.


3.2 Site local addresses

      Note: There is an ongoing discussion in the IPv6 wg on the
      usefulness of site local addresses that may end up deprecating or
      limiting the use of Site Local addresses.


   Site local addresses are an evolution of private addresses [RFC1918]
   in IPv4.  The main difference is that, within a site, nodes are
   expected to have several addresses with different scopes. [ADDRSELEC]
   recommends to use the lowest possible scope possible for
   communications. That is, if both site local & global addresses are
   published in the DNS for node B, and node A is configured also with
   both site local & global addresses, the communication between node A
   and B has to use site local addresses.

   For reasons illustrated in [DontPublish], site local addresses SHOULD
   NOT be published in the public DNS.  They MAY be published in a site
   view of the DNS if two-face DNS is deployed.

   For a related discussion on how to handle those "local" zones, see
   [LOCAL].


3.3 Reverse path DNS for site local addresses.

   The main issue is that the view of a site may be different on a stub
   resolver and on a fully recursive resolver it points to.  A simple
   scenario to illustrate the issue is a home network deploying site
   local addresses. Reverse DNS resolution for site local addresses has
   to be done within the home network and the stub resolver cannot
   simply point to the ISP DNS resolver.

   Site local addresses SHOULD NOT be populated in the public reverse
   tree.  If two-face DNS is deployed, site local addresses MAY be
   populated in the local view of reverse tree.



4. Automatic population of the Reverse path DNS

   Getting the reverse tree DNS populated correctly in IPv4 is not an
   easy exercise and very often the records are not really up to date or
   simply are just not there. As IPv6 addresses are much longer than
   IPv4 addresses, the situation of the reverse tree DNS will probably
   be even worse.

   A fairly common practice from IPv4 ISP is to generate PTR records for
   home customers automatically from the IPv4 address itself. Something
   like:

      1.2.3.4.in-addr.arpa. IN PTR 4.3.2.1.local-ISP.net

   It is not clear today if something similar need to be done in IPv6,
   and, if yes, what is the best approach to this problem.

   As the number of possible PTR records would be huge (2^80) for a /48
   prefix, a possible solution would be to use wildcards entries like:

      *.0.1.2.3.4.5.6.7.8.9.a.b.c.ip6.arpa. IN PTR customer-42.local-
      ISP.net

   However, the use of wildcard is generally discouraged and this may
   not be an acceptable solution.

   An alternative approach is to dynamically synthetize PTR records,
   either on the server side or on the resolver side. This approach is
   discussed at length in [DYNREVERSE].

   Other solutions like the use of ICMP name lookups [ICMPNL] have been
   proposed but failed to reach consensus. It would work if and only the
   remote host is reachable at the time of the request and one can
   somehow trust the value that would be returned by the remote host.
   the

   A more radical approach would be not to pre-populate the reverse tree
   at all.  This approach claims that applications that misuse reverse
   DNS for any kind of access control are fundamentally broken and
   should be fixed without introducing any kludge in the DNS. There is a
   certain capital of sympathy for this, however, ISP who who pre-
   generate statically PTR records for their IPv4 customers do it for a
   reason, and it is unlikely that this reason will disappear with the
   introduction of IPv6.



5. Privacy extension addresses

   [RFC3041] defines privacy extensions for IPv6 stateless
   autoconfiguration where the interface ID is a random number. As those
   addresses are designed to provide privacy by making it more difficult
   to log and trace back to the user, it makes no sense to in the
   reverse tree DNS to have them pointing to a real name.

   [RFC3041] type addresses SHOULD NOT be published in the reverse tree
   DNS pointing to meaningful names. A generic, catch-all name MAY be