Tip of the Trade: IPv6 and Wise DNS Configuration

Tuesday Jan 22nd 2008 by Carla Schroder

In two weeks, DNS servers will support IPv6 hosts connecting directly across the Internet without an IPv4 infrastructure buffer. What does this mean for you, and what steps can you take to ensure reliable DNS performance?

At long last, four of the root DNS servers will support IPv6. As of February 4, 2008, they will support AAAA records, which means two IPv6 hosts can connect across the Internet without having to rely on any IPv4 infrastructure, such as IPv6-over-IPv4 tunnels and tunnel brokers. Five of the root servers — B, F, H, K and M — have actually had IPv6 support for some time now. However, these were not published to the official root hints file and are not yet included in the root zone file. This will change on February 4.

Various "gotchas" delayed this from happening earlier, and DNS admins still must resolve them. One concern was the size of DNS messages. Under IPv4, they fit comfortably into 512-byte UDP datagrams, and if a DNS message exceeds that size, it's probably a misconfiguration. RFC 1035 specifies a maximum UDP-encapsulated DNS message size of 512 bytes, so although UDP datagrams can be much larger, the DNS protocol is not allowed to use larger sizes. A certain kind of IPv6 DNS message can grow as large as 811 bytes — the priming exchange message. This is the response a resolving DNS server receives when it fetches the current list of root DNS servers from the roots themselves instead of relying only on its local hints file. As IPv6 addresses are much larger than v4, only two v6 addresses can be added to the priming exchange without going over 512 bytes — with just the 13 IPv4 server addresses it's 400 bytes. When you include 13 additional IPv6 addresses, it totals 811 bytes.

Most DNS servers are capable of handling these larger messages by transporting them over TCP instead of UDP, although some admins are clinging to some seriously old servers. The worst that can happen is they will not be able to resolve IPv6 addresses, but it is the 21st century, after all, so it really is time to upgrade.
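The size arithmetic above, as an added worked example that is not part of the original article: a small RFC 1035 wire-format encoder builds the root priming response with 13 NS records, 13 A glue records and a chosen number of AAAA glue records, then reports the message size and whether a classic 512-byte UDP responder would have to truncate it (TC bit set, so the resolver retries over TCP) or whether an EDNS0 OPT record advertising a larger buffer lets the whole answer travel over UDP. The server addresses are constructed placeholders, and exact totals depend on how a responder applies name compression, so they need not match the article's figures byte for byte.

```python
import struct

# Constructed example data: real root addresses are not the point here.
ROOT_SERVERS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]
CLASSIC_UDP_LIMIT = 512          # RFC 1035 limit for DNS over UDP without EDNS0
TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT = 1, 2, 28, 41
CLASS_IN = 1
TTL = 3600000                    # constructed TTL, only affects nothing size-wise


class WireBuilder:
    """Minimal RFC 1035 message encoder with label compression (section 4.1.4)."""

    def __init__(self):
        self.buf = bytearray()
        self.seen = {}           # domain-name suffix -> offset of its first copy

    def name(self, dname):
        labels = [l for l in dname.rstrip(".").split(".") if l]
        while labels:
            suffix = ".".join(labels)
            if suffix in self.seen:  # already encoded once: emit a 2-byte pointer
                self.buf += struct.pack("!H", 0xC000 | self.seen[suffix])
                return
            self.seen[suffix] = len(self.buf)
            self.buf += bytes([len(labels[0])]) + labels[0].encode("ascii")
            labels = labels[1:]
        self.buf += b"\x00"      # zero-length root label terminates the name

    def rr(self, owner, rtype, rdata_fn):
        """Append one resource record; rdata_fn writes the RDATA into self.buf."""
        self.name(owner)
        self.buf += struct.pack("!HHI", rtype, CLASS_IN, TTL)
        len_pos = len(self.buf)
        self.buf += b"\x00\x00"  # RDLENGTH placeholder, patched below
        start = len(self.buf)
        rdata_fn()
        struct.pack_into("!H", self.buf, len_pos, len(self.buf) - start)


def priming_response(n_aaaa, edns0_bufsize=None):
    """Root priming response: 13 NS in the answer section, 13 A glue and
    n_aaaa AAAA glue records in the additional section, optional OPT record."""
    w = WireBuilder()
    n_additional = 13 + n_aaaa + (1 if edns0_bufsize else 0)
    # Header: id, flags (QR|AA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    w.buf += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 13, 0, n_additional)
    w.name(".")                                   # question: ". IN NS"
    w.buf += struct.pack("!HH", TYPE_NS, CLASS_IN)
    for srv in ROOT_SERVERS:
        w.rr(".", TYPE_NS, lambda s=srv: w.name(s))
    for i, srv in enumerate(ROOT_SERVERS):        # constructed 192.0.2.x glue
        w.rr(srv, TYPE_A, lambda i=i: w.buf.extend(bytes([192, 0, 2, i + 1])))
    for i, srv in enumerate(ROOT_SERVERS[:n_aaaa]):  # constructed 2001:db8::x glue
        w.rr(srv, TYPE_AAAA,
             lambda i=i: w.buf.extend(b"\x20\x01\x0d\xb8" + bytes(11) + bytes([i + 1])))
    if edns0_bufsize:
        # EDNS0 OPT pseudo-RR: owner ".", the CLASS field carries the UDP payload size
        w.buf += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns0_bufsize, 0, 0)
    return bytes(w.buf)


def response_size(n_aaaa, edns0_bufsize=None):
    return len(priming_response(n_aaaa, edns0_bufsize))


def max_aaaa_within(limit=CLASSIC_UDP_LIMIT):
    """How many AAAA glue records fit before the response exceeds `limit` bytes."""
    return max(n for n in range(14) if response_size(n) <= limit)


def udp_delivery(n_aaaa, client_bufsize=None):
    """How a responder delivers the message: ('udp', size) when it fits the
    client's limit, else ('truncate-retry-tcp', size) meaning TC=1 is set and
    the resolver must repeat the query over TCP to get the full answer."""
    limit = client_bufsize or CLASSIC_UDP_LIMIT
    size = response_size(n_aaaa, client_bufsize)
    return ("udp", size) if size <= limit else ("truncate-retry-tcp", size)


if __name__ == "__main__":
    for n in (0, 2, 3, 13):
        print(f"{n:2d} AAAA glue records -> {response_size(n)} bytes, "
              f"classic client: {udp_delivery(n)[0]}")
    print("AAAA records that fit in 512 bytes:", max_aaaa_within())
    print("all 13 AAAA with EDNS0 4096-byte buffer:", udp_delivery(13, 4096))
```

With this encoder the IPv4-only response comes to 436 bytes, two AAAA records bring it to 492, a third pushes it past 512, and all 13 AAAA records plus the OPT record give 811 bytes, which an EDNS0-capable client accepts over UDP while a classic client gets a truncated answer and falls back to TCP. A firewall that blocks TCP/53 or drops UDP datagrams over 512 bytes therefore breaks priming for exactly the servers the article is about.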

You can improve your own odds of reliable DNS performance with a few simple actions. Make sure you have both A and AAAA records for your own domains, and make sure your own routers, network interfaces and firewalls support IPv6 and are configured correctly.

Read Accommodating IP Version 6 Address Resource Records for the Root of the Domain Name System for more information. For help with testing your own setup, see Testing Firewalls for IPv6 and EDNS0 Support.

