6to4 in Internet aaaa records

2014-10-02 Thread Ca By
Folks,

What is the general impression of 6to4 addresses in AAAA records?

I recently had a customer complain about this situation, and I am not sure,
as a service provider, how to deal with it.

From my home Comcast connection with real full dual-stack, I get this:

cbyrne@ ~ $ wget -6 www.azdes.gov
--2014-10-02 19:19:48--  http://www.azdes.gov/
Resolving www.azdes.gov (www.azdes.gov)... 2002::cf6c:8846
Connecting to www.azdes.gov (www.azdes.gov)|2002::cf6c:8846|:80... failed:
Connection timed out.
Retrying.

and from another cloud server with real dual-stack, I get the same thing:

[cbyrne@ ~]$ wget -6  http://www.azdes.gov/
--2014-10-02 19:23:00--  http://www.azdes.gov/
Resolving www.azdes.gov (www.azdes.gov)... 2002::cf6c:8846
Connecting to www.azdes.gov (www.azdes.gov)|2002::cf6c:8846|:80... failed:
Host is down.
Retrying.


Re: 6to4 in Internet aaaa records

2014-10-02 Thread Jeroen Massar
On 2014-10-02 22:24, Ca By wrote:
> Folks,
>
> What is the general impression of 6to4 addresses in AAAA records?
>
> I recently had a customer complain about this situation, and I am not
> sure, as a service provider, how to deal with it.
>
> From my home Comcast connection with real full dual-stack, I get this:
>
> cbyrne@ ~ $ wget -6 www.azdes.gov
> --2014-10-02 19:19:48--  http://www.azdes.gov/
> Resolving www.azdes.gov (www.azdes.gov)... 2002::cf6c:8846

That is an invalid 6to4 address as it would have a 6to4 gateway of 0.0.0.0.

One would think with all the IPv6 consultants in the US, that .gov
agencies would be able to get that part right...

Though, better point out to them that 6to4 is a bad idea in general anyway.

I would not be surprised if the DNS solution generated that broken
address though, as cf6c:8846 does map to 207.108.136.70, which matches the
A record.

Greets,
 Jeroen



Re: 6to4 in Internet aaaa records

2014-10-02 Thread Ca By
On Thu, Oct 2, 2014 at 7:47 PM, Jeroen Massar <jer...@massar.ch> wrote:

> On 2014-10-02 22:37, Ca By wrote:
> [..]
>> Yes, I think .gov requires AAAA records.  So it looks like DNS admins
>> are generating AAAA records that ultimately break connectivity.
>>
>> Back to my question, should there be an RFC generated that advises
>> network admins to only put native natural addresses in DNS for anything
>> that is supposed to be production grade and routed across the Internet?
>>
>> Meaning:
>>
>> 1.  Only make AAAA records from 2000::/3
>
> 2002::/16 (6to4) is part of that.
>
>> 2.  Do not make AAAA records with 6to4 addresses
>
> See http://tools.ietf.org/html/rfc6343
> and of course also:
>  http://tools.ietf.org/html/draft-ietf-v6ops-6to4-to-historic-05
>  (though that technically expired).


From my reading of RFC6343 it is not clearly stated that one should not
produce AAAA records with 6to4 addresses.  The wording is unclear IMHO.


> Except for quick tests, doing anything with 6to4 is futile.


Fully agree on that, 6to4 is the worst and the fact that it was not made
historic is a shame.


> Clearly though in this case the address never worked. Can't fix problems
> between chair and keyboard with documents.


Fair


>> 3.  Do not make AAAA records with NAT64 WKP 64:ff9b::/96 (saw this last
>> week)

> One can stuff whatever one wants in DNS, if it breaks though that is the
> problem of the operator.
>
> Greets,
>  Jeroen



Therein lies the problem.  I have received escalations in the last few
days on my eyeball network regarding Internet servers with 6to4 in DNS and
NAT64 WKP in DNS.  In the WKP case, the server operator read the RFCs and
tried to persuade me, from his understanding of those RFCs, that I should
route and support WKP to my NAT64 and that he was doing the right thing by
putting the WKP as an RR in his DNS files.
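Jeroen's diagnosis earlier in the thread (the A record's IPv4 address landed in the low 32 bits of 2002::cf6c:8846 instead of bits 16-47, so the implied 6to4 gateway is 0.0.0.0) and the three AAAA hygiene rules proposed in this message can both be checked mechanically. The Python below is an added example, not code from anyone in the thread: it decodes the 6to4 gateway per the RFC 3056 layout (2002:WWXX:YYZZ::/48), shows how the broken record was most likely derived from the A record, and lints candidate AAAA values against 2002::/16, the NAT64 WKP 64:ff9b::/96 and 2000::/3, the way a provider-side zone check would. Only the standard library is used; the reason strings are my own wording.

```python
import ipaddress

# Prefixes named in the thread: global unicast, 6to4 (RFC 3056) and the
# NAT64 well-known prefix (RFC 6052).
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
SIXTO4 = ipaddress.IPv6Network("2002::/16")
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")


def sixto4_gateway(addr):
    """Return the IPv4 gateway embedded in a 6to4 address, or None.

    RFC 3056 layout is 2002:WWXX:YYZZ:SLA::/64: the IPv4 address sits in
    bits 16-47 from the top, i.e. bit positions 111..80 of the integer.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def low32_as_ipv4(addr):
    """Interpret the low 32 bits as IPv4.  For 2002::cf6c:8846 this yields
    the A record, which is how the broken AAAA was most likely generated."""
    return ipaddress.IPv4Address(int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFF)


def sixto4_prefix_for(ipv4):
    """Build the 6to4 /48 a site behind this public IPv4 address would use."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def check_aaaa(addr):
    """Lint one AAAA value for a public production service: (ok, reason)."""
    a = ipaddress.IPv6Address(addr)
    if a in NAT64_WKP:
        return False, "NAT64 WKP 64:ff9b::/96 only has meaning inside a network running NAT64"
    if a in SIXTO4:
        gw = sixto4_gateway(a)
        if gw == ipaddress.IPv4Address("0.0.0.0"):
            return False, "6to4 address with gateway 0.0.0.0 (IPv4 embedded in the wrong bits)"
        if not gw.is_global:
            return False, f"6to4 address via non-public gateway {gw}"
        return False, f"6to4 address via {gw}; unreliable for production (RFC 6343)"
    if a not in GLOBAL_UNICAST:
        return False, "outside global unicast 2000::/3"
    return True, "native global unicast"
```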


Re: 6to4 in Internet aaaa records

2014-10-02 Thread Erik Kline

> Therein lies the problem.  I have received escalations in the last few
> days on my eyeball network regarding Internet servers with 6to4 in DNS and
> NAT64 WKP in DNS.  In the WKP case, the server operator read the RFCs and
> tried to persuade me, from his understanding of those RFCs, that I should
> route and support WKP to my NAT64 and that he was doing the right thing by
> putting the WKP as an RR in his DNS files.


That is hilariously evil...awesome.  The *64 docs should have made some
mention about not using the WKP globally.


Re: 6to4 in Internet aaaa records

2014-10-02 Thread Brian E Carpenter
On 03/10/2014 15:58, Ca By wrote:
> On Thu, Oct 2, 2014 at 7:47 PM, Jeroen Massar <jer...@massar.ch> wrote:
>
>> On 2014-10-02 22:37, Ca By wrote:
>> [..]
>>> Yes, I think .gov requires AAAA records.  So it looks like DNS admins
>>> are generating AAAA records that ultimately break connectivity.
>>>
>>> Back to my question, should there be an RFC generated that advises
>>> network admins to only put native natural addresses in DNS for anything
>>> that is supposed to be production grade and routed across the Internet?
>>>
>>> Meaning:
>>>
>>> 1.  Only make AAAA records from 2000::/3
>> 2002::/16 (6to4) is part of that.
>>
>>> 2.  Do not make AAAA records with 6to4 addresses
>> See http://tools.ietf.org/html/rfc6343

To save looking-up effort, here's what it says:

4.2.4. DNS Issues

   A customer who is intentionally using 6to4 may also need to create
   AAAA records, and the operator should be able to support this, even
   if the DNS service itself runs exclusively over IPv4.  However,
   customers should be advised to consider carefully whether their 6to4
   service is sufficiently reliable for this.

   Operators could, in principle, offer reverse DNS support for 6to4
   users [RFC5158], although this is not straightforward for domestic
   customers.

The point is that if you are crazy enough to rely on 6to4 to offer
IPv6 service, as it seems the people at www.azdes.gov are, you must
of course have a stable 6to4 server and provide a DNS entry,
and a reverse entry (RFC 5158) too. But as the rest of RFC 6343
should tell you, you really would have to be crazy.

I have to say that this deployment seems to be broken in a way
that we didn't even imagine when writing RFC 6343, yet it does
have stable, reliable DNS service ;-).

>> and of course also:
>>  http://tools.ietf.org/html/draft-ietf-v6ops-6to4-to-historic-05
>>  (though that technically expired).

3 years ago that seemed premature. With recent progress in real IPv6,
I'm wondering whether it isn't time to revive it. If so, it should be
changed to be a BCP that says "Don't do this" and also makes
the proposed standard drafts Historic.

But we do hear persistently that there are happy hobbyist and peer-to-peer
users of 6to4. Using it to offer web service for the Arizona Department of
Economic Security is so wrong, though.

> From my reading of RFC6343 it is not clearly stated that one should not
> produce AAAA records with 6to4 addresses.  The wording is unclear IMHO.

No, it is intended to say that if you insist on using 6to4, you *need*
stable DNS service and possibly reverse DNS.

   Brian

 
>> Except for quick tests, doing anything with 6to4 is futile.
>
> Fully agree on that, 6to4 is the worst and the fact that it was not made
> historic is a shame.
>
>> Clearly though in this case the address never worked. Can't fix problems
>> between chair and keyboard with documents.
>
> Fair
>
>>> 3.  Do not make AAAA records with NAT64 WKP 64:ff9b::/96 (saw this last
>>> week)
>> One can stuff whatever one wants in DNS, if it breaks though that is the
>> problem of the operator.
>>
>> Greets,
>>  Jeroen
>
> Therein lies the problem.  I have received escalations in the last few
> days on my eyeball network regarding Internet servers with 6to4 in DNS and
> NAT64 WKP in DNS.  In the WKP case, the server operator read the RFCs and
> tried to persuade me, from his understanding of those RFCs, that I should
> route and support WKP to my NAT64 and that he was doing the right thing by
> putting the WKP as an RR in his DNS files.