Internet DRAFT - draft-jiang-dnsext-a6-to-historic

draft-jiang-dnsext-a6-to-historic



Network Working Group                                         S. Jiang 
Internet Draft                            Huawei Technologies Co., Ltd 
Intended status: Informational                               D. Conrad 
Updates: 2874, 3363                                   Cloudflare, Inc. 
Expires: March 23, 2012                                   B. Carpenter 
                                                     Univ. of Auckland 
                                                    September 20, 2011 
                                    
                      Moving A6 to Historic Status 
                draft-jiang-dnsext-a6-to-historic-00.txt 


Status of this Memo 

   This Internet-Draft is submitted in full conformance with the 
   provisions of BCP 78 and BCP 79. 

   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF). Note that other groups may also distribute working 
   documents as Internet-Drafts. The list of current Internet-Drafts is 
   at http://datatracker.ietf.org/drafts/current/. 

   Internet-Drafts are draft documents valid for a maximum of six months 
   and may be updated, replaced, or obsoleted by other documents at any 
   time. It is inappropriate to use Internet-Drafts as reference 
   material or to cite them other than as "work in progress." 

   This Internet-Draft will expire on March 23, 2012. 

Copyright Notice 

   Copyright (c) 2011 IETF Trust and the persons identified as the 
   document authors.  All rights reserved. 

   This document is subject to BCP 78 and the IETF Trust's Legal 
   Provisions Relating to IETF Documents 
   (http://trustee.ietf.org/license-info) in effect on the date of 
   publication of this document. Please review these documents 
   carefully, as they describe your rights and restrictions with respect 
   to this document. Code Components extracted from this document must 
   include Simplified BSD License text as described in Section 4.e of 
   the Trust Legal Provisions and are provided without warranty as 
   described in the Simplified BSD License. 






 
 
 
Jiang                  Expires March 23, 2012                 [Page 1] 

Internet-Draft    draft-jiang-dnsext-a6-to-historic      September 2011 
    

 

    

Abstract 

   This document provides a summary of issues and discusses the current 
   usage status of A6 DNS records and moves the A6 specifications to 
   Historic status, providing clarity to implementers and operators. 

Table of Contents 

   1. Introduction & Background .................................... 3 
   2. A6 Issues .................................................... 3 
      2.1. Resolution Latency ...................................... 4 
      2.2. Resolution failure ...................................... 4 
      2.3. Cross administration domains ............................ 4 
      2.4. Difficult Maintenance ................................... 5 
      2.5. Existence of Multiple RR Types for one Purpose is Harmful 5 
      2.6. Higher Security Risks ................................... 5 
   3. Status of A6 current usage ................................... 5 
      3.1. Reasons for Current A6 Usage ............................ 6 
   4. Moving A6 to Historic Status ................................. 6 
      4.1. Impact on Current A6 Usage .............................. 6 
      4.2. Transition phase for current A6 ......................... 6 
   5. Security Considerations ...................................... 7 
   6. IANA Considerations .......................................... 7 
   7. Acknowledgments .............................................. 7 
   8. References ................................................... 7 
      8.1. Normative References .................................... 7 
      8.2. Informative References .................................. 7 
   Author's Addresses .............................................. 8 
    













 
 
Jiang                  Expires March 23, 2012                 [Page 2] 

Internet-Draft    draft-jiang-dnsext-a6-to-historic      September 2011 
    

    

1. Introduction & Background 

   The IETF began the process of standardizing two different DNS 
   protocol enhancements for IPv6 addresses in DNS (Domain Name System) 
   records: AAAA [RFC3596] in 1995 [RFC1886] and A6 [RFC2874] in 2000. 
   Both protocol enhancements reached Proposed Standard status. 

   The existence of multiple ways of representing IPv6 address in the 
   DNS has led to confusion and conflicts about which of these protocol 
   enhancements should be implemented and/or deployed. Having more than 
   one choice of how IPv6 addresses are to be represented within the DNS 
   can be argued to have led to delays in the deployment of IPv6. In 
   2002, "Representing IPv6 Addresses in the DNS" [RFC3363] moved A6 to 
   Experimental status, with an aim to clear up any confusion in this 
   area. [RFC3363] and [RFC3364] compared AAAA and A6, and examined many 
   of the issues in the A6 standard, these issues being summarized in 
   this document. 

   However, after ten years, the Experimental status of A6 has resulted 
   in continued confusion and parallel deployment of both A6 and AAAA, 
   albeit AAAA predominates by a large degree. Even in recent IPv6 
   transition tests and deployments, some providers informally mentioned 
   A6 support as a possible future choice. 

   This document provides a brief summary of the issues related to the 
   use of A6 recprds and discusses the current usage status of A6. Given 
   the implications of A6 on the DNS architecture and the state of A6 
   deployment, this document moves the A6 specifications to Historic 
   status, thereby clarifying that implementers and operators should 
   represent IPv6 addresses in the DNS only by using AAAA records. 

   1.1 Standards Action Taken 

   This document requests the IESG to change the status of RFC 2874 from 
   Experimental to Historic. 

2. A6 Issues 

   This section summarizes the known issues associated with the use of 
   A6 resource records, including the analyses explored in [RFC3363]. 
   The reader is encouraged to review that document to fully understand 
   the issues relating to A6. 



 
 
Jiang                  Expires March 23, 2012                 [Page 3] 

Internet-Draft    draft-jiang-dnsext-a6-to-historic      September 2011 
    

2.1. Resolution Latency 

   Resolving an A6 Record chain can involve resolving a series of sub-
   queries that are likely to be independent of each other. Each of 
   these sub-queries takes a non-negligible amount of time unless the 
   answer already happens to be in the resolver's cache. The worst-case 
   time resolving a N-link chain A6 record would be the sum of the 
   latency resulting from each of the N resolutions. As a result, long 
   A6 chains would be likely to increase user frustration due to 
   excessive waiting times for domain names to resolve. 

   In practice, it is very hard to derive a reasonable timeout handling 
   strategy for the reassembly of all the results from A6 sub-queries. 
   It is proved difficult to decide multiple timeout parameters, 
   including (1) the communication timeout for a single A6 fragment, (2) 
   the communication timeout for the IPv6 address itself (total time 
   needed for reassembly) and (3) the TTL timeout for A6 fragment 
   records. 

2.2. Resolution Failure 

   The probability of A6 resolution failure during the process of 
   resolving an N-link A6 chain is sum of the probabilities of failure 
   of each sub-query, since each of the queries involved in resolving an 
   A6 chain has a non-zero probability of failure and an A6 resolution 
   cannot complete until all sub-queries have succeeded. 

   Furthermore, the failure may happen at any link among 1~N of a N-Link 
   A6 chain. Therefore, it would take an indeterminate time to return a 
   failure result. 

2.3. Cross Administrative Domains 

   One of the primary motivations for the A6 RR was to facilitate 
   renumbering and multihoming, where the prefix name field in the A6 RR 
   points to a target that is not only outside the DNS zone containing 
   the A6 RR, but is administered by a different organization entirely. 

   While pointers out of zone are not a problem per se, experience both 
   with glue RRs and with PTR RRs in the IN-ADDR.ARPA tree suggests that 
   pointers to other organizations are often not maintained properly, 
   perhaps because they're less amenable to automation than pointers 
   within a single organization would be. 




 
 
Jiang                  Expires March 23, 2012                 [Page 4] 

Internet-Draft    draft-jiang-dnsext-a6-to-historic      September 2011 
    

2.4. Difficult Maintenance 

   In A6, changes to components of an RR are not isolated from the use 
   of the composite IPv6 address. Any change to a non-128-bit component 
   of an A6 RR may cause change to a large number of IPv6 addresses. The 
   dependence relationship actually makes the maintenance of addresses 
   much more complicated and difficult. Without understanding these 
   complicated relationships, any arbitrary change for a non-128-bit A6 
   RR component may result in undesired consequences. 

   Multiple correlative sub-components of A6 records may have different 
   TTLs, which can make cache maintenance very complicated. 

2.5. Existence of Multiple RR Types for one Purpose is Harmful 

   If both AAAA and A6 records were widely deployed in the global DNS, 
   it would impose more query delays to the client resolvers. DNS 
   clients have insufficient knowledge to choose between AAAA and A6 
   queries, requiring local policy to determine which record type to 
   query. If local policy dictates parallel queries for both AAAA and A6 
   and if those queries returned different results for any reason, the 
   clients would have no knowledge about which address to choose. 

2.6. Higher Security Risks 

   The dependency relationships inherent in A6 chains increase security 
   risks. An attacker may successfully attack a single sub-component of 
   an A6 record, which would then influence many query results, and 
   possibly every host on a large site. There is also the danger of 
   unintentionally or maliciously creating a resolution loop - an A6 
   chain may create an infinite loop because an out of zone pointer may 
   point back to another component farther down the A6 chain. 

3. Current Usage of A6  

   Full support for IPv6 in the global DNS can be argued to have started 
   when the first IPv6 records were associated with root servers in 
   early 2008. 

   One of the major DNS server software packages, BIND9 [BIND], supports 
   both A6 and AAAA and is unique among the major DNS resolvers in that 
   certain versions of the BIND9 resolver will attempt to query for A6 
   records and follow A6 chains. 

   According to published statistics for two root DNS servers (the "K" 
   root server [KROOT] and the "L" root server [LROOT]), there are 
   between 9,000 and 14,000 DNS queries per second on the "K" root 
 
 
Jiang                  Expires March 23, 2012                 [Page 5] 

Internet-Draft    draft-jiang-dnsext-a6-to-historic      September 2011 
    

   server and 13,000 to 19,000 queries per second on the "L" root  
   server. The distributions of those queries by RR type are similar: 
   roughly 60% A queries, 20~25% AAAA queries, and less than 1% A6 
   queries. 

3.1. Reasons for Current A6 Usage 

   That there is A6 query traffic does not mean that A6 is actually in 
   use; it is likely the result of some recursive servers that issue 
   internally-generated A6 queries when looking up missing name server 
   addresses in addition to issuing A and AAAA queries. 

   BIND versions 9.0 through 9.2 could be configured to make A6 queries 
   and it is possible that some active name servers running those 
   versions have not yet been upgraded. 

   In the late 1990s, A6 was considered to be the future in preference 
   to AAAA [RFC2874]. As a result, A6 queries were tried by default in 
   BINDv9 versions. When it was pointed out that A6 had some fundamental 
   issues (discussed in [I-D.ietf-dnsext-aaaa-a6] with the deprecation 
   codified in RFC 3363), A6 was abandoned in favor of AAAA and BINDv9 
   no longer tried A6 records by default. A6 was removed from the query 
   order in the BIND distribution in 2004 or 2005. 

   Some Linux/glibc versions may have had A6 query implementations in 
   gethostbyname() 8-10 years ago. These operating systems/libraries may 
   not have been replaced or upgraded everywhere yet. 

4. Moving A6 to Historic Status 

   This document moves the A6 specification to Historic status. This 
   move provides a clear signal to implementers and/or operators that A6 
   should NOT be implemented or deployed. 

4.1. Impact on Current A6 Usage 

   If A6 were in use and it were to be treated as an 'unknown record' 
   (RFC3597) as discussed below, it might lead to some interoperability 
   issues since resolvers that support A6 are required to do additional 
   section processing for these records on the wire. However, as there 
   are no known production uses of A6, this impact is considered 
   negligible. 

4.2. Transition phase for current A6 

   Since there is no known A6-only client in production use, the 
   transition phase may not be strictly necessary. However, clients that 
 
 
Jiang                  Expires March 23, 2012                 [Page 6] 

Internet-Draft    draft-jiang-dnsext-a6-to-historic      September 2011 
    

   attempt to resolve A6 before AAAA will suffer a performance penalty. 
   Therefore, we recommend: 

   * Removing A6 handling from all new or updated host stacks; 

   * Recommend removing all existing A6 records; and 

   * All resolver and server implementations return the same response as 
   for any unknown or deprecated RR type for all A6 queries. If an AAAA 
   record exists for the name being resolved, a suitable response would 
   be 'no answers/no error', i.e. the response packet has an answer 
   count of 0 but no error is indicated. 

5. Security Considerations 

   Eliminating A6 records will eliminate any security exposure related 
   to that RR type, and should introduce no new vulnerabilities. 

6. IANA Considerations 

   IANA is requested to change the annotation of the A6 RR type from 
   "Experimental" to "Obsolete" in the DNS Parameters registry. 

7. Acknowledgments 

   The authors would like to thank Ralph Droms, Roy Arends, Edward  
   Lewis, Andreas Gustafsson, Mark Andrews, Jun-ichiro "itojun" Hagino 
   and other members of DNS WGs for valuable contributions. 

8. References 

8.1. Normative References 

   [RFC2874] M. Crawford, C. Huitema, "DNS Extensions to Support IPv6 
             Address Aggregation and Renumbering", RFC 2874, July 2000. 

   [RFC3596] S. Thomson, C. Huitema, V. Ksinant, M. Souissi, "DNS 
             Extensions to Support IP Version 6", RFC 3596, October  
             2003. 

8.2. Informative References 

   [RFC1886] S. Thomson and C. Huitema, "DNS Extensions to Support IP 
             Version 6", RFC 1886, December 1995. 



 
 
Jiang                  Expires March 23, 2012                 [Page 7] 

Internet-Draft    draft-jiang-dnsext-a6-to-historic      September 2011 
    

   [RFC3363] R. Bush, A. Durand, B. Fink, O. Gudmundsson, T. Hain, 
             "Representing Internet Protocol version 6 (IPv6) Addresses 
             in the Domain Name System (DNS)", RFC 3363, August 2002. 

   [RFC3364] R. Austein, "Tradeoffs in Domain Name System (DNS) Support 
             for Internet Protocol version 6 (IPv6)", RFC 3364, August 
             2002. 

   [I-D.ietf-dnsext-aaaa-a6] 
             J. Hagino, "Comparison of AAAA and A6 (do we really need 
             A6?)", working in progress, 2001. 

   [BIND]   http://www.isc.org/software/bind 

   [KROOT]  http://k.root-servers.org/ 

   [LROOT]  http://dns.icann.org/lroot/ 

Author's Addresses 

   Sheng Jiang 
   Huawei Technologies Co., Ltd 
   Huawei Building, No.3 Xinxi Rd., Hai-Dian District, Beijing 
   P.R. China 
   Phone: 86-10-82882681 
   Email: jiangsheng@huawei.com 
    
   David Conrad 
   Cloudflare, Inc. 
   665 3rd Street, Suite 207 
   San Francisco CA 94107 
   USA 
   Email: drc@cloudflare.com 
    
   Brian Carpenter 
   Department of Computer Science 
   University of Auckland 
   PB 92019 
   Auckland, 1142 
   New Zealand 
   Email: brian.e.carpenter@gmail.com 






 
 
Jiang                  Expires March 23, 2012                 [Page 8]