AAAA lookup misbehaviour
At the last RIPE meeting I was given an action item:
Write up a draft RIPE document summarizing the observations made regarding AAAA resolution problems. Circulate to the list, initiate discussion what to, i.e. whom to approach with the list of errors/problems seen.
I checked with Peter, and he says the documents are pretty freeform, so I've written a few paragraphs, included below.
David
This document is a short description of problems with certain DNS systems that have come to light with the deployment of IPv6 enabled software.
---
One of the services that DNS provides is a facility for mapping host names to IPv4 addresses. This is probably the most commonly used service that DNS provides, and is achieved by requesting a record of type "A" for the host name. Records of type A can only store an IPv4 address, and so with the introduction of IPv6, a new record type, AAAA has been introduced. It is becoming increasingly common for software to first issue a request of type AAAA, and if no record of that type is found then to issue a request for a record of type A.
A request for a record of type AAAA causes no problems for most DNS servers, however some DNS servers have been found that have problems answering queries not of type A. The technical details of these problems are explained in the IETF draft document draft-ietf-dnsop-misbehavior-against-aaaa-01.txt. In 2004, about 0.5--1% of name servers seem to have a problem of this nature. The end result of these issues is that connecting to a site using a problematic name server may be impossible, intermittent or significantly delayed.
To prevent introducing more DNS servers with such issues, testing of new DNS equipment should include checking that the response for records is in accordance with the RFCs. As DNS load balancing software has often fallen foul of these problems, particular care should be taken in testing and validating such systems.
The fact that problematic nameservers exist is in itself a problem. Where these issues cause direct inconvenience, the maintainers of the server and the maintainers of the DNS data should be notified to allow a normal service to be restored. However, often it is difficult for end users to identify the source of these problems (for example, where an image embedded in a web page is being served from a host with a problem hostname).
It is also possible to automatically produce lists of names and nameservers that exhibit these problems. Clearly it is possible to automatically mail hostmasters or to publish "hall of shame" lists based on such data. It is unclear if such actions would achieve any useful effect, as service maintainers are usually primarily concerned about complaints directly from paying users!
Hi David,
Only problems with DNS servers will be covered? I mean, won't you include something related with resolvers.
I can send some info regarding a bug in the resolver library of Windows XP+SP1 and Windows 2003, which causes a failure when a domain name has A and AAAA records.
Best regards,
Alvaro Vives
Consulintel
----- Original Message -----
From: "David Malone" <dwmalone@maths.tcd.ie>
To: <dns-wg@ripe.net>
Cc: "Peter Koch" <pk@TechFak.Uni-Bielefeld.DE>; <niallm@enigma.ie>
Sent: Thursday, July 01, 2004 4:54 PM
Subject: [dns-wg] AAAA lookup misbehaviour
At the last RIPE meeting I was given an action item:
Write up a draft RIPE document summarizing the observations made regarding AAAA resolution problems. Circulate to the list, initiate discussion what to, i.e. whom to approach with the list of errors/problems seen.
I checked with Peter, and he says the documents are pretty freeform, so I've written a few paragraphs, included below.
David
This document is a short description of problems with certain DNS systems that have come to light with the deployment of IPv6 enabled software.
---
One of the services that DNS provides is a facility for mapping host names to IPv4 addresses. This is probably the most commonly used service that DNS provides, and is achieved by requesting a record of type "A" for the host name. Records of type A can only store an IPv4 address, and so with the introduction of IPv6, a new record type, AAAA has been introduced. It is becoming increasingly common for software to first issue a request of type AAAA, and if no record of that type is found then to issue a request for a record of type A.
A request for a record of type AAAA causes no problems for most DNS servers, however some DNS servers have been found that have problems answering queries not of type A. The technical details of these problems are explained in the IETF draft document draft-ietf-dnsop-misbehavior-against-aaaa-01.txt. In 2004, about 0.5--1% of name servers seem to have a problem of this nature. The end result of these issues is that connecting to a site using a problematic name server may be impossible, intermittent or significantly delayed.
To prevent introducing more DNS servers with such issues, testing of new DNS equipment should include checking that the response for records is in accordance with the RFCs. As DNS load balancing software has often fallen foul of these problems, particular care should be taken in testing and validating such systems.
The fact that problematic nameservers exist is in itself a problem. Where these issues cause direct inconvenience, the maintainers of the server and the maintainers of the DNS data should be notified to allow a normal service to be restored. However, often it is difficult for end users to identify the source of these problems (for example, where an image embedded in a web page is being served from a host with a problem hostname).
It is also possible to automatically produce lists of names and nameservers that exhibit these problems. Clearly it is possible to automatically mail hostmasters or to publish "hall of shame" lists based on such data. It is unclear if such actions would achieve any useful effect, as service maintainers are usually primarily concerned about complaints directly from paying users!
On Fri, Jul 02, 2004 at 01:42:55PM +0200, Alvaro Vives wrote:
Hi David,
Only problems with DNS servers will be covered? I mean, won't you include something related with resolvers.
I can send some info regarding a bug in the resolver library of Windows XP+SP1 and Windows 2003, which causes a failure when a domain name has A and AAAA records.
There's also the really-annoying "getnameinfo() can't handle IPv4-mapped-IPv6 addresses" problem that crept into some BSD code (most notably OS X resolver library) and lately glibc through some ancient ISC code people blindly-copied I think. This seems to be the most common problem on *nix platforms anyway, luckily enough it's easily work-aroundable, for an example work-around see:
http://cvs.apache.org/viewcvs.cgi/apr/network_io/unix/sockaddr.c?view=markup
Workaround description: Test the address against IN6_IS_ADDR_V4MAPPED, and set up a (IPv4) sockaddr_in structure based on the last 32 bits of the mapped address, and resolve it instead.
That's about the only big problem I've seen in any wide deployment with APR which has been used with Apache 2 for over 2 years now.
--
Colm MacCárthaigh Public Key: colm+pgp@stdlib.net
Participants (3): Alvaro Vives, Colm MacCarthaigh, David Malone