Next up: IPv6?
Cricket Liu (Infoblox)
The hard work of deploying DNSSEC is well underway: Registries are signing top-level zones, and the Internet Systems Consortium and various vendors, including Infoblox, are simplifying the task of signing and managing a secure zone. Even though widespread adoption of DNSSEC is some way off, it’s natural to wonder what’s next.

My bet is on IPv6. Of course, IPv6 is tomorrow’s internet protocol—and has been for years—but I’ve heard more and more inquiries about IPv6 over the past few months. Reporters are writing articles about the rate of IPv6 adoption and coaching readers on how to prepare for the migration to IPv6, while customers are asking questions about IPv6-related features on our roadmap. And Geoff Huston’s estimate of the date ARIN will exhaust its allocation of IPv4 addresses now stands at June 4, 2011. That’s not far off.

Luckily, the deployment of IPv6 won’t require quite the overhaul of DNS that DNSSEC did. Here are some of the changes we’ll see:

- There’s a new resource record type, AAAA (usually called a “quad-A record”). This is a simple IPv6 analog of the IPv4 A record. The only real difference (besides the new type mnemonic) is that the RDATA contains a set of as many as eight quartets of hexadecimal digits, like so:
  ipv6host.foo.example. AAAA 1234:5678:90ab:cdef:1234:5678:90ab:cdef
- Reverse mapping gets very messy, because all of a sudden PTR records are attached to domain names like f.e.d.c.b.a.0.9.8.7.6.5.4.3.2.1.f.e.d.c.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa. (That’s 34 labels, in case you don’t feel like counting.) Note also that the IPv6 reverse-mapping domain is ip6.arpa, not in-addr.arpa.
- More organizations will begin running name servers with IPv6 stacks. On the authoritative side, some of the root name servers currently respond to queries over IPv6, as do some of VeriSign’s gTLD name servers (those authoritative for .com and .net). Fewer recursive name servers support IPv6. That’ll likely change as organizations bring up IPv6-only clients that use technologies like NAT64 to communicate with IPv4 endpoints.
- And, of course, DNS will assume a new criticality, because IPv6 addresses are nearly impossible for mere humans to remember and difficult to even enter correctly.

As with DNSSEC, the introduction of IPv6 will heighten the need for good administrative tools and increased automation. Entering IPv6 addresses by hand is simply too time-consuming and error-prone—not to mention stultifyingly boring. IP address management systems can alleviate some of this burden through network discovery, auto-completion and more.
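
As an added illustration (not code from the article or from Infoblox), the Python sketch below derives the ip6.arpa owner name for an AAAA address, parses such a name back into an address, and cross-checks hand-entered forward and reverse data. The host www.foo.example., the 2001:db8::1 address and the function names are assumptions made for the example.

```python
import ipaddress

HEX = set("0123456789abcdef")

def ptr_name(addr):
    """ip6.arpa owner name for an IPv6 address given in any textual form."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def addr_from_ptr(name):
    """Parse an ip6.arpa owner name back to an address; reject malformed names."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("expected 32 nibble labels followed by ip6.arpa")
    nibbles = labels[:32]
    if any(len(n) != 1 or n not in HEX for n in nibbles):
        raise ValueError("each label must be one hexadecimal digit")
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))

def check_zone(aaaa, ptr):
    """Cross-check forward (host -> address) and reverse (owner -> host) data.
    Returns a list of problems; an empty list means the two agree."""
    problems = []
    for host, addr in aaaa.items():
        want = ptr_name(addr)
        if ptr.get(want) != host:
            problems.append(f"{host}: no PTR for it at {want}")
    for owner, host in ptr.items():
        try:
            addr = addr_from_ptr(owner)
        except ValueError as exc:
            problems.append(f"{owner}: {exc}")
            continue
        if host not in aaaa or ipaddress.IPv6Address(aaaa[host]) != addr:
            problems.append(f"{owner}: names {host}, which has no AAAA {addr}")
    return problems

# Constructed sample data: the article's AAAA example plus a second host
# (documentation prefix 2001:db8::/32) whose PTR was typed with two nibbles swapped.
SAMPLE_AAAA = {
    "ipv6host.foo.example.": "1234:5678:90ab:cdef:1234:5678:90ab:cdef",
    "www.foo.example.": "2001:db8::1",
}
SAMPLE_PTR = {
    ptr_name("1234:5678:90ab:cdef:1234:5678:90ab:cdef"): "ipv6host.foo.example.",
    ptr_name("2001:db8::1").replace("8.b.d.0", "8.d.b.0"): "www.foo.example.",
}

if __name__ == "__main__":
    for line in check_zone(SAMPLE_AAAA, SAMPLE_PTR):
        print(line)
```

Run against the sample data, the check reports the second host twice: once because its AAAA has no matching PTR, and once because the mistyped PTR resolves to an address with no AAAA.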
Aug 31, 2010 at 11:07 AM
It's time to spread the mantra for adoption of IPv6 - thanks for the article Cricket! For those looking for resources there is the California IPv6 Task Force:
http://www.cav6tf.org/
Gogonet and their gogonet live event in Silicon Valley later this year:
http://gogonetlive.com/
Google also has the annual IPv6 Implementors event:
https://sites.google.com/site/ipv6implementors/
Looking forward to the tools Infoblox comes out with for IPv6!
- Ed Horley - Co-chair CAv6TF
Aug 31, 2010 at 8:36 PM
Good article Cricket. One thing to note is that Comcast has been working on our IPv6 deployment for several years now and like our work on DNSSEC, we are very focused on the deployment of IPv6 trials on our production network so we can deploy these technologies correctly for our customers and share our learnings. You can find updates on our progress at http://www.comcast6.net and our DNS resolvers that do DNSSEC validation also are dual stack for IPv6 and can be accessed from our various trials like 6RD, 6to4, and soon our native dual stack trial.
Aug 31, 2010 at 9:36 PM
Thanks for your comments, Ed and Chris. I actually signed up for Comcast's IPv6 trial--I've got a lot to learn about IPv6, too!
Sep 1, 2010 at 6:39 AM
We all should keep an eye out on the convergence of IPv6 and DNS via the AAAA RRs you mention. People should be aware of and IMHO be skeptical of or resist doing DNS whitelisting. See http://www.comcast6.net/IPv6_DNS_Whitelisting_Concerns_20100416.pdf for more on the issue.
Sep 10, 2010 at 6:34 PM
From the point of view of a DNS implementor, IPv6 is a cake walk compared to DNSSEC. For an authoritative server, it’s a no-brainer: just add the code to bind to an IPv6 address and you’re done.
It’s almost as easy for a recursive DNS server; it gets a little messy with glueless NS referrals (I took the easy way out: I just ask for an IPv4 A record when getting a glueless NS refer, with untested hooks in the code in place to change the query type to ANY or AAAA), but besides that, it’s pretty straightforward.
Indeed, my little DNS server project doesn’t have DNSSEC support (I have nothing against DNSSEC; the only issue is that I don’t have free time to implement it for fun and for free), but it does have full (albeit untested) IPv6 support.
Mar 24, 2011 at 8:02 PM
Great article! My gut is telling me that the migration from IPv4 to IPv6 will be a "procrastinating" slow one. Enterprise will not change unless they are forced to do so. It is great that people like you are sensitizing folks about this topic.
Mar 24, 2011 at 9:13 PM
Thanks, Donnovan! I appreciate that!