IPv6 and the DNS - RIPE 73
IPv6 and the DNS
Geoff Huston
APNIC, October 2016
IPv6 Adoption
http://stats.labs.apnic.net/ipv6
What does it mean?
What are we saying when we say that IPv6 adoption has reached 7% of the Internet?
One way of interpreting this data is that if you hosted a web service on V6 only, some 7% of the Internet's user population could access this service.
We think.
What we don't measure
The Internet is a whole lot more than the web!
But all we measure and all we talk about is web-based metrics.
What about other components of the Internet environment?
One critical component is the DNS.
So how are we doing with IPv6 in the DNS?
IPv6 DNS questions
• DNS is a multi-faceted environment, populated by authoritative name servers who publish information, and client resolvers who pose queries
• And there is a distinction between whether the query is about resolving a name into an IPv6 address and whether it's possible to use IPv6 to pass the query to the name server
• That's a lot of material to cover in a single presentation
• So let's pick one question and dig deeper…
Today's DNS IPv6 questions
How much of the DNS resolution infrastructure is IPv6 capable?
This is a deceptively hard question!
• The DNS is a meta-stable, non-deterministic, chaotic system that still, surprisingly, manages to operate in a manner that appears to be relatively fast, relatively efficient and mostly accurate!
• But underneath the surface a lot is going on:
  • The local resolver function has re-query timers and a locally defined set of resolvers
  • Resolvers themselves have timers and may use forwarders
  • Resolvers may be part of a server farm with active load balancing
• All the authoritative name server sees is a set of queries coming from "visible" resolvers
• The interactions internally between the local host and its resolvers and the chaining of queries is largely opaque
A view of the DNS infrastructure
(Diagram: the end host asks to resolve experiment.dotnxdomain.net; the DNS infrastructure in between is opaque; the authoritative server sees only the queries for experiment.dotnxdomain.net that arrive from "visible" resolvers.)
Our Approach
• It's hard to instrument all parts of the Internet and make sense of the data streams
• Our approach is to seed a known event in end hosts that is intended to cause DNS resolution activity, and instrument the authoritative DNS server
• We infer aspects of the behaviour of the DNS from the transactions we see at the authoritative name server
Our approach
• We use the Ad platform to enrol endpoints to attempt to resolve a DNS name
• The DNS name is served from our authoritative servers
• Each endpoint is provided with a unique name string (to eliminate the effects of DNS caching)
• Each DNS name contains a name creation time component (so that we can disambiguate subsequent replay from original queries)
• We have structured the measurement name space so that the behaviour is visible solely in the DNS (it does not rely on a subsequent web fetch to show that the response was received)
Name Delegation and "Glue"
• When a name is delegated, the "parent" zone normally includes the IP address of the delegated zone's name servers as additional information
For example, here's a snippet from the root zone for the delegation of the gTLD ".bugatti":

Name servers
bugatti. 172800 IN NS a0.nic.bugatti.
bugatti. 172800 IN NS a2.nic.bugatti.
bugatti. 172800 IN NS b0.nic.bugatti.
bugatti. 172800 IN NS c0.nic.bugatti.

"Glue"
a0.nic.bugatti. 172800 IN A    65.22.208.9
a0.nic.bugatti. 172800 IN AAAA 2a01:8840:ca:0:0:0:0:9
a2.nic.bugatti. 172800 IN A    65.22.211.9
a2.nic.bugatti. 172800 IN AAAA 2a01:8840:cd:0:0:0:0:9
b0.nic.bugatti. 172800 IN A    65.22.209.9
b0.nic.bugatti. 172800 IN AAAA 2a01:8840:cb:0:0:0:0:9
c0.nic.bugatti. 172800 IN A    65.22.210.9
c0.nic.bugatti. 172800 IN AAAA 2a01:8840:cc:0:0:0:0:9
"Glueless" Delegation
• "Glue" records provide helpful hints to resolvers, but they are not mandatory, nor are they authoritative
• If a resolver performing a top-down resolution sequence encounters a delegation without glue then it pauses the resolution process of the original name and commences resolution of the name server name
• If this secondary resolution succeeds then it resumes the resolution process of the original name
"Glueless" Delegation

zone dotnxdomain.net
  experiment IN NS srv1.ns.nxdomain.net.

zone nxdomain.net
  ns IN NS srv0.ns.nxdomain.net.
  srv0.ns.nxdomain.net IN A    192.0.2.2
                       IN AAAA 2001:db8::1        (Dual Stack glue)

zone experiment.dotnxdomain.net
  abc IN A    192.0.2.1
      IN AAAA 2001:db8::3

zone ns.nxdomain.net
  srv0 IN AAAA 2001:db8::1
  srv1 IN A    192.0.2.3
       IN AAAA 2001:db8::2                        (Dual Stack)

We can use this…

zone dotnxdomain.net
  experiment IN NS srv1.ns.nxdomain.net.

zone nxdomain.net
  ns IN NS srv0.ns.nxdomain.net.
  srv0.ns.nxdomain.net IN AAAA 2001:db8::1        (IPv6-only glue!)

zone experiment.dotnxdomain.net
  abc IN A    192.0.2.1
      IN AAAA 2001:db8::3

zone ns.nxdomain.net
  srv0 IN AAAA 2001:db8::1
  srv1 IN A    192.0.2.3
       IN AAAA 2001:db8::2
1 – query dotnxdomain.net for experiment.dotnxdomain.net; answer: NS srv1.ns.nxdomain.net
2 – query nxdomain.net for srv1.ns.nxdomain.net; answer: NS srv0.ns.nxdomain.net (AAAA glue)
3 – query ns.nxdomain.net for srv1.ns.nxdomain.net; answer: A for srv1.ns.nxdomain.net
4 – query experiment.dotnxdomain.net for experiment.dotnxdomain.net
A resolver will only query the “child” if it was able to use IPv6 transport to resolve the child zone name server name
That way we can identify dual-stack resolvers
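The four-step sequence above, modelled as an added example (illustrative code written for this page, not the presenter's or APNIC's measurement code): a toy iterative resolver walks the glueless delegation and records what each authoritative zone sees. The zone contents mirror the slide; the parent-zone server addresses in HINTS, the "prefer IPv6" ordering, and the use of abc.experiment.dotnxdomain.net as the target name are assumptions of the model. With an IPv4-only transport set the child zone is never queried; with dual stack it is, which is exactly the inference the slide rests on.

```python
"""Toy iterative resolver walking the 'glueless' delegation from the
slides.  Added example, not code from the presentation.  Zone contents
follow the slide (IPv6-only glue for srv0); the parent-zone server
addresses in HINTS and the 'prefer IPv6' ordering are assumptions."""

import copy
from typing import Dict, List, Optional, Set, Tuple

RRKey = Tuple[str, str]                 # (owner name, RR type)
Zone = Dict[RRKey, List[str]]

# Owner names fully qualified, trailing dot omitted.
ZONES: Dict[str, Zone] = {
    "dotnxdomain.net": {
        ("experiment.dotnxdomain.net", "NS"): ["srv1.ns.nxdomain.net"],   # no glue
    },
    "nxdomain.net": {
        ("ns.nxdomain.net", "NS"): ["srv0.ns.nxdomain.net"],
        ("srv0.ns.nxdomain.net", "AAAA"): ["2001:db8::1"],                # IPv6-only glue
    },
    "ns.nxdomain.net": {
        ("srv1.ns.nxdomain.net", "A"): ["192.0.2.3"],
        ("srv1.ns.nxdomain.net", "AAAA"): ["2001:db8::2"],
    },
    "experiment.dotnxdomain.net": {
        ("abc.experiment.dotnxdomain.net", "A"): ["192.0.2.1"],
        ("abc.experiment.dotnxdomain.net", "AAAA"): ["2001:db8::3"],
    },
}

# Assumption: the resolver already holds dual-stack addresses for the two
# parent zones (stands in for the walk down from the root, not modelled).
HINTS: Dict[str, List[str]] = {
    "dotnxdomain.net": ["192.0.2.20", "2001:db8::20"],
    "nxdomain.net": ["192.0.2.21", "2001:db8::21"],
}


def dual_stack_glue() -> Dict[str, Zone]:
    """Variant of the first slide diagram: srv0 also has IPv4 glue."""
    zones = copy.deepcopy(ZONES)
    zones["nxdomain.net"][("srv0.ns.nxdomain.net", "A")] = ["192.0.2.2"]
    return zones


def transport(addr: str) -> str:
    return "v6" if ":" in addr else "v4"


class Resolver:
    def __init__(self, transports: Set[str], zones: Dict[str, Zone] = ZONES, prefer: str = "v6"):
        self.transports = set(transports)
        self.zones = zones
        self.prefer = prefer
        # What the authoritative side sees: (zone queried, qname, transport).
        self.trace: List[Tuple[str, str, str]] = []

    def usable(self, addrs: List[str]) -> List[str]:
        ok = [a for a in addrs if transport(a) in self.transports]
        return sorted(ok, key=lambda a: transport(a) != self.prefer)

    def query(self, zone: str, addrs: List[str], qname: str, qtype: str) -> Optional[List[str]]:
        ok = self.usable(addrs)
        if not ok:
            return None                       # no server address we can reach
        self.trace.append((zone, qname, transport(ok[0])))
        return self.zones[zone].get((qname, qtype), [])

    def delegated_child(self, zone: str, qname: str) -> Optional[str]:
        for owner, rtype in self.zones[zone]:
            if rtype == "NS" and (qname == owner or qname.endswith("." + owner)):
                return owner
        return None

    def resolve(self, qname: str, qtypes=("A",), depth: int = 0) -> Optional[List[str]]:
        if depth > 3:
            return None
        zone = next((z for z in HINTS if qname == z or qname.endswith("." + z)), None)
        if zone is None:
            return None
        addrs = HINTS[zone]
        while True:
            child = self.delegated_child(zone, qname)
            if child is None:                 # qname lives in this zone: ask for it
                answers: List[str] = []
                for t in qtypes:
                    answers += self.query(zone, addrs, qname, t) or []
                return answers
            ns_names = self.query(zone, addrs, child, "NS")
            if not ns_names:
                return None
            ns = ns_names[0]
            glue = self.zones[zone].get((ns, "A"), []) + self.zones[zone].get((ns, "AAAA"), [])
            if not self.usable(glue):
                # Glueless for this resolver: pause, resolve the NS name for the
                # address types it can actually use, then resume the original name.
                if ns.endswith("." + child):
                    return None               # NS inside its own zone and unreachable: dead end
                wanted = tuple(t for t, tr in (("A", "v4"), ("AAAA", "v6")) if tr in self.transports)
                glue = self.resolve(ns, wanted, depth + 1) or []
                if not self.usable(glue):
                    return None
            zone, addrs = child, glue


def auth_trace(transports: Set[str], zones: Dict[str, Zone] = ZONES) -> List[Tuple[str, str, str]]:
    r = Resolver(transports, zones)
    r.resolve("abc.experiment.dotnxdomain.net")
    return r.trace


def reaches_child(transports: Set[str], zones: Dict[str, Zone] = ZONES) -> bool:
    return any(z == "experiment.dotnxdomain.net" for z, _, _ in auth_trace(transports, zones))


if __name__ == "__main__":
    for stack in ({"v4"}, {"v4", "v6"}):
        print(sorted(stack), "->", auth_trace(stack))
```

Passing `dual_stack_glue()` as the zone set reproduces the first diagram: the IPv4-only resolver then completes the walk over IPv4, so the child query no longer tells the two resolver types apart, which is why the measurement needs the IPv6-only glue.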
The measurement
• The Ad campaign ran across July - August 2016, running between 5M and 10M ads per day
• We collected some 400M results spanning most of the Internet
"Visible" Resolver Totals
345,394 unique resolvers asked the auth server for the "parent" zone
268,218 of these resolvers appear to be V4 only (did not pose the IPv6 query to the "sibling" server)
59,372 resolvers asked the "parent" query using IPv4, and asked the "sibling" query using IPv6
77,812 resolvers in total queried the parent, sibling and child servers
i.e. some 22% of visible resolvers are capable of using IPv6 to make DNS queries
"Visible" Resolvers
22% of visible resolvers are capable of performing queries using IPv6 transport
But maybe there is a difference between counting resolvers and counting the users who use resolvers
i.e. what differences exist when looking at the intensity of use of individual resolvers?
All resolvers might be equal, but some resolvers are more equal than others!
8,000 distinct IP addresses (2.3% of all seen IP addrs) for resolvers serve 90% of all experiments
IPv6 Usage Results by Query
194M unique experiment ids asked the auth server for the "parent" zone
122M (63%) did NOT ask the "sibling" server for the NS zone using IPv6
2.9M (1.5%) did NOT ask the "child" server for the target name
68.5M (35%) appeared to complete the DNS resolution task
i.e. some 35% of experiments were able to use IPv6 to resolve a DNS name
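The two ways of counting on this slide and the two before it (per visible resolver, per experiment id, and the concentration of experiments on a few resolvers) can all be reproduced from the authoritative server's log. What follows is an added example, not the presentation's or APNIC's analysis code: the log line format and the sample lines are constructed for it, and tying an IPv4 parent query to an IPv6 sibling query through the shared experiment id is an assumption the example makes about how the "parent over IPv4, sibling over IPv6" count is obtained.

```python
"""Aggregating the authoritative-side view of the glueless experiment into
the two kinds of count the slides report: per visible resolver and per
experiment id.  Added example, not code from the presentation; the log
line format and the sample lines are constructed here (the slides do not
show the real measurement's log layout)."""

from collections import defaultdict
from typing import Dict, List, Set, Tuple

Events = Dict[str, List[Tuple[str, str]]]      # experiment id -> [(server, resolver addr)]


def constructed_log() -> List[str]:
    """Constructed sample: '<experiment id> <server> <resolver address>'.
    The sibling server is IPv6-only, so a sibling line is always an IPv6
    query; parent and child are dual stack."""
    lines = []
    for i in range(1, 9):                       # eight complete resolutions via one dual-stack resolver
        lines += [f"u{i} parent 192.0.2.10",
                  f"u{i} sibling 2001:db8:a::10",
                  f"u{i} child 2001:db8:a::10"]
    lines += ["u9 parent 192.0.2.11",           # IPv4-only resolver: parent query only
              "u10 parent 192.0.2.12",          # another IPv4-only resolver
              "u11 parent 2001:db8:b::1",       # IPv6 for the parent as well...
              "u11 sibling 2001:db8:b::1"]      # ...but the child is never queried
    return lines


def parse(lines: List[str]) -> Events:
    per_exp: Events = defaultdict(list)
    for line in lines:
        uid, server, addr = line.split()
        per_exp[uid].append((server, addr))
    return per_exp


def classify_experiments(per_exp: Events) -> Dict[str, int]:
    """Per experiment id, as on the 'IPv6 Usage Results by Query' slide."""
    counts = {"parent_only": 0, "sibling_no_child": 0, "completed": 0}
    for events in per_exp.values():
        servers = {s for s, _ in events}
        if "child" in servers:
            counts["completed"] += 1
        elif "sibling" in servers:
            counts["sibling_no_child"] += 1
        else:
            counts["parent_only"] += 1
    return counts


def classify_resolvers(per_exp: Events) -> Tuple[Dict[str, int], Dict[str, Set[str]]]:
    """Per visible resolver, i.e. per address that queried the parent.  An
    address is credited with IPv6 capability when an experiment it served
    also shows a sibling query; linking an IPv4 parent query to an IPv6
    sibling query through the experiment id is this example's assumption."""
    parent_exps: Dict[str, Set[str]] = defaultdict(set)
    v6_exps: Set[str] = set()
    for uid, events in per_exp.items():
        for server, addr in events:
            if server == "parent":
                parent_exps[addr].add(uid)
            elif server == "sibling":
                v6_exps.add(uid)
    counts = {"visible": len(parent_exps), "v4_only": 0, "v6_capable": 0, "v4_parent_v6_sibling": 0}
    for addr, exps in parent_exps.items():
        if exps & v6_exps:
            counts["v6_capable"] += 1
            if ":" not in addr:
                counts["v4_parent_v6_sibling"] += 1
        else:
            counts["v4_only"] += 1
    return counts, parent_exps


def resolvers_covering(parent_exps: Dict[str, Set[str]], share: float = 0.9) -> int:
    """How many visible resolvers, busiest first, cover `share` of all experiments
    (the '2.3% of addresses serve 90% of experiments' view)."""
    total = len(set().union(*parent_exps.values()))
    ranked = sorted(parent_exps.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    covered: Set[str] = set()
    for n, (_, exps) in enumerate(ranked, 1):
        covered |= exps
        if len(covered) >= share * total:
            return n
    return len(ranked)


if __name__ == "__main__":
    per_exp = parse(constructed_log())
    print(classify_experiments(per_exp))
    counts, parent_exps = classify_resolvers(per_exp)
    print(counts, "resolvers covering 90%:", resolvers_covering(parent_exps))
```

On the constructed sample, half of the visible resolvers are IPv6-capable but eight of eleven experiments complete, which is the same shape as the slide's 22% of resolvers versus 35% of experiments: the busy resolvers are the dual-stack ones.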
IPv6 Usage Results
• While some 22% of visible resolvers are IPv6-capable, it appears that around 35% of users direct these queries to these IPv6-capable resolvers
• While this is visible using an IPv6-only glue server, what is the query profile when we use a Dual Stack server?
• i.e. Do Dual Stack capable DNS resolvers prefer to use one protocol or the other?
V6 Capable vs V6 Preference
25% of experiments pass queries to resolvers who are IPv6 capable
Out of 3,113M queries made in this experiment to the Dual Stack "parent" server, some 352M queries were over IPv6
i.e. 11% of query sequences pass queries to resolvers who are Dual Stack capable
If the choice of protocol was random, then this number would be 17%, so this data suggests that there is some slight inherent bias in protocol selection to use IPv4 by resolvers when the server is advertising Dual Stack reachability
This may be due to the local selection of resolvers, where a user may be configured with IPv4-only and dual-stack recursive resolvers
Which resolvers are they using?
Top 25 visible IPv6-capable resolvers, grouped by origin AS, ranked by relative use by end users

AS       Share   Network
AS15169  31.9%   GOOGLE - Google Inc., US (United States of America)
AS7018   13.5%   ATT-INTERNET4 - AT&T Services, Inc., US (United States of America)
AS7922   11.5%   COMCAST-7922 - Comcast Cable Communications, LLC, US (United States of America)
AS36692   3.4%   OPENDNS - OpenDNS, LLC, US (United States of America)
AS8151    2.7%   Uninet S.A. de C.V., MX (Mexico)
AS17676   2.4%   GIGAINFRA Softbank BB Corp., JP (Japan)
AS4134    1.7%   CHINANET-BACKBONE No.31, Jin-rong Street, CN (China)
AS28573   1.6%   CLARO S.A., BR (Brazil)
AS9498    1.6%   BBIL-AP BHARTI Airtel Ltd., IN (India)
AS3320    1.4%   DTAG Internet service provider operations, DE (Germany)
AS2516    1.2%   KDDI KDDI CORPORATION, JP (Japan)
AS6147    1.1%   Telefonica del Peru S.A.A., PE (Peru)
AS18881   1.0%   TELEFONICA BRASIL S.A, BR (Brazil)
AS22773   1.0%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc., US (United States of America)
AS55836   1.0%   RELIANCEJIO-IN Reliance Jio Infocomm Limited, IN (India)
AS55644   0.9%   IDEANET1-IN Idea Cellular Limited, IN (India)
AS6713    0.9%   IAM-AS, MA (Morocco)
AS4713    0.9%   OCN NTT Communications Corporation, JP (Japan)
AS6128    0.9%   CABLE-NET-1 - Cablevision Systems Corp., US (United States of America)
AS20115   0.8%   CHARTER-NET-HKY-NC - Charter Communications, US (United States of America)
AS3352    0.8%   TELEFONICA_DE_ESPANA, ES (Spain)
AS852     0.8%   ASN852 - TELUS Communications Inc., CA (Canada)
AS22394   0.5%   CELLCO - Cellco Partnership DBA Verizon Wireless, US (United States of America)
AS6799    0.5%   OTENET-GR Athens - Greece, GR (Greece)
AS15557   0.4%   LDCOMNET, FR (France)
A word of caution
• Adding IPv6 to a resolver is not without its element of risk in terms of resolution performance
• The problem lies in the issues with large DNS responses, IPv6 fragmentation and IPv6 Extension header handling
• Dropped IPv6 responses cause resolver timeouts triggering re-queries, extending resolution time
IPv6 Response Reliability
• In the context of the "glueless" setup, the resolver will query for the target name if and only if it can receive a response to the IPv6-only query for the address of the NS name
• We tested 3 NS response sizes: 361, 1156 and 1425 octet responses
• We used a local MTU setting of 1500 octets, reducing the level of source-initiated IPv6 fragmentation
IPv6 Failure Behaviours
Repeated queries with large EDNS0 buffer size
• Indicative of the resolver being unable to receive the IPv6 response
Repeated queries with no EDNS0 buffer size
• Where the UDP response is a truncated DNS payload. This is indicative of either being unable to receive the IPv6 DNS response or being unable to initiate a TCP session
Completion Rate
What proportion of experiments completed the IPv6 NS lookaside operation after making a query to the "sibling" Name Server, by making a query to the target name?

Size   Completion / sibling lookup   Rate
361    68M / 71M                     96%
1125   68M / 71M                     96%
1425   68M / 71M                     96%

We used a local MTU setting of 1500 octets!
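The two failure signatures from the "IPv6 Failure Behaviours" slide and the completion ratio above, applied to constructed sibling-server records, together with the header arithmetic that explains why all three response sizes fit a 1500-octet MTU and where the 1220-octet TCP MSS figure at the end of the deck comes from. This is an added example, not code from the presentation; the record format, the sample lines and the "at least two repeated queries" threshold are constructed for it.

```python
"""Classifying what the IPv6-only 'sibling' server sees from one experiment
into the failure signatures on the 'IPv6 Failure Behaviours' slide, plus
the fragmentation budget behind the MTU/MSS advice at the end of the deck.
Added example, not code from the presentation; the log format, the sample
records and the repeat threshold are constructed for this example."""

from collections import defaultdict
from typing import Dict, List, Tuple

IPV6_HEADER = 40
UDP_HEADER = 8
TCP_HEADER = 20
IPV6_MIN_MTU = 1280
CLASSIC_UDP_LIMIT = 512          # DNS/UDP payload limit without EDNS0 (RFC 1035)


def max_unfragmented_udp_payload(mtu: int = 1500) -> int:
    """Largest DNS/UDP payload that leaves the sender in one IPv6 packet."""
    return mtu - IPV6_HEADER - UDP_HEADER           # 1452 octets at MTU 1500


def safe_tcp_mss() -> int:
    """MSS that fits the IPv6 minimum MTU, so no path can demand a smaller one."""
    return IPV6_MIN_MTU - IPV6_HEADER - TCP_HEADER  # 1220 octets


Record = Tuple[str, int, str]    # (server, EDNS0 buffer size or 0 if none, 'udp'/'tcp')


def parse(lines: List[str]) -> Dict[str, List[Record]]:
    """Constructed format: '<experiment id> <server> [<edns buffer|none> <udp|tcp>]'."""
    per_exp: Dict[str, List[Record]] = defaultdict(list)
    for line in lines:
        parts = line.split()
        uid, server = parts[0], parts[1]
        if server == "sibling":
            buf = 0 if parts[2] == "none" else int(parts[2])
            per_exp[uid].append((server, buf, parts[3]))
        else:
            per_exp[uid].append((server, 0, "udp"))
    return per_exp


def classify(records: List[Record], response_size: int) -> str:
    """Which slide signature does one experiment's sibling traffic match?"""
    if any(s == "child" for s, _, _ in records):
        return "completed"
    udp = [(buf, proto) for s, buf, proto in records if s == "sibling" and proto == "udp"]
    tcp_seen = any(s == "sibling" and proto == "tcp" for s, _, proto in records)
    if len(udp) >= 2 and all(buf >= response_size for buf, _ in udp):
        return "large_response_not_received"        # big UDP answer never arrived; resolver re-queried
    truncated = response_size > CLASSIC_UDP_LIMIT    # no EDNS0: answer above 512 octets is sent with TC=1
    if len(udp) >= 2 and all(buf == 0 for buf, _ in udp) and truncated and not tcp_seen:
        return "truncated_no_tcp"                   # truncated answers, no TCP follow-up ever seen
    return "incomplete_other"


def classify_all(lines: List[str], response_size: int) -> Dict[str, str]:
    return {uid: classify(recs, response_size) for uid, recs in parse(lines).items()}


def completion_rate(lines: List[str], response_size: int) -> float:
    """Completed / experiments that reached the sibling server (the slide's ratio)."""
    reached = [classify(recs, response_size) for recs in parse(lines).values()
               if any(s == "sibling" for s, _, _ in recs)]
    return sum(r == "completed" for r in reached) / len(reached)


# Constructed sample traffic for four experiments.
SAMPLE_LOG = [
    "e1 sibling 4096 udp", "e1 child",                                    # normal
    "e2 sibling 4096 udp", "e2 sibling 4096 udp", "e2 sibling 4096 udp",  # large-buffer re-queries
    "e3 sibling none udp", "e3 sibling none udp",                         # no EDNS0, no TCP retry
    "e4 sibling none udp", "e4 sibling none tcp", "e4 child",             # TC, TCP fallback works
]

if __name__ == "__main__":
    print(classify_all(SAMPLE_LOG, 1425), completion_rate(SAMPLE_LOG, 1425))
    print("UDP budget at 1500:", max_unfragmented_udp_payload(), "TCP MSS:", safe_tcp_mss())
```

Note that the "no EDNS0" signature only exists for responses above 512 octets: re-running `classify` on e3 with the 361-octet response turns it into an unexplained repeat, because a 361-octet answer is never truncated.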
IPv6 and the DNS?
In resolution infrastructure we seem to be further along the transition than the web: 35% of users pass their queries to resolvers that are capable of using IPv6, and about half of that show a preference for using IPv6
In terms of reliability, as long as you take some care in the configuration*, this should be just fine!
* Try and avoid IPv6 fragmentation by using a local UDP MTU size of 1500 octets, and ensure that there are no local ICMP6 filters. At the same time use an IPv6 TCP MSS size of 1220 octets to avoid PMTU blackholing.
Thanks!