Imagine a level-2 domain where some (albeit not all) NSes haven’t any A record but have AAAA instead. In other words, some NSes are accessible via IPv6 only. Ī mean, something like:

@         IN    SOA     example.net. root.example.net.
;
@         IN    NS      commercial.DNS.example.
@         IN    NS      homebrew
homebrew  IN    AAAA    2001:db8::c001:5eff
service   IN    A       198.51.100.3
service   IN    AAAA    2001:db8::c000:0001

  • Which (if any) public TLDs permit for such subdomain configuration?

  • Will a significant portion of DNS queries, pertaining to the domain, be served by IPv6-only servers?

  • How accessible (from the Internet) will the domain be if all IPv4 NSes went offline but IPv6-only ones continued?

Or, to sum up, is an IPv6-only NS any better than not having such an NS at all? All questions concern the present-day (as of 2015) Internet.


put on hold as too broad by EEAA, Hyppy, Nathan C, Jenny D, Sven 15 hours ago


While I appreciate the skillful use of RFC-approved documentation addresses and names, I'm not seeing what the actual problem is. This can't really be answered. For example, the number of DNS requests you receive is going to be based on how many people are requesting DNS records. –  Hyppy 16 hours ago
    
@Hyppy: Ī clarified my second question. –  Incnis Mrsi 16 hours ago  
I'm starting to think this is a homework question. –  Hyppy 16 hours ago
    
@Hyppy: because Ī demonstrated a suspicious (for a random Internet loiterer) skill in writing documentation-like texts? This will shed light to this mysterious phenomenon, for you. –  Incnis Mrsi 15 hours ago  
No, the reason is because StackExchange is used for looking for solutions to a particular problem rather than asking for opinions on a generic question. While it's a good question, it's not really suitable in our Q&A format. –  Nathan C 15 hours ago
I don't think this sounds like a homework question. It sounds like a sysadmin that has been asked to solve one of those odd-ball operational problems that crops up. –  TomOnTime 13 hours ago

3 Answers

Which (if any) public TLDs permit for such subdomain configuration?

They all should. However some registrars may prevent it due to restrictions in their web UIs. You should consider this a bug and complain. It would be useful if you reported any registrars you find doing this.

How many DNS requests, pertaining to the domain, will be served by IPv6-only servers?

Most DNS servers that are configured for IPv6, filter out any AAAA records if the request came from IPv4. This is done as a precaution so that misconfigured IPv4-only hosts don't try to connect via AAAA. In other words, if a host is able to reach the DNS server via IPv6, then it is safe to tell the user to connect via IPv6 too. Sites like Google did this when they enabled IPv6; I'm not sure if they've stopped doing it since "World IPv6 Day".

How accessible (from the Internet) will the domain be if all IPv4 NSes went offline but IPv6-only ones continued?

I don't know. In theory, some DNS servers may be doing their queries under IPv6, but most likely very few. However I can suggest a test that would help you predict the answer.

If I was going to make a change like this, first I would set up an experiment to test the above hypothesis. For example, set up 2 NS records each with one A record and one AAAA record. Run in this configuration for a week, keeping logs of the requests you get. Calculate what % of IPv6 traffic you get. Calculate what % of queries were received via IPv6 but produced answers that did not include AAAA records.

I would do this test no matter what. There are too many ambiguities in how ISPs configure their DNS servers.

The claim that "Most DNS servers that are configured for IPv6, filter out any AAAA records if the request came from IPv4." sounds dubious. The authoritative DNS server cannot know the IP address of the client (unless a non-standard extension is agreed upon between recursor and authoritative), which makes such filtering on authoritative DNS servers mostly impossible. Such filtering on recursive resolvers would be possible, but a violation of the protocol and likely to cause more breakage than it fixes. –  kasperd 9 hours ago
Additionally the claim that "Sites like Google did this when they enabled IPv6" is dubious since Google still does not have IPv6 support on their authoritative servers. So every query they receive will come in over IPv4. –  kasperd 9 hours ago
I may be misremembering it. Google certainly did implement the whitelist. en.wikipedia.org/wiki/… The "delete AAAA records to IPv4 clients" thing may have been a brainstorm that was later rejected (or it was something done experimentally). However, the brokenness was real (cite: en.wikipedia.org/wiki/…) and until World IPv6 Day, ISPs did a lot of weird things to work around it. After IPv6 Day, the solution is to tell the client to fix themselves. –  TomOnTime 8 hours ago
The brokenness was indeed real. It was mostly fixed around 2010. Google did indeed use a whitelist of resolvers which got to see AAAA records. That whitelist contained the IPv4 addresses of resolvers at ISPs with solid dual stack deployments. The whitelists were in use until mid 2012. –  kasperd 8 hours ago
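An added example (not part of the original answer or its comments) for the first measurement in the experiment proposed above: the share of queries that reach a dual-stack authoritative server over IPv6. The log lines are constructed in the style of a BIND query log, and the function names are hypothetical. The second measurement needs response data, which a query log does not carry.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of a BIND query log (not real traffic).
SAMPLE_LOG = """\
06-Mar-2015 10:00:01.101 queries: info: client 192.0.2.10#53124 (service.example.net): query: service.example.net IN A -E (198.51.100.3)
06-Mar-2015 10:00:01.207 queries: info: client 192.0.2.10#40112 (service.example.net): query: service.example.net IN AAAA -E (198.51.100.3)
06-Mar-2015 10:00:02.010 queries: info: client 203.0.113.7#33001 (example.net): query: example.net IN NS -E (198.51.100.3)
06-Mar-2015 10:00:02.512 queries: info: client 2001:db8:1::53#51515 (service.example.net): query: service.example.net IN AAAA -E (2001:db8::c001:5eff)
06-Mar-2015 10:00:03.004 queries: info: client 2001:db8:2::53#41000 (service.example.net): query: service.example.net IN A -E (2001:db8::c001:5eff)
06-Mar-2015 10:00:03.300 queries: info: client ::ffff:192.0.2.10#53999 (example.net): query: example.net IN SOA -E (::ffff:198.51.100.3)
06-Mar-2015 10:00:04.000 general: info: zone example.net/IN: loaded serial 2015030601
"""

# Newer BIND releases print "@0x..." before the address; accept both forms.
CLIENT_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?([0-9A-Fa-f:.]+)#\d+ .*?query: ")

def classify(addr):
    """Return (family, normalized address). An IPv4-mapped IPv6 source means
    the packet travelled over IPv4 to a dual-stack socket, so count it as 4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return 4, str(ip.ipv4_mapped)
    return ip.version, str(ip)

def summarize(log_text):
    queries = Counter()
    resolvers = {4: set(), 6: set()}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue                      # not a query line
        try:
            family, addr = classify(m.group(1))
        except ValueError:
            continue                      # unparsable client address
        queries[family] += 1
        resolvers[family].add(addr)
    total = sum(queries.values())
    return {
        "total": total,
        "v6_query_pct": round(100.0 * queries[6] / total, 1) if total else 0.0,
        "v4_resolvers": len(resolvers[4]),
        "v6_resolvers": len(resolvers[6]),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Counting distinct resolvers as well as raw queries keeps one busy IPv6 resolver from skewing the estimate.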

What you're asking is largely opinion based, which isn't a good way to approach the problem. What you should be more concerned with are what the standards have to say. Considering the fact that nothing has emerged to obsolete BCP91, I think you would be best served by reading the document in full. Section 1 explains the problem in detail, but to avoid quoting the entire RFC here I'm going to skip ahead to the conclusions reached in section 4:

  4. DNS IPv6 Transport recommended Guidelines

    In order to preserve name space continuity, the following
    administrative policies are recommended:

    • every recursive name server SHOULD be either IPv4-only or dual stack,

      This rules out IPv6-only recursive servers. However, one might design configurations where a chain of IPv6-only name server forward queries to a set of dual stack recursive name server actually performing those recursive queries.

    • every DNS zone SHOULD be served by at least one IPv4-reachable authoritative name server.

      This rules out DNS zones served only by IPv6-only authoritative name servers.

    Note: zone validation processes SHOULD ensure that there is at least one IPv4 address record available for the name servers of any child delegations within the zone.

The word "SHOULD" is used here, so no one is explicitly forbidden from deviating away from this BCP, but it's still a really bad idea. Even if several MSOs have transitioned to making their DNS servers IPv6 enabled, the amount of traffic that you would be forfeiting from the internet is somewhat ludicrous. That's an opinion obviously, but consider this: Google's public DNS service does not communicate with IPv6 servers at all unless you submit a query over IPv6. The majority of traffic submitted to them is over IPv4, and the infrastructure responsible for those queries does not talk to IPv6 DNS servers.

If you need one iron clad reason for why this is a bad idea, there you have it. But the larger concern really should be "too many DNS servers won't talk to you for this to be a realistic design decision".

    
Well, nameservers of ISPs do recursion, they might be “dual stack”, and hence Ī expect them to query my hypothetical IPv6-only servers. Do you realize your lengthy quote does not address the question? By the way, why are you sure that my IPv6-only server will not have IPv4? Ī said it will not have A records, i.e. inaccessible via IPv4 from the Internet. It can have an IPv4 connection in LAN with an RFC-1918 address and, hence, perfectly can do recursion (for its local clients) via upstream NSes and/or NAT. –  Incnis Mrsi 15 hours ago  
Not all ISPs currently do, and the Google example demonstrates that not all of those who are capable of doing so will. Creating an interoperability problem with clients who use Google's open IPv4 resolvers is tantamount to operator self-sabotage. As for not providing A records, I've already directed you toward reading the first section of BCP91. The quoted section is the conclusion reached: all DNS zones SHOULD have an IPv4 reachable nameserver (A record glue). You can argue the BCP if you like, but most professional DNS operators will not. –  Andrew B 15 hours ago
    
OK, thank you for explanations. –  Incnis Mrsi 15 hours ago  
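An added example (not part of the original answer or the RFC) of the zone validation that the quoted BCP 91 note describes, run against the zone from the question: it classifies each apex NS by the address record types known for it. The function name and the `external` parameter are hypothetical, and the parser only handles the simple `owner IN type rdata` layout used in the question.

```python
# Zone text copied from the question; origin assumed to be example.net.
ZONE = """\
@         IN    SOA     example.net. root.example.net.
;
@         IN    NS      commercial.DNS.example.
@         IN    NS      homebrew
homebrew  IN    AAAA    2001:db8::c001:5eff
service   IN    A       198.51.100.3
service   IN    AAAA    2001:db8::c000:0001
"""

def fqdn(name, origin):
    """Expand '@' and relative names against the origin; names compare lowercase."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def audit_ns_transport(zone_text, origin, external=None):
    """Return ({ns_name: status}, ipv4_reachable_ns_confirmed).
    external: hypothetical {name: {"A", "AAAA"}} gathered by looking up
    out-of-zone name servers, which the zone file itself cannot describe."""
    origin = origin.lower()
    ns_names, addrs = [], {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()     # drop comments
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue
        owner, rtype = fqdn(fields[0], origin), fields[2].upper()
        if rtype == "NS" and owner == origin:
            ns_names.append(fqdn(fields[3], origin))
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(rtype)
    for name, rtypes in (external or {}).items():
        addrs.setdefault(fqdn(name, origin), set()).update(rtypes)
    report = {}
    for name in ns_names:
        have = addrs.get(name, set())
        if "A" in have:
            report[name] = "dual-stack" if "AAAA" in have else "ipv4-only"
        elif "AAAA" in have:
            report[name] = "ipv6-only"
        else:
            report[name] = "unknown"              # no address data available
    ok = any(s in ("ipv4-only", "dual-stack") for s in report.values())
    return report, ok

if __name__ == "__main__":
    print(audit_ns_transport(ZONE, "example.net."))
```

From the zone data alone the check cannot confirm an IPv4-reachable server, because the only in-zone NS has just an AAAA record and the other NS lives outside the zone.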

All TLDs should support this, however for the near future having a DNS server with a v6 only address would have too many limitations.

    
Elaborate, please. List 2–3 concrete limitations. Otherwise it looks like an opinion, not an expert assessment. –  Incnis Mrsi 16 hours ago  
@IncnisMrsi I don't think people here are going to do your homework for you. –  Nathan C 16 hours ago
It is an opinion, from an expert; there is no set answer here. –  Jim B 14 hours ago