Where’s my AAAA record?

I’ll conclude this week’s IPv6 saga with a fair question I’ve received several times during the last few days: “Where’s your AAAA record?” The snappy answer would be “if you can’t see it, your ISP is not ready for production-grade IPv6”; the reality is a bit more complex.

What’s going on behind the scenes

First of all, my infrastructure spans a bit more than a single host. My blog is hosted at Google (Blogger), my web site runs in a VM within the DMZ of my company (if I were vapor-inclined, I would say it runs within the publicly-accessible part of our private cloud, but we prefer to call it HyperCenter), the ticketing system for my webinars is run by Eventbrite and the live session and recording delivery relies on Webex. There are also odd third-party bits-and-pieces, including the JS-Kit (now Echo) commenting system, Google Analytics and jQuery libraries hosted at Google Code.

Lesson#1 – The infrastructure used by your web presence might be more complex than you realize. When doing an IPv6 readiness audit, make sure you cover all of the bits and pieces.
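The audit in Lesson#1 is easy to start with a script. The following is an added example (not code from the post or from NIL); the component inventory is constructed sample data modelled on the list above, and the hostnames for the third-party pieces are assumptions. It resolves both A and AAAA records for every host a page depends on and classifies each one, so that an IPv4-only third-party widget does not get overlooked just because your own server is dual-stacked. The resolver is injectable, which lets the classification logic be exercised offline.

```python
"""IPv6 readiness audit of every host a web presence depends on.

Added example, not code from the post. INVENTORY is constructed sample
data; the third-party hostnames are assumptions. The default resolver
uses socket.getaddrinfo and therefore needs network access, so audit()
accepts any callable returning (ipv4_list, ipv6_list) for offline use.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed inventory: component -> hostname it is served from.
INVENTORY = {
    "blog (Blogger)": "blog.ioshints.info",
    "web site (own DMZ)": "www.ioshints.info",
    "ticketing (Eventbrite)": "www.eventbrite.com",      # assumption
    "commenting (JS-Kit / Echo)": "js-kit.com",         # assumption
    "analytics (Google)": "www.google-analytics.com",   # assumption
    "jQuery (Google hosted)": "ajax.googleapis.com",    # assumption
}

Resolver = Callable[[str], Tuple[List[str], List[str]]]


def getaddrinfo_resolver(host: str) -> Tuple[List[str], List[str]]:
    """Return (ipv4_addresses, ipv6_addresses) for host via the system resolver."""
    v4: List[str] = []
    v6: List[str] = []
    for family, bucket in ((socket.AF_INET, v4), (socket.AF_INET6, v6)):
        try:
            for info in socket.getaddrinfo(host, 443, family, socket.SOCK_STREAM):
                bucket.append(info[4][0])
        except socket.gaierror:
            pass  # no record of this family, or the name does not resolve at all
    return sorted(set(v4)), sorted(set(v6))


def audit(inventory: Dict[str, str], resolve: Resolver = getaddrinfo_resolver) -> Dict[str, str]:
    """Classify every component as dual-stack, ipv4-only, ipv6-only or unresolved."""
    report: Dict[str, str] = {}
    for component, host in inventory.items():
        v4, v6 = resolve(host)
        if v4 and v6:
            report[component] = "dual-stack"
        elif v4:
            report[component] = "ipv4-only"
        elif v6:
            report[component] = "ipv6-only"
        else:
            report[component] = "unresolved"
    return report


def blocking_components(report: Dict[str, str]) -> List[str]:
    """Components an IPv6-only visitor cannot reach; the page is only as ready as these."""
    return sorted(c for c, status in report.items() if status in ("ipv4-only", "unresolved"))


if __name__ == "__main__":
    result = audit(INVENTORY)
    for component, status in result.items():
        print(f"{component:30s} {status}")
    print("Not reachable from an IPv6-only client:", blocking_components(result))
```

The "blocking" list is the useful output: a page whose HTML is served dual-stack but whose comment widget or script library is IPv4-only is still broken for an IPv6-only visitor, which is exactly the kind of dependency Lesson#1 warns about.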

Blogger (and blog.ioshints.info) is reachable over IPv6, but only by those ISPs that participate in Google’s IPv6 Partner program (see the Supporting documentation section at the bottom of this post). The reason is very simple: global IPv6 connectivity is still not as reliable as the current IPv4 Internet due to heavy use of tunnels and isolated (usually accidental) IPv6 islands within enterprise networks. Recent research by Geoff Huston indicates that the IPv6 connections might fail up to 50 times more often than IPv4 connections. Anyone relying on satisfied visitors (including Google and myself) cannot simply risk losing the dual-stack visitors that might have working IPv4 connectivity and broken IPv6 connectivity.

The rules are clear: if a dual-stack client receives AAAA and A records in a DNS reply, it has to try the IPv6 address first. Apple is supposedly using a different algorithm and there’s the Happy Eyeballs draft, but I was only able to find an Erlang implementation (extremely useful for most of us, I guess).
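To make the "IPv6 first, but don't get stuck" behaviour concrete, here is an added example written for this page; it is not code from the post, from the Happy Eyeballs draft authors, or the Erlang implementation mentioned above. It follows the rule quoted above (a dual-stack client tries the IPv6 address first) but starts the IPv4 attempt after a short head start instead of waiting for the IPv6 attempt to time out, so a visitor with broken IPv6 connectivity loses a fraction of a second rather than the whole page. The head-start value, the port and the connector function are assumptions; the connector is injectable so the race can be exercised offline against a constructed "broken IPv6 path".

```python
"""Happy Eyeballs-style dual-stack connect: IPv6 first, IPv4 as the racer.

Added example, not code from the post or the Happy Eyeballs draft.
head_start and overall_timeout are assumed values; the connect
parameter lets the race be driven by a fake connector offline.
"""
import socket
import threading
import time
from typing import Callable, Iterable, List, Tuple

Connector = Callable[[str, int], object]  # returns a connection or raises OSError


def tcp_connect(addr: str, port: int, timeout: float = 5.0) -> socket.socket:
    """Real connector: open one TCP connection to a literal address."""
    return socket.create_connection((addr, port), timeout=timeout)


def happy_eyeballs(v6_addrs: Iterable[str], v4_addrs: Iterable[str], port: int,
                   connect: Connector = tcp_connect,
                   head_start: float = 0.3, overall_timeout: float = 10.0
                   ) -> Tuple[str, str, object]:
    """Return (family, address, connection) of the first attempt that succeeds.

    IPv6 addresses are tried first, in order. If none has connected or
    failed within head_start seconds, the IPv4 addresses are tried in a
    second thread; whichever attempt connects first wins and a connection
    that completes later is closed.
    """
    winner: List[Tuple[str, str, object]] = []
    errors: List[Tuple[str, str, Exception]] = []
    lock = threading.Lock()
    done = threading.Event()        # a winner exists
    v6_settled = threading.Event()  # the IPv6 attempt has won or given up

    def attempt(family: str, addrs: List[str]) -> None:
        try:
            for addr in addrs:
                if done.is_set():
                    return
                try:
                    conn = connect(addr, port)
                except OSError as exc:  # refused, unreachable, timed out ...
                    errors.append((family, addr, exc))
                    continue
                with lock:
                    if not winner:
                        winner.append((family, addr, conn))
                        done.set()
                        return
                close = getattr(conn, "close", None)  # lost the race
                if close:
                    close()
                return
        finally:
            if family == "IPv6":
                v6_settled.set()

    threads = [threading.Thread(target=attempt, args=("IPv6", list(v6_addrs)), daemon=True)]
    threads[0].start()
    v6_settled.wait(head_start)  # IPv6 gets a head start, not a monopoly
    if not done.is_set():
        t4 = threading.Thread(target=attempt, args=("IPv4", list(v4_addrs)), daemon=True)
        t4.start()
        threads.append(t4)

    deadline = time.monotonic() + overall_timeout
    while time.monotonic() < deadline and not done.is_set():
        if not any(t.is_alive() for t in threads):
            break  # every attempt has failed
        time.sleep(0.01)
    if done.is_set():
        return winner[0]
    raise OSError(f"no address was reachable: {errors}")


if __name__ == "__main__":
    # Needs network access: resolve both record types and race them (host assumed).
    host = "www.example.com"
    v6 = [i[4][0] for i in socket.getaddrinfo(host, 443, socket.AF_INET6, socket.SOCK_STREAM)]
    v4 = [i[4][0] for i in socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)]
    family, addr, conn = happy_eyeballs(v6, v4, 443)
    print(f"connected over {family} to {addr}")
    conn.close()
```

The point of the head start is the trade-off the post describes: a strict "IPv6 first" client on a broken dual-stack path waits for a full TCP timeout before it even tries IPv4, while this version limits the damage to head_start seconds and still prefers IPv6 whenever it works.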

However, nobody really knows how much damage would be done by enabling AAAA records for major web sites (like Google). The World IPv6 Day (June 8th) should answer that question – all the participating content providers will start advertising A and AAAA records for their web sites and measure the impact.

Lesson#2 – Don’t break your existing web presence by deploying IPv6

Having web sites with AAAA records definitely helps your IPv6 troubleshooting efforts (here’s a sample list you can use), but at the moment, it doesn’t matter much from the visitor experience perspective whether your web site is reachable over IPv6 (my personal opinion: there are fewer visitors that cannot get to my web site because they’re using an IPv6-only client than there would be visitors who couldn’t get there because of broken dual-stack connectivity). However, deploying production-grade IPv6 in a reasonably-sized enterprise edge and getting the mission-critical web applications IPv6-enabled takes anywhere from weeks to more than a year, so the time to start the education, auditing, budgeting and planning process is now, not in a year’s time.

Lesson#3 – we’re not yet in panic mode, but make sure you won’t wait long enough to land there.

Eating our own dog food

Those of you who have participated in my Enterprise IPv6 – the first steps webinar (register here) or bought its recording might remember the following list of steps you have to go through to get IPv6 deployed in your network edge:

  • IPv6 readiness audit – from network devices to applications
  • Get public (Provider Independent) address space
  • Get IPv6 connectivity from your ISPs (all of them!)
  • Pilot IPv6 project in a non-critical part of DMZ

This is how far we (NIL Data Communications) got so far:

Readiness audit. All devices in our DMZ are IPv6-ready, apart from Cisco’s load balancers and Cisco’s Ironport SMTP gateway, so our redundant web servers cannot be made redundant on the IPv6 side (the firewalls already are after Cisco fixed the failover bugs in ASA) and we have to use NAT64 to receive e-mail over IPv6 (thank you, Cisco, we really appreciate the opportunity to test the transitioning mechanisms!). Our IT doesn’t want to risk figuring out what happens if you enable IPv6 on Lotus Notes ;), so we use NAT64 to make those web servers that use the collaboration masterpiece from the previous millennium reachable over IPv6.

From my perspective, all the software I use for my web site (www.ioshints.info) is IPv6-ready, and I even remembered to make the remoteIP column in the logging table of the MySQL database behind my Webinar Management System 40 characters long.

Get public address space. Done.

Get IPv6 connectivity. Done more than a year ago. We use native IPv6 multihoming with all upstream ISPs. You can also check what Eric Vyncke’s web site has to say about NIL (scroll down; we’re somewhere near the bottom of the list).

Pilot IPv6 project in your DMZ. Done. Our web servers are reachable over IPv6 as www6.nil.com.

Getting more information

The first steps you have to make when considering IPv6 deployment in your enterprise network are described in my Enterprise IPv6 – the first steps webinar (buy the recording or register for an online session).

Supporting documentation

NIL is not part of Google’s IPv6 Partner Program, so the DNS query run through our web server returns the following results:

$ dig blog.ioshints.info

; <<>> DiG 9.3.3rc2 <<>> blog.ioshints.info
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40842
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;blog.ioshints.info.            IN      A

;; ANSWER SECTION:
blog.ioshints.info.     78275   IN      CNAME   ghs.google.com.
ghs.google.com.         78275   IN      CNAME   ghs.l.google.com.
ghs.l.google.com.       269     IN      A       74.125.77.121

;; Query time: 3 msec
;; SERVER: 193.77.3.94#53(193.77.3.94)
;; WHEN: Fri Mar 18 10:45:16 2011
;; MSG SIZE  rcvd: 100

However, ARNES (Slovenian academic network) does participate in the program and my friend Matjaž (their IPv6 guru) was kind enough to run the dig query for me, verifying that he can reach blog.ioshints.info over IPv6:

$ dig AAAA blog.ioshints.info

; <<>> DiG 9.6.0-APPLE-P2 <<>> AAAA blog.ioshints.info
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50197
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;blog.ioshints.info.            IN      AAAA

;; ANSWER SECTION:
blog.ioshints.info.     31577   IN      CNAME   ghs.google.com.
ghs.google.com.         437045  IN      CNAME   ghs.l.google.com.
ghs.l.google.com.       26      IN      AAAA    2a00:1450:8004::79

;; AUTHORITY SECTION:
google.com.             177852  IN      NS      ns2.google.com.
google.com.             177852  IN      NS      ns4.google.com.
google.com.             177852  IN      NS      ns3.google.com.
google.com.             177852  IN      NS      ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         178060  IN      A       216.239.32.10
ns2.google.com.         178060  IN      A       216.239.34.10
ns3.google.com.         178060  IN      A       216.239.36.10
ns4.google.com.         178060  IN      A       216.239.38.10

;; Query time: 4 msec
;; SERVER: 193.2.1.72#53(193.2.1.72)
;; WHEN: Fri Mar 18 09:29:10 2011
;; MSG SIZE  rcvd: 248

7 comments:

  1. Works fine via IPv6 here. I'm in the UK, connected to the internet via AAISP. They have been part of Google's IPv6 readiness program for some time now.

    This is from my Win7 desktop:

    ping blog.ioshints.info

    Pinging ghs.l.google.com [2a00:1450:8001::79] with 32 bytes of data:
    Reply from 2a00:1450:8001::79: time=23ms
    Reply from 2a00:1450:8001::79: time=23ms

  2. When it comes to testing Google IPv6 it's worth noting that Hurricane Electric has publicly accessible servers that are in the Google whitelist - ordns.he.net is one.

  3. Ivan Pepelnjak (18 March, 2011 16:33)

    Cool. Thank you!

  4. Cool, I do believe that's the first IPv6 windows cmd ping I've seen, something tells me I'll see a lot more before I retire!

  5. Now that the trial is in place, when does NIL plan to add AAAA to its host names?

  6. When trying this via an ipv6 enabled host I get this:

    -bash-3.2# dig AAAA blog.ioshints.info

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> AAAA blog.ioshints.info
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11588
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;blog.ioshints.info. IN AAAA

    ;; ANSWER SECTION:
    blog.ioshints.info. 43032 IN CNAME ghs.google.com.
    ghs.google.com. 5129 IN CNAME ghs.l.google.com.

    ;; AUTHORITY SECTION:
    l.google.com. 62 IN SOA ns3.google.com. dns-admin.google.com. 1445147 900 900 1800 60

    ;; Query time: 164 msec
    ;; SERVER: 4.2.2.1#53(4.2.2.1)
    ;; WHEN: Sun Mar 20 11:08:10 2011
    ;; MSG SIZE rcvd: 134
    no ipv6 address is visible....

  7. Ivan Pepelnjak (21 March, 2011 20:02)

    Checked with our IT - we will participate in the World IPv6 Day (June 8th), so you'll see our AAAA records at latest in June.


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.