I’ll conclude this week’s IPv6 saga with a fair question I’ve received several times during the last few days: “Where’s your AAAA record?” The snappy answer would be “if you can’t see it, your ISP is not ready for production-grade IPv6”; the reality is a bit more complex.
What’s going on behind the scenes
First of all, my infrastructure spans a bit more than a single host. My blog is hosted at Google (Blogger), my web site runs in a VM within the DMZ of my company (if I would be vapor-inclined, I would say it runs within the publicly-accessible part of our private cloud, but we prefer to call it HyperCenter), the ticketing system for my webinars is run by Eventbrite and the live session and recording delivery relies on Webex. There are also odd third-party bits-and-pieces, including JS-Kit (now Echo) commenting system, Google Analytics and jQuery libraries hosted at Google Code.
Lesson#1 – The infrastructure used by your web presence might be more complex than you realize. When doing an IPv6 readiness audit, make sure you cover all of the bits and pieces.
Blogger (and blog.ioshints.info) is reachable over IPv6, but only by those ISPs that participate in Google’s IPv6 Partner program (see the Supporting documentation section at the bottom of this post). The reason is very simple: global IPv6 connectivity is still not as reliable as the current IPv4 Internet due to heavy use of tunnels and isolated (usually accidental) IPv6 islands within enterprise networks. Recent research by Geoff Huston indicates that the IPv6 connections might fail up to 50 times more often than IPv4 connections. Anyone relying on satisfied visitors (including Google and myself) cannot simply risk losing the dual-stack visitors that might have working IPv4 connectivity and broken IPv6 connectivity.
The rules are clear: if a dual-stack client receives AAAA and A records in a DNS reply, it has to try the IPv6 address first. Apple is supposedly using a different algorithm and there’s the Happy Eyeballs draft, but I was only able to find an Erlang implementation (extremely useful for most of us, I guess).
However, nobody really knows how much damage would be done by enabling AAAA records for major web sites (like Google). The World IPv6 Day (June 8th) should answer that question – all the participating content providers will start advertising A and AAAA records for their web sites and measure the impact.
Lesson#2 – Don’t break your existing web presence by deploying IPv6
Having web sites with AAAA records definitely helps your IPv6 troubleshooting efforts (here’s a sample list you can use), but at the moment, it doesn’t matter much whether your web site is reachable over IPv6 from the visitor experience perspective (my personal opinion: there are fewer visitors that cannot get to my web site because they’re using IPv6-only client than there would be those would couldn’t get there because of broken dual-stack connectivity). However, deploying production-grade IPv6 in reasonably-sized enterprise edge and getting the mission-critical web applications IPv6-enabled takes anywhere from weeks to more than a year, so the time to start the education, auditing, budgeting and planning process is now, not in a year’s time.
Lesson#3 – we’re not yet in panic mode, but make sure you won’t wait long enough to land there.
Eating our own dog food
Those of you, who have participated in my Enterprise IPv6 – the first steps webinar (register here) or bought its recording, might remember the following list of steps you have to go through to get IPv6 deployed in your network edge:
- IPv6 readiness audit – from network devices to applications
- Get public (Provider Independent) address space
- Get IPv6 connectivity from your ISPs (all of them!)
- Pilot IPv6 project in a non-critical part of DMZ
This is how far we (NIL Data Communications) got so far:
Readiness audit. All devices in our DMZ are IPv6-ready, apart from Cisco’s load balancers and Cisco’s Ironport SMTP gateway, so our redundant web servers cannot be made redundant on the IPv6 side (the firewalls already are after Cisco fixed the failover bugs in ASA) and we have to use NAT64 to receive e-mail over IPv6 (thank you, Cisco, we really appreciate the opportunity to test the transitioning mechanisms!). Our IT doesn’t want to risk figuring out what happens if you enable IPv6 on Lotus Notes ;), so we use NAT64 to make those web servers that use the collaboration masterpiece from the previous millennium reachable over IPv6.
From my perspective, all the software I use for my web site (www.ioshints.info) is IPv6-ready and I even remembered to make the remoteIP column in the logging table in mySQL database supporting my Webinar Management System 40 characters long.
Get public address space. Done.
Get IPv6 connectivity. Done more than a year ago. We use native IPv6 multihoming with all upstream ISPs. You can also check what Eric Vyncke’s web site has to say about NIL (scroll down; we’re somewhere near the bottom of the list).
Pilot IPv6 project in your DMZ. Done. Our web servers are reachable over IPv6 as www6.nil.com.
Getting more information
The first steps you have to make when considering IPv6 deployment in your enterprise network are described in my Enterprise IPv6 – the first steps webinar (buy the recording or register for an online session).
NIL is not part of Google’s IPv6 Partner Program, so the DNS query run through our web server returns the following results:
$ dig blog.ioshints.info ; <<>> DiG 9.3.3rc2 <<>> blog.ioshints.info ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40842 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;blog.ioshints.info. IN A ;; ANSWER SECTION: blog.ioshints.info. 78275 IN CNAME ghs.google.com. ghs.google.com. 78275 IN CNAME ghs.l.google.com. ghs.l.google.com. 269 IN A 188.8.131.52 ;; Query time: 3 msec ;; SERVER: 184.108.40.206#53(220.127.116.11) ;; WHEN: Fri Mar 18 10:45:16 2011 ;; MSG SIZE rcvd: 100
However, ARNES (Slovenian academic network) does participate in the program and my friend Matjaž (their IPv6 guru) was kind enough to run the dig query for me verifying that he can reach blog.ioshints.info over IPv6:
$ dig AAAA blog.ioshints.info ; <<>> DiG 9.6.0-APPLE-P2 <<>> AAAA blog.ioshints.info ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50197 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4 ;; QUESTION SECTION: ;blog.ioshints.info. IN AAAA ;; ANSWER SECTION: blog.ioshints.info. 31577 IN CNAME ghs.google.com. ghs.google.com. 437045 IN CNAME ghs.l.google.com. ghs.l.google.com. 26 IN AAAA 2a00:1450:8004::79 ;; AUTHORITY SECTION: google.com. 177852 IN NS ns2.google.com. google.com. 177852 IN NS ns4.google.com. google.com. 177852 IN NS ns3.google.com. google.com. 177852 IN NS ns1.google.com. ;; ADDITIONAL SECTION: ns1.google.com. 178060 IN A 18.104.22.168 ns2.google.com. 178060 IN A 22.214.171.124 ns3.google.com. 178060 IN A 126.96.36.199 ns4.google.com. 178060 IN A 188.8.131.52 ;; Query time: 4 msec ;; SERVER: 184.108.40.206#53(220.127.116.11) ;; WHEN: Fri Mar 18 09:29:10 2011 ;; MSG SIZE rcvd: 248