Improving dnswl.org IPv6 support

dnswl.org has gradually improved the level of IPv6 support over the past months. The easy part is offering services over IPv6:

  • Most public websites are accessible over IPv6 (for well over a year now)
  • Incoming and outgoing mail may pass over IPv6
  • Nameservers for both the dnswl.org and list.dnswl.org zones have a healthy mix of IPv4 and IPv6 (and georedundancy etc)
  • Monitoring adapted to include (hopefully) all services which are also offered over IPv6
  • As a general rule, and wherever available, internal communication between dnswl.org servers happens over IPv6

A bit more work was needed to enable our internal data handling systems to support IPv6:

  • Database: the main driver for the move to Postgres was its stellar support for IPv4 and IPv6 address calculation/storage/manipulation. The migration gave us instant IPv6 support in many important areas (>> 1 year ago).
  • GUI tools: Our internal admin tools had to be adapted in order to display and parse IPv6 addresses (e.g. screen real estate, validation rules, etc.)
  • Log collection and parsing tools: Most of our log parsing has been improved to accept IPv4 and IPv6. While the tools have been updated, they have not been rolled out to all list.dnswl.org mirrors yet. Sufficient performance for log collection by sniffing on the network interface requires some advanced IP packet trickery in Perl 🙂

Work in progress:

  • DNSxL queries for IPv6 have only been defined in RFC 5782, in a form basically identical to IPv4. This is considered a risk, as the vast IPv6 address space may enable amplified DDoS attacks against DNS cache infrastructure. We are therefore trialling “DNS tree walking” in addition to the “naive” RFC 5782 approach. The implications of this will be the subject of a separate posting.
  • As the query format has not been sufficiently stabilized yet, we do not yet collect statistics about query content (from which we e.g. identify new mailservers) for IPv6.
  • Some of our export formats (e.g. for SpamAssassin) now also include IPv6 addresses.
  • Rsync access for subscribers only runs on IPv4. We may gradually start to add AAAA addresses to the rsync hostname in the near future. We are not yet sure whether this will negatively impact subscribers.
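
As an added illustration (not dnswl.org code), here is the “naive” RFC 5782 query encoding mentioned above, in Python: an IPv4 address becomes four reversed octet labels, an IPv6 address becomes 32 reversed nibble labels below the list zone, which is what makes the IPv6 name space under a DNSxL so large. The zone name list.dnswl.org is taken from this post; the function names are my own.

```python
import ipaddress


def dnsxl_query_name(addr: str, zone: str) -> str:
    """Return the DNSxL query name for addr under zone, per RFC 5782.

    IPv4 (section 2.1): the four octets in reverse order.
    IPv6 (section 2.4): all 32 hex nibbles in reverse order, one per label,
    so every IPv6 lookup yields a 32-label name below the zone apex.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        # exploded form keeps leading zeros: 2001:0db8:0000:...:0001
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels + [zone.strip("."), ""])  # trailing dot: FQDN


def address_from_query_name(qname: str, zone: str) -> str:
    """Invert dnsxl_query_name: recover the address encoded in a query name.

    Raises ValueError if the name is not below zone, or has neither the
    4 labels of an IPv4 query nor the 32 labels of an IPv6 query.
    """
    suffix = "." + zone.strip(".")
    name = qname.rstrip(".")
    if not name.endswith(suffix):
        raise ValueError(f"{qname!r} is not a query below {zone}")
    labels = name[: -len(suffix)].split(".")[::-1]
    if len(labels) == 4:
        return str(ipaddress.IPv4Address(".".join(labels)))
    if len(labels) == 32:
        hextets = ["".join(labels[i:i + 4]) for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(hextets)))  # compressed
    raise ValueError(f"{qname!r}: expected 4 or 32 address labels, got {len(labels)}")


if __name__ == "__main__":
    zone = "list.dnswl.org"  # zone name from the post; addresses are constructed samples
    for addr in ("127.0.0.2", "2001:db8::1"):
        q = dnsxl_query_name(addr, zone)
        n_labels = len(q.split(".")) - len(zone.split(".")) - 1
        print(f"{addr:>12} -> {q}  ({n_labels} address labels)")
        assert address_from_query_name(q, zone) == addr
```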

What’s next?

Overall, the amount of traffic over IPv6 is minimal, but we do believe that it will grow significantly over time. All new services will be designed to support both IPv4 and IPv6 from the start, and the few remaining IPv4-only services will either be upgraded or discontinued. Eventually IPv6 will become the standard, and IPv4 the afterthought.