How Many RIPE Atlas Probes Can Resolve IPv6-only Domain Names?
Note that this is a different issue than the one explored in the article on the IPv6 connectivity of the probes. Here, we are interested in the IPv6 connectivity of the probe's resolvers, which can be quite different. Some probes use a local resolver, some use the resolver of the Internet Access Provider (IAP) and some rely on a very remote public resolver such as OpenDNS or Google Public DNS. How does the probe choose? There is no DNS Router Advertisement (RA) (see RFC 6106) or DHCPv6 client (see RFC 3315) in the probe. Although there is a way for the probe host to hardcode a DNS resolver in the probe, the most common way for a RIPE Atlas probe to know its resolver is through DHCPv4 on its local network.
Note also that it would be dangerous to infer anything about the general population of Internet users: RIPE Atlas probes are not distributed randomly, they are often in "geeky" networks and therefore have probably access to more IPv6-ready resolvers than the general public.
% dig +short NS ipv6.1149.fr
% dig +short A ipv6onlyns.1149.fr.
% dig +short AAAA ipv6onlyns.1149.fr.
If we query such a name through a resolver (in this case we used OARC's ODVR), we can see if the resolver has IPv6 connectivity (it's the case here) or not:
% dig +short @126.96.36.199 SOA ipv6.1149.fr
ipv6onlyns.1149.fr. sysadmin.1149.fr. 2013112701 3600 15 604800 3600
Note that this is completely independent of the protocol family (IPv4 or IPv6) that we use to reach the resolver (except in some unusual setups where the service IP address of the resolver is used to route to some specific data centers, with different connectivity).
What happens to a resolver with only IPv4 connectivity? Since it cannot reach the authoritative name servers of the zone, we get a SERVFAIL return code :
% dig @188.8.131.52 SOA droneaud.org
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @184.108.40.206 SOA droneaud.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8306
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;droneaud.org. IN SOA
;; Query time: 1007 msec
;; SERVER: 220.127.116.11#53(18.104.22.168)
;; WHEN: Tue Dec 24 09:34:03 2013
;; MSG SIZE rcvd: 41
First, we're showing the results of the measurements to well-known domains. We assume that those are stable and well-reachable, at least over IPv4:
- Measurement #1402381, for instance, queries ietf.org. The success rate is 98 % (it is never 100 %, some probes have temporary or permanent DNS issues).
- Measurement #1402382 tries amazon.com, and gets the same result (note one lying resolver, redirecting Amazon customers to unostructure.com: it has been counted as a failure).
- Some domains have a lower success rate, like impots.gouv.fr (official tax Web site), tested by #1402384 at a success rate of 96 %.
Secondly, we're showing measurement results to domains that are IPv6-only and therefore can only be resolved by some resolvers. Those are the domains we were interested in in our research:
- #1402371 measures ipv6.1149.fr, a domain with only one name server. The success rate is 61 %.
- #1402372 measures v6ns.test-ipv6.com which also has a success rate of 61 %.
- Unlike the previous two domains, droneaud.org, used in measurement #1402374, has two name servers which might explain a better success rate of 67 %.
As expected, the success rate with IPv6-only domain names (around two thirds) is much lower than with "mixed" domain names. We are not yet ready to switch off IPv4. If you serve a domain name only on IPv6 name servers, you will get less traffic (and probably less spam, too).
Nevertheless, one can notice that the success rate in resolving these IPv6-only domain names is higher than the number of probes having IPv6 connectivity. So, we can say that the typical DNS resolver is more IPv6-enabled than its clients.
Was it only a funny test for bored engineers? The practical importance of this test is that, for DNS, you need public IP addresses, a scarce resource in IPv4, and you cannot rely on names. So, the ability to resolve IPv6-only name servers, which have apparently not been measured before, is an important metric to monitor in the future.