Each RIPE Atlas probe has at least one DNS resolver, indicated by a DHCP reply on the local network of the probe. Irrespective of the IP address of the resolver, this server may have IPv4 and IPv6 connectivity or only IPv4 connectivity. What is the percentage among RIPE Atlas probes?
Caveats
Note that this is a different issue than the one explored in the article on the IPv6 connectivity of the probes . Here, we are interested in the IPv6 connectivity of the probe's resolvers, which can be quite different. Some probes use a local resolver, some use the resolver of the Internet Access Provider (IAP) and some rely on a very remote public resolver such as OpenDNS or Google Public DNS. How does the probe choose? There is no DNS Router Advertisement (RA) (see RFC 6106 ) or DHCPv6 client (see RFC 3315 ) in the probe. Although there is a way for the probe host to hardcode a DNS resolver in the probe, the most common way for a RIPE Atlas probe to know its resolver is through DHCPv4 on its local network.
Note also that it would be dangerous to infer anything about the general population of Internet users: RIPE Atlas probes are not distributed randomly, they are often in "geeky" networks and therefore have probably access to more IPv6-ready resolvers than the general public.
Methodology
How do we measure? We ask probes to resolve several names, using the probe's resolver (choose option "use_probe_resolver" in the API ). Some of the names we test are well-known names, served by several authoritative name servers, both IPv4 and IPv6. They are used as a reference, to see if some probes have general DNS resolution problems. Other names are served only by IPv6 name servers. Let's use, as an example, ipv6.1149.fr. It has only one name server, which has only one IP address, an IPv6 one. See the dig results below:
% dig +short NS ipv6.1149.fr
ipv6onlyns.1149.fr.
% dig +short A ipv6onlyns.1149.fr.
% dig +short AAAA ipv6onlyns.1149.fr.
2001:470:b519:1:5054:ff:fe59:353
If we query such a name through a resolver (in this case we used OARC's ODVR ), we can see if the resolver has IPv6 connectivity (it's the case here) or not:
% dig +short @149.20.64.20 SOA ipv6.1149.fr
ipv6onlyns.1149.fr. sysadmin.1149.fr. 2013112701 3600 15 604800 3600
Note that this is completely independent of the protocol family (IPv4 or IPv6) that we use to reach the resolver (except in some unusual setups where the service IP address of the resolver is used to route to some specific data centers, with different connectivity).
What happens to a resolver with only IPv4 connectivity? Since it cannot reach the authoritative name servers of the zone, we get a SERVFAIL return code :
% dig @208.67.222.220 SOA droneaud.org
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @208.67.222.220 SOA droneaud.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8306
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;droneaud.org. IN SOA
;; Query time: 1007 msec
;; SERVER: 208.67.222.220#53(208.67.222.220)
;; WHEN: Tue Dec 24 09:34:03 2013
;; MSG SIZE rcvd: 41
The measurements done here are started through the RIPE Atlas API , using the Python program resolve-name.py, available in the Github community repository .
Results
First, we're showing the results of the measurements to well-known domains. We assume that those are stable and well-reachable, at least over IPv4:
- Measurement #1402381, for instance, queries ietf.org. The success rate is 98 % (it is never 100 %, some probes have temporary or permanent DNS issues).
- Measurement #1402382 tries amazon.com, and gets the same result (note one lying resolver, redirecting Amazon customers to unostructure.com: it has been counted as a failure).
- Some domains have a lower success rate, like impots.gouv.fr (official tax Web site), tested by #1402384 at a success rate of 96 %.
Secondly, we're showing measurement results to domains that are IPv6-only and therefore can only be resolved by some resolvers. Those are the domains we were interested in in our research:
- #1402371 measures ipv6.1149.fr, a domain with only one name server. The success rate is 61 %.
- #1402372 measures v6ns.test-ipv6.com which also has a success rate of 61 %.
- Unlike the previous two domains, droneaud.org, used in measurement #1402374, has two name servers which might explain a better success rate of 67 %.
Conclusion
As expected, the success rate with IPv6-only domain names (around two thirds) is much lower than with "mixed" domain names. We are not yet ready to switch off IPv4 . If you serve a domain name only on IPv6 name servers, you will get less traffic (and probably less spam, too).
Nevertheless, one can notice that the success rate in resolving these IPv6-only domain names is higher than the number of probes having IPv6 connectivity. So, we can say that the typical DNS resolver is more IPv6-enabled than its clients.
Was it only a funny test for bored engineers? The practical importance of this test is that, for DNS, you need public IP addresses, a scarce resource in IPv4, and you cannot rely on names. So, the ability to resolve IPv6-only name servers, which have apparently not been measured before, is an important metric to monitor in the future.
Comments 4
Comments are disabled on articles published more than a year ago. If you'd like to inform us of any issues, please reach out to us via the contact form here.
Freek Dijkstra •
Very nice test! The 67% success rate is actually higher than I expected, though of course still not enough. About once a year I give a short colloquium to System and Network Engineering students at a local university. Two years ago I started a little challenge: drop me an email. The first year I used a IDN email address. Previous year I had a IDN on a IPv6-only name server. They surprised me by sending me an email in 2 minutes. This year the email address will be <√9@3.14π.eu>. Feel free to try yourself, though unfortunately readers of this blog only receive my congratulations. Last years, the fastest student got an IPv6 buddy (ipv6buddy.com) At least it makes them aware of stuff like this!
Frank Bulk •
Here's another IPv6-only domain -- onlyv6.com
Stéphane Bortzmeyer •
onlyv6.com has three name servers (good). Its success rate (measurement #1414846), as expected, is 67 %.
Stéphane Bortzmeyer •
Now that there are automatic (system) tags (they did not existed at the time of my article), the proper solution is to include only probes with tag system-ipv6-works. See the difference: % python reachability+retrieve.py -r 100 -t 1 2001:4b98:dc2:45:216:3eff:fe4b:8c5b 93 probes reported Test done at 2015-12-11T15:12:51Z Tests: 86 successful tests (92.5 %), 2 errors (2.2 %), 5 timeouts (5.4 %), average RTT: 86 ms % python reachability+retrieve.py -r 100 -t 1 --include system-ipv6-works 2001:4b98:dc2:45:216:3eff:fe4b:8c5b 99 probes reported Test done at 2015-12-11T15:14:25Z Tests: 98 successful tests (99.0 %), 0 errors (0.0 %), 1 timeouts (1.0 %), average RTT: 86 ms