IPv6 addresses on content DNS servers?


#1

I’ve recently started dipping my toes in the IPv6 water, enabling my VM’s IPv6 allocation from Bytemark and also getting an IPv6 tunnel from he.net for use at home. Everything seems to be going well so far, and Bytemark have been very helpful.

I’ve been working through the he.net IPv6 certification programme, and have hit a block. The next stage for me requires that my domain’s DNS servers are reachable via IPv6. But “my” DNS servers are the Bytemark content DNS servers, a.ns.bytemark.co.uk etc. These seem to only have IPv4 addresses. Is there a plan or a timescale to get these DNS servers IPv6-enabled, please?

(I see Thorsten Fischer asked this a year or so ago, I’m wondering if there’s been any progress…)

Cheers,
Dave


#2

This was asked about in the lobby chat yesterday too.

We’ve had a few internal discussions about this too. Essentially it boils down to the fact that we’re currently a bit concerned to add IPv6 glue records for a,b,c.ns.bytemark.co.uk in case there are ISPs out there with broken IPv6 connections to their caching nameservers. If we added IPv6 glue records to our nameservers, potentially we’d break resolution for customers with these ISPs, for all our customers whose domains are delegated to our nameservers.

However, there are work-arounds for this, but we’re not sure which way we’re going to jump yet.

Best wishes,

Patrick


#3

That’s fair enough - and thanks for letting us know it’s under consideration.

Maybe you could add the records just for World IPv6 Day? http://isoc.org/wp/worldipv6day/ :)

Cheers,
Dave


#4

One possible temporary solution could be to enable it on one of the servers. That would enable v6-only access while still enabling broken servers to talk to the other two…


#5

We’re getting here slowly… :)


#6

Any further updates on this?

Would it be possible to operate parallel names at {a,b,c}.ns6.bytemark.co.uk which have both v4 and v6 addresses, for the benefit of those of us who want to run the risk?


#7

Now that we’ve had IPv6 Launch Day yesterday, is there any further progress on this?


#8

Not really related, but…
Yesterday I decided to log IPv6 traffic to my servers. I discovered a lot of destination port 135 activity, a little on port 136: this all appeared to be between the server and Bytemark IP addresses (router?).
What I did not expect is quite a lot of traffic on port 123 with an OVH hosted IP address. Also the occasional OUTPUT on port 80 to a Debian IP address - security scan (which did not get a response).
Advice out there is to set up firewalls to DROP all IPv6 traffic if the server is not using IPv6. I am not using Bytemark for DNS and my DNS service does not yet offer IPv6 (or, if it does, they hide it well).
Does anyone have a default ip6tables script which blocks everything necessary until such time as the UK catches up on IPv6? - part of me does not want to DROP everything in case my IP address is suddenly converted from IPv4 to IP46 and I can no longer access the server.
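
Added example, not part of the post above and not Bytemark's configuration: a default-deny IPv6 ruleset of the kind post #8 asks for, which still admits SSH and the ICMPv6 messages IPv6 needs to function, so the server stays reachable if it starts being used over IPv6. The function name `ip6_ruleset` and the `SSH_PORT` variable (default 22) are hypothetical, and reading the post's "port 135/136" as ICMPv6 types 135/136 (Neighbour Solicitation/Advertisement) is an assumption about what was logged.

```shell
#!/bin/sh
# Emits a default-deny IPv6 ruleset in ip6tables-restore format.
# Assumption: SSH is the only inbound service; SSH_PORT defaults to 22.
SSH_PORT="${SSH_PORT:-22}"

ip6_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # ICMPv6 errors and echo: 1 destination unreachable, 2 packet too big
    # (needed for path MTU discovery), 3 time exceeded, 4 parameter problem,
    # 128/129 echo request/reply.
    for t in 1 2 3 4 128 129; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # Neighbour Discovery: 133/134 router solicitation/advertisement,
    # 135/136 neighbour solicitation/advertisement. Genuine on-link NDP
    # always arrives with hop limit 255, so anything else is dropped.
    for t in 133 134 135 136; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 6/min -j LOG --log-prefix "ip6-drop: "
COMMIT
EOF
}

# Validate without applying:  ip6_ruleset | ip6tables-restore --test
# Apply (as root):            ip6_ruleset | ip6tables-restore
```

Blocking Neighbour Discovery along with everything else stops the host resolving its router on the link, which is why the ruleset accepts those types rather than dropping all IPv6.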


#9

https://www.mythic-beasts.com/ipv6/health-check?domain=bytemark.co.uk&submit=Test#test-details-nameserver-glue suggests that there are now glue records for bytemark’s nameservers, is that correct?