andrew.mcmillan.net.nz
cd /var/www; more /dev/rant >>index.html
about  blog  repository  heather  gallery
 
projects


tags
CalDAV Catalyst DAViCal Debian Family FOSS Howto Humour installs ipv6 Kids lca moodle Music N770 Programming Rants RSCDS Travel Ubuntu Web


Recent comments


 
Home
IPv6 Burninating all the Peasants

A recent thread which started on the Debian Release mailing list caught my eye this week. I attempted to aid the migration of this thread to the debian-ipv6 mailing list, which is really a better place for this and sorely in need of controversial topics for discussion.

It is interesting how people can so blindly decide that broken things should be destroyed. Repair often appears not to be an option, even for a long-term, wide-reaching effort like this, though we are all working on open-source software!

In this case there are an unknown number of less fortunate people in the world who are located behind some kinds of broken DNS infrastructure which discards 'AAAA' lookups. Of course 'AAAA' lookups are attempts to resolve a name to an IPv6 address, and the resolver in a 'modern' libc (i.e. one from the last five years or so :-) will try to retrieve an IPv6 address before it attempts to resolve a name as IPv4 with an 'A' lookup. That is how the standard is written, so if you want to comply with the standard you have to do it that way. Other things also interfere, but this element of the specified behaviour seems to cause the most annoying and pointless whingeing I have heard.

I suppose that the people who want working IPv6 make it so, and do not have problems with this behaviour. But it seems that people who are behind this kind of broken DNS either disable IPv6, or they have to whine about IPv6 being turned on by default, and can't we please all go back to the good old days. What's wrong with IPv4 anyway? Doesn't NAT solve all of it's problems? Are we sure this new (heh!) technology is safe?

Fortunately some people are so good at making their pain felt by other people that they can get other people to do their work for them. So Mithrandir has written a nice elegant patch for libc6 so that it won't do the IPv6 lookups unless you have a usable IPv6 configuration. I've filed bug #435646 against Debian to get this included, but Aurelian Jarno justifiably wants a few people to test it a bit harder... So I've taken the original patch and tweaked it to apply against current libc6 sources (2.6-5) and tested it for myself. It works as desired, as far as I can see, when comparing behaviour with an unpatched system. The patch is attached to the bug report, of course.

Perhaps some other people out there can put a wee bit of CPU into testing this for other environments so that we can make life easier for those people with no time / inclination to use IPv6, to ensure that they don't just disable it because it is making life too painful for them in it's current form?

How to build libc6 for fun and proft

If you have appropriate deb-src URLs configured, and are running Sid, then the following will let you build a local copy of libc6 with the patch. This is probably better testing than if I just make my packages available (which are only i386 in any case).


apt-get build-dep glibc
apt-get source glibc
cd glibc-2.6.1
debian/rules unpack
cd build-tree/glibc-2.6.1
wget -Oglibc-only-lookup-ipv6-if-it-makes-sense-debian.patch http://tinyurl.com/3xzm3o
patch -p1 <glibc-only-lookup-ipv6-if-it-makes-sense-debian.patch
cd -
dch --newversion 2.6.1-1+v6 "Apply IPv6 Resolver Sanity"
fakeroot debian/rules binary

Wait a few hours for it to build...

Install...

And then confirm that this only does 'AAAA' lookups if (when) you actually have a global or site scoped IPv6 address. When you only have a loopback or link local IPv6 address then you should only see 'A' record lookups.

Step 3: profit!

Whoops! I forgot the fun bit: please update the bug report :-)

What the patch does

In my opinion this is quite an elegant solution from Tolleff. He has picked a single characteristic of the IPv6 interfaces to further refine whether the IPv6 configuration of some interface is actually usable.

With IPv6 it is much more common to have multiple addresses assigned to a single interface. Interfaces are automatically configured with a link-local address which is not globally routable, and the loopback interface is also configured with the IPv6 equivalent of 127.0.0.1 (which is "::1").

To get a usable IPv6 setup you will also end up with a more widely usable address. In most cases this will be a global address, meaning that it is (in theory) globally routable from other people who also have global addresses, or you could have a "site" address, which is the IPv6 equivalent of RFC1918 addressing.

The patch considers that for the purposes of name resolution, it will be pointless to do AAAA lookups unless you have an address of the second kind. This means that people behind broken DNS won't be impacted unless the try and set up IPv6, and people who don't try and set up IPv6 won't get the 'hesitation' while their system attempts to resolve each address in IPv6 space first.

It will also mean that when people start to enable IPv6 around them, their setup will continue to work correctly.

Can someone running an

Can someone running an ad-hoc wireless network with local addresses still rely on multicast dns in /etc/nsswitch.conf, or does this turn off all lookups?

by Anoisymouse (not verified) at 2007-08-04 06:19  reply

I think I need more information...

That is an excellent question, and the sort of reason I posted this up here in the first place.

From my reading of http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt, which is presumably what you are talking about, Multicast DNS is intended to work fine without IPv6 present.

If you have some specific situation I could test then I will need some kind of idiot proof list of things to look for when I have (a) my patch installed, and (b) no global or site local IPv6 addresses, in order to confirm that it still all works.

If it doesn't work adequately in some way with only IPv4 functionality of multicast DNS, it would still work as soon as a site-local IPv6 address was assigned. This might not prove to be a problematic constraint, but I'm afraid I would have to understand multicast DNS a lot more than I do now.

Regards,
Andrew.

by andrew at 2007-08-04 12:04  reply

LAN = unusable?

So, local area networks are now considered "unusable"?
How fun it'll be to debug why DNS "doesn't work" when you set it up for link local ip-adresses.
Not all nodes needs to be (or even should be) globally reachable....

by Anoisymouse (not verified) at 2007-08-05 11:35  reply

Are you confusing link-local with site-local address?

A LAN should be using site-local addresses, rather than just link-local addreses.

These are the IPv6 equivalent to RFC1918 addresses like 192.168/16, 10/8 and so forth and this patch will activate the use of IPv6 AAAA lookups if such addresses are in use.

Regards,
Andrew.

by andrew at 2007-08-05 12:11  reply

Re: link-local

A LAN should be using site-local addresses, rather than just link-local addreses.

Oops, not quite right there, but I suspect you misspoke. Site local addresses have been deprecated. I suspect you meant to say Unique Local Addresses (ULA), which were defined to deal with some issues that site-local doesn't work with.

But just to agree with your statement, you should definitely not be using link-local addresses for anything but routing configuration. I typically just think of it as a behind-the-scenes address (Router and neighbour solicitation/advertisement messages use it).

by Nick 'Zaf' Clifford (not verified) at 2007-08-16 20:20  reply

Unique Local Addresses

Thanks for giving me the benefit of the doubt, and I guess by 'site-local' addresses I did only really meant "something locally routeable, but not globally routeable". "Site-local" addresses have, of course, been deprecated for very good reasons. In truth: they have been deprecated for just the sort of reasons that have caused the pain which many of us are familiar with through our RFC1918 experiences.

I guess it is true that Unique Local Addresses are better, but I'm not really sure that is saying much. If they can possibly be avoided then they should be avoided. I think we still need a more trustable DNS infrastructure to be able to consider IP addresses something irrelevant.

by andrew at 2007-08-16 21:43  reply

Force with environment

Wouldn't it be useful to force one behavior or another by using an environment variable.
If this patch is to be distributed to everybody, I'm sure there are valid cases where we want to only access to a local ipv6 dns. Such a variable could avoid corner cases.

by Anoisymouse (not verified) at 2008-04-14 09:37  reply

Corner Cases

Yeah... maybe :-)

In the end the patch wasn't accepted into Debian because of some corner case much as you say. I didn't push harder because it seems there are probably better ways of making sure IPv6 works for more people.

I continue to push for IPv6 support, and at Catalyst we now have three nameservers, mail server, LAN, IRC server, Proxy server, wireless LAN and various web servers all actively available and using IPv6.

Learning through doing does expose problems that I don't think you see or think about in testing, but the setup generally works well.

We've pretty much reached the stage where everything we run could be IPv6 enabled, and it's just a matter of steadily increasing our coverage while understanding and working round any issues.

Cheers,
Andrew McMillan.

by andrew at 2008-04-17 22:28  reply

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Image CAPTCHA
Copy the characters (respecting upper/lower case) from the image.
  

May 2008

March 2008

February 2008

January 2008

November 2007

October 2007

September 2007

August 2007

July 2007

June 2007