[AusNOG] IPv6 and DNS

Mark Andrews marka at isc.org
Mon Aug 18 11:35:49 AEST 2025


The IETF is currently updating the requirements for IPv6 support with respect
to the DNS (https://datatracker.ietf.org/doc/draft-ietf-dnsop-3901bis/04/).

Basically the new requirements are that every zone is required to have both
IPv4 and IPv6 servers to be compliant.  RFC 3901 only required IPv4
servers.  It also points out some common configuration errors that happen
when trying to do this like missing glue, delegation NS records only being
in one family, etc.

I happened to be looking at the nameservers for optusnet.com.au because they
were not accepting TCP queries as is required by RFC 7766 and noticed that
this zone provides a perfect example of the things that can go wrong if you
don’t take care.  The zone has nameservers that support both IPv4 and IPv6 but
the delegating nameservers only support IPv4.  The Akamai servers are all dual
stacked.  This could be fixed by adding the Akamai servers to the delegation.
This would also remove the single point of failure at the DNS level where all
the servers are behind the same AS.  The Akamai servers also accept TCP connections
so the zone would be resolvable if the client needs to protect itself from
spoofing attacks as ns1.optusnet.com.au and ns2.optusnet.com.au don’t have DNS
COOKIE enabled.

This was not to pick on Optus.  I’m sure I could find other .AU zones that are
equally poorly managed.

Mark

% dig ns optusnet.com.au @a.au
;; BADCOOKIE, retrying.

; <<>> DiG 9.21.3-dev <<>> ns optusnet.com.au @a.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12659
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e366cdde819deb8b0100000068a280b6444cb1752c17d62a (good)
;; QUESTION SECTION:
;optusnet.com.au. IN NS

;; AUTHORITY SECTION:
optusnet.com.au. 3600 IN NS ns1.optusnet.com.au.
optusnet.com.au. 3600 IN NS ns2.optusnet.com.au.

;; ADDITIONAL SECTION:
ns2.optusnet.com.au. 3600 IN A 203.2.75.12
ns1.optusnet.com.au. 3600 IN A 203.2.75.2

;; Query time: 33 msec
;; SERVER: 58.65.254.1#53(a.au) (UDP)
;; WHEN: Mon Aug 18 11:24:06 AEST 2025
;; MSG SIZE  rcvd: 140

% dig ns optusnet.com.au @203.2.75.2

; <<>> DiG 9.21.3-dev <<>> ns optusnet.com.au @203.2.75.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62297
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;optusnet.com.au. IN NS

;; ANSWER SECTION:
optusnet.com.au. 86400 IN NS a9-67.akam.net.
optusnet.com.au. 86400 IN NS ns1.optusnet.com.au.
optusnet.com.au. 86400 IN NS ns2.optusnet.com.au.
optusnet.com.au. 86400 IN NS a1-70.akam.net.
optusnet.com.au. 86400 IN NS a11-65.akam.net.
optusnet.com.au. 86400 IN NS a2-65.akam.net.
optusnet.com.au. 86400 IN NS a24-66.akam.net.
optusnet.com.au. 86400 IN NS a26-66.akam.net.

;; Query time: 24 msec
;; SERVER: 203.2.75.2#53(203.2.75.2) (UDP)
;; WHEN: Mon Aug 18 11:26:26 AEST 2025
;; MSG SIZE  rcvd: 211

% 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
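
Added example, not part of the original post: a small offline check that compares the parent's delegation with the zone's own NS set and reports which in-zone name servers lack A or AAAA glue, run over the record lines from the two dig answers above. The function names and result keys are illustrative assumptions.

```python
import ipaddress

# Record lines copied from the two dig answers in the post (parent a.au, child 203.2.75.2).
PARENT = """\
optusnet.com.au. 3600 IN NS ns1.optusnet.com.au.
optusnet.com.au. 3600 IN NS ns2.optusnet.com.au.
ns2.optusnet.com.au. 3600 IN A 203.2.75.12
ns1.optusnet.com.au. 3600 IN A 203.2.75.2
"""
CHILD = "".join(
    f"optusnet.com.au. 86400 IN NS {n}\n"
    for n in ("a9-67.akam.net.", "ns1.optusnet.com.au.", "ns2.optusnet.com.au.",
              "a1-70.akam.net.", "a11-65.akam.net.", "a2-65.akam.net.",
              "a24-66.akam.net.", "a26-66.akam.net."))


def parse(text):
    """Return (NS target names, {owner: address families}) from dig record lines."""
    ns, families = set(), {}
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) != 5:
            continue  # skip dig comments, blanks, anything not "owner ttl class type rdata"
        owner, _ttl, _cls, rtype, rdata = fields
        if rtype == "NS":
            ns.add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            families.setdefault(owner.lower(), set()).add(ipaddress.ip_address(rdata).version)
    return ns, families


def audit(zone, parent_text, child_text):
    """Compare the parent's delegation with the zone's own NS set and check glue families."""
    parent_ns, glue = parse(parent_text)
    child_ns, _ = parse(child_text)
    # Only names inside the delegated zone need glue; others (akam.net here) resolve elsewhere.
    in_zone = sorted(n for n in parent_ns if n.endswith("." + zone))
    return {
        "not_delegated": sorted(child_ns - parent_ns),
        "not_in_zone": sorted(parent_ns - child_ns),
        "glue_missing_v4": [n for n in in_zone if 4 not in glue.get(n, set())],
        "glue_missing_v6": [n for n in in_zone if 6 not in glue.get(n, set())],
    }


if __name__ == "__main__":
    for check, names in audit("optusnet.com.au.", PARENT, CHILD).items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

It only sees the glue present in the parent's response, so address families of out-of-zone name servers still need their own A and AAAA lookups.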


