Recently in dns Category

Last week, the I root DNS server turned on IPv6. Currently, it's only enabled at the Stockholm node.

Here's a Google Map showing locations of IPv6-enable DNS root servers. Global nodes are in red; local nodes in blue:

View Larger Map

Almost all of the DNS roots now have at least some of their nodes IPv6-enabled. Unfortunately, they see very little traffic over IPv6. The H root, for example, sees only about 3% of their traffic over IPv6. This is an improvement over 2008, but it's still depressing.

.org gets to 100%

| | Comments (3) | TrackBacks (0)

Yesterday, the .org domain had a milestone: 100% of their namservers are IPv6-enabled. For several months, they had 80-some percent of their servers done, but last night, they v6-enabled the last one. .org is part of a small club of domains which have v6-enabled all of their nameservers:

  • .am (Armenia)
  • .asia
  • .bz (Belize)
  • .gi (Gibraltar)
  • .hn (Honduras)
  • .info
  • .lr (Liberia)
  • .mobi
  • .org
  • .tz (Tanzania)
  • .vc (Saint Vincent and the Grenadines)

These domains are well ahead of the other popular domains. Verisign publishes a quarterly report on the domain name registration business. Here are the most popular domains from their December 2008 report:

How do they stack up for IPv6 support?

Domain Percentage of nameservers with IPv6 glue
.de (Germany)33%
.uk (United Kingdom)36%
.cn (China)33%
.eu (European Union)20%

What about the "Other ccTLD" area? According to the report, here are the top ten ccTLDs (Country Code top-level domain):

Rank Domain Percentage of nameservers with IPv6 glue (China)33% (Germany)33% (United Kingdom)36% (Netherlands)57% (European Union)20% (Argentina)13% (Italy)40% (Brazil)33% (United States)50% (Australia)50%

So, there's been some good progress, but there's a lot more to do. I expect to see many more domains get to 100% in 2009. I have automated scripts that check these statistics nightly, and there's been good progress during the year. Perhaps I'll post a more detailed entry in the future.

.edu gets IPv6 glue!

| | Comments (0) | TrackBacks (0)

Last night, the .edu domain got IPv6 glue in the DNS root. I'm thrilled beyond words at this.

Most top-level domains (e.g. .com, .org, .uk) already have IPv6 glue. I'm glad Educause made this step. It's been a long-time coming.

Educause operates .edu under contract from the US Department of Commerce. In turn, they sub-contract the day-to-day operation to Verisign, which also runs the .com and .net root servers. From what I understand, Verisign is migrating .edu over to the .com and .net cluster, which will give .edu IPv6 support.

Educause has allowed subdomains to register IPv6 glue for a while ( has had IPv6 glue for at least year). The DNS root got IPv6 support earlier this year. But .edu was always this big v4-only gap in DNS. I'm really happy that it's being fixed.

$ dig -t NS edu.

; <<>> DiG 9.4.2-P2 <<>> -t NS edu.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17220
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 9

;edu. IN NS

edu. 144225 IN NS G3.NSTLD.COM.
edu. 144225 IN NS H3.NSTLD.COM.
edu. 144225 IN NS L3.NSTLD.COM.
edu. 144225 IN NS M3.NSTLD.COM.

A.GTLD-SERVERS.NET. 172700 IN AAAA 2001:503:a83e::2:30
M3.NSTLD.COM. 172700 IN A

;; Query time: 21 msec
;; SERVER: 2610:8:6800:1::4#53(2610:8:6800:1::4)
;; WHEN: Thu Nov 20 10:07:57 2008
;; MSG SIZE rcvd: 334

I just got back from the Summer 2008 Internet2 Joint Techs Workshop in Nebraska. There was a heavy focus on IPv6 at the workshop. The IPv6 Working Group announced its IPv6 Challenge. This is a challenge to Internet2 members to IPv6-enable several aspects of their networks. Joe Nasal from TNS participated in a very interesting panel discussion on campus IPv6 addressing plans (video here). Both Penn State and Stanford were on the panel. We both have a /32 from ARIN, but we've chosen to use them in very different ways. I found that rather interesting. As usual, DREN gave a useful update on their IPv6 deployment in the Department of Defense.

I gave a lightening talk on a quick way to IPv6-enable lot of DNS servers (slides here). Essentially, there is a "clustering" effect in DNS, where one server will provide authoritative DNS for three or four other domains. For example, UC Berkeley provides DNS for Columbia, UC San Francisco and UCLA. So v6-enabling that one server provides considerable extra benefit. If you map out these "clusters" in DNS, you get a list of the most beneficial servers to target. It turns out that by v6-enabling 11 extra servers, you would give 31 domains v6-reachable DNS. Put another way, that's 15% of Internet2 members, but requires upgrading only 1.5% of its nameservers.

In non-IPv6 news, there was a good DNSSEC talk from NIST. This was especially interesting in light of the recent Kaminsky DNS attack. Suffice it to say, there are still a fair number of hurdles to integrating DNSSEC.

A week-and-a-half ago, I commented that 10% of Internet2 schools had IPv6-reachable DNS. It's time to add one more: Georgetown. And, unlike many schools, Georgetown isn't piggybacking on someone else's DNS server.

For those of you keeping count, here's the updated list:

IPv6-reachable DNS in Internet2
  • Columbia University
  • Georgia Institute of Technology
  • Georgetown University
  • Indiana University
  • Internet2
  • Ohio University
  • Pennsylvania State University
  • Portland State University
  • Princeton University
  • University of California, Berkeley
  • University of California, Los Angeles
  • University of California, San Diego
  • University of California, San Francisco
  • University of Delaware
  • University of Illinois, Urbana-Champagne
  • University of Iowa
  • University of Notre Dame
  • University of Oregon
  • University of Pennsylvania
  • University of Rhode Island
  • University of South Florida
  • Virginia Tech
  • Wichita State University
  • Worcester Polytechnic Institute

The Flag of the European UnionThe DNS domains for Denmark (.dk) and St. Kitts and Nevis (.kn) recently got IPv6-reachable servers. This means that every member of the European Union has IPv6-reachable DNS. Further, the Eurpoean Union itself (.eu) and all candidate countries have IPv6-DNS. I'm impressed.

For the past few months, I've been keeping track of how many .edu domains have IPv6-reachable authoritative DNS. So far the results have been less than exciting: Less than 10% of Internet2 University Members had taken the plunge.

That's changed. We're now over the 10% threshold. Four more universities have IPv6 DNS:

  • Columbia University
  • University of California, Los Angeles
  • University of California, San Francisco
  • Virginia Tech

This means that 22 of the 212 Internet2 University members (or 10.4%) have IPv6-reachable DNS. Six months ago, that number was 5%. Doubling that in a few months makes me hopeful. I'm having a beer to celebrate.

I've noticed a clustering of .edu DNS. Typically one institution will provide DNS for many others. For example, UC Berkeley v6-enabled one of their DNS servers ( That box also provides DNS for Columbia, UCLA and UC San Francisco. Likewise, the University of Orgeon provides IPv6 DNS for Portland State and Internet2. And Indiana University also provides for UIUC and U. Rhode Island. There are many more examples.

These clusters are both good and bad. They're good because they provide "easy targets" for IPv6 -- by IPv6 enabling a handful of machines, you provide maximum coverage. They're bad because, often, they're the only IPv6-enabled server for a domain -- if one server at Berkeley goes down, three other universities effectively drop off the IPv6 Internet.

But I'm still taking this as a win.

A few weeks ago, RIPE NCC, the "European" RIR, added a few more IPv6-enabled K root servers. As you may recall, back in February, IANA enabled IPv6 glue in the DNS root. With RIPE NCC's recent additions, there are now at least 33 IPv6-enabled root servers (out of 150 total servers). I say at least because I don't have any information on which J root servers have IPv6.

Here's a handy Google Map widget showing their locations:

View Larger Map

I was surprised to see so many servers in North America, since that region tends to lag behind Europe and Asia for IPv6 deployment. In fact, the Asia/Pacific region has the fewest number of IPv6 servers of any RIR:

AfriNIC0 %
ARIN42 %

While it's good to see more IPv6-enabled servers, the more important issue is increasing IPv6 traffic to the root. Just after the IPv6 glue was added to the root, the K root saw an almost five-fold increase in IPv6 traffic. However, this still only works out to 1.2% of its queries over IPv6:

IPv6 traffic at the K root just after adoption

The H root has similar results. While the number of IPv6 queries has steadily increased since February, 2008, it still receives less than 1% of its queries over IPv6:

Yearly IPv6 traffic at the H root

The M root saw the same thing: Only 1% of their queries are over IPv6:

IPv6 traffic at the M root

At RIPE-56, Geoff Huston gave a presentation comparing IPv4 -vs- IPv6 queries in APNIC's root servers. He found that IPv6 queries peaked at 1% of the total number of queries. Likewise, at the 2008 Global IPv6 Summit in Korea, it was revealed that Japan's authoritative servers get at best 1.4% of their queries over IPv6. And Japan was one of the first countries to add AAAA glue.

Comparatively speaking, there are only a handful of DNS servers on the Internet. It's fairly easy to get them IPv6-enabled. It will be a much harder task to IPv6-enable the billion+ PCs on the Internet (which is expected to double by 2014). And that number doesn't include non-PC devices, which make up an increasingly large number of network-attached devices. It's time to get to work, folks.

A few months ago, Internet2 made one of their DNS servers reachable over IPv6. Their other DNS server ( was still IPv4-only. That's now changed.

All of the authoritative name servers for are now reachable over IPv6. This has been a long time coming, and it's great to see it done:

$ dig -t NS

; <<>> DiG 9.2.4 <<>> -t NS
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1475
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 6


;; ANSWER SECTION: 3913 IN NS 3913 IN NS 3913 IN NS

;; ADDITIONAL SECTION: 7138 IN A 7155 IN AAAA 2001:468:1420::59 7143 IN A 7151 IN AAAA 2001:468:c07:1::250 61905 IN A 61905 IN AAAA 2001:468:d01:20::80df:2023

;; Query time: 1 msec
;; SERVER: 2610:8:6800:1::4#53(2610:8:6800:1::4)
;; WHEN: Fri Jun 13 10:51:53 2008
;; MSG SIZE rcvd: 229

I mentioned recently that I gave an IPv6 poster session at the Penn State WebConference. I've put the poster and handout online. I spoke to a couple of interesting people at the conference, and learned a lot about the web infrastructure at the University (there are more IIS and ColdFusion shops that I realized. Fortunately, both supports IPv6.)

In DNS news, the .dk (Denmark) and .nk (Saint Kitts and Nevis) top-level-domains are now reachable via IPv6. This brings the total to 190 of 269 TLDs that are reachable over IPv6.