Internet-Draft IPv6 only Resolver March 2023
Yamamoto & Toyota Expires 10 September 2023 [Page]
Workgroup:
v6ops
Internet-Draft:
draft-momoka-v6ops-ipv6-only-resolver-01
Published:
Intended Status:
Informational
Expires:
Authors:
山本 桃歌 (M. Yamamoto)
The University of Tokyo/WIDE Project
豊田 安信 (Y. Toyota)
Keio University/WIDE Project

IPv6 only capable resolver utilising NAT64

Abstract

By performing IPv4 to IPv6 translation, IPv6-only iterative resolvers can operate in an IPv6-only environment. When a specific DNS zone is only served by an IPv4-only authoritative server, the iterative resolver will translate the IPv4 address to IPv6 to access the authoritative server's IPv4 address via stateful NAT64. This mechanism allows IPv6-only iterative resolvers to initiate communications to IPv4-only authoritative servers.

Discussion Venues

This note is to be removed before publishing as an RFC.

Discussion of this document takes place on the IPv6 Operations Working Group mailing list (v6ops@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/v6ops/.

Source for this draft and an issue tracker can be found at https://github.com/momoka0122y/draft-momoka-ipv6-only-resolver.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 10 September 2023.

Table of Contents

1. Introduction

This document describes how an IPv6-only iterative resolver can use stateful NAT64 [NAT64] to connect to an IPv4-only authoritative server by performing IPv4 to IPv6 translation [RFC6052] when sending a query. When a specific DNS zone is only served by an IPv4-only authoritative server (which has only an A record), an IPv6-only iterative resolver cannot resolve that zone due to having no access to an IPv4 network. However, by performing IPv4 to IPv6 translation and utilizing the stateful NAT64, accessing an IPv4-only authoritative server will be possible.

2. Terminology

3. Motivation and Problem Solved

An iterative resolver is one of the applications that require IPv4 connectivity. As stated in BCP91 [RFC3901], “every recursive name server SHOULD be either IPv4-only or dual stack.” This is because some authoritative servers do not support IPv6. As of 2023, even some of the most frequently queried authoritative servers cannot be accessed via IPv6. Without the utilization of NAT64, IPv6-only resolvers need to forward queries to a dual-stack recursive name server performing the iterative queries.

The current situation where an iterative resolver cannot operate without IPv4 reachability may hinder the operation of a network's own iterative resolver in an IPv6-only network. Therefore, this document describes how iterative resolvers can be used without issues in IPv6-only networks by utilizing NAT64.

The NAT64/DNS64 mechanism enables IPv6-only clients in a network to communicate with remote IPv4-only nodes. However, using literal IPv4 addresses instead of DNS names will fail (unless 464XLAT [RFC6877] is used). An iterative resolver cannot use the DNS64 because it is a service that uses literal IP addresses. This problem can be solved by the iterative resolver converting IPv4 addresses to IPv6 by adding the Pref64::/n prefix, and thus the IPv6 packet conveying the query is directed to a stateful NAT64 gateway that converts the IPv6 packet to an IPv4 packet. With this implementation, an iterative resolver can be operated even inside an IPv6-only network.

3.1. Deployment Scenarios and Examples

The deployment of IPv6-only networks is in progress, as demonstrated by [draft-xie-v6ops-framework-md-ipv6only-underlay]. By operating an IPv6-only network and limiting IPv4 reachability to NAT64 devices, operators can reduce IPv4 usage and concentrate on IPv6 operations, which is generally believed to lower operational costs and optimize operations compared to a dual-stack environment.

In examples of past RFCs, name resolvers have always had an IPv4 address. For example, all three use cases for DNS64 in RFC 6147 are dual-stack name servers.

            +---------------------+         +---------------+
            |IPv6 network         |         |    IPv4       |
            |              +-------------+  |  Internet     |
            |           |--| Name server |--|               |
            |           |  | with DNS64  |  |  +----+       |
            |  +----+   |  +-------------+  |  | H2 |       |
            |  | H1 |---|         |         |  +----+       |
            |  +----+   |   +------------+  |  192.0.2.1    |
            |           |---| IPv6/IPv4  |--|               |
            |           |   | Translator |  |               |
            |           |   +------------+  |               |
            |           |         |         |               |
            +---------------------+         +---------------+
Figure 1: Example network setup of the use of DNS64 described in RFC6147 Section7.1 
            +---------------------+         +---------------+
            |IPv6 network         |         |    IPv4       |
            |                 +--------+    |  Internet     |
            |           |-----| Name   |----|               |
            | +-----+   |     | server |    |  +----+       |
            | | H1  |   |     +--------+    |  | H2 |       |
            | |with |---|         |         |  +----+       |
            | |DNS64|   |   +------------+  |  192.0.2.1    |
            | +----+    |---| IPv6/IPv4  |--|               |
            |           |   | Translator |  |               |
            |           |   +------------+  |               |
            |           |         |         |               |
            +---------------------+         +---------------+
Figure 2: Example network setup of the use of DNS64 described in RFC6147 Section7.2

However, it is necessary to consider the existence of an IPv6 single-stack full-service resolver. In this document we consider an IPv6-only network where the iterative resolver is inside the IPv6-only network and does not have an IPv4 address. This is to restrict IPv4 management to the NAT64 device.

      +--------------------------+         +----------------------+
      | IPv6 network             |         |    IPv4              |
      |                          |         |  Internet            |
      |                |         |         |                      |
      | +----------+   |         |         |  +--------------+    |
      | |IPv6-only |   |         |         |  |Authoritative |    |
      | |Iterative |   |         |         |  |server        |    |
      | |resolver  |---|   +------------+  |  +--------------+    |
      | +----------+   |---| IPv6/IPv4  |--|  192.0.2.1           |
      |                |   | Translator |  |                      |
      |                    +------------+  |                      |
      |                          |         |                      |
      +--------------------------+         +----------------------+
Figure 3: Network example referenced in this document with an IPv6-only iterative resolver

4. Solution with existing protocols

This section provides the mechanism of an IPv6-only capable resolver utilizing stateful NAT64. We will assume we have one or more IPv6/IPv4 translator boxes [NAT64] connecting an IPv6 network to an IPv4 network. The stateful NAT64 device provides translation service and bridges the two networks, allowing communication between IPv6-only hosts and IPv4-only hosts. The IPv6-only capable resolver proposed in this document performs the IPv4 to IPv6 synthesis for the resolver to communicate with IPv4 servers via stateful NAT64. By using stateful NAT64, this IPv6-only iterative resolver can be considered dual stack in the sense of BCP91 [RFC3901].

4.1. Finding an Authoritative server with only IPv4 addresses

Before the iterative resolver sends queries to start a resolution, it may sort the SLIST data structure described in [RFC1034] to use the authoritative servers with IPv6 addresses first, and use servers with only an IPv4 address later. If the resolver finds only an A record for an authoritative server, the resolver should perform address synthesis to the IPv4 address of the authoritative server, converting IPv4 addresses to IPv6 by adding the prefix Pref64::/n, so that the IPv6 packet carrying the query is routed to a stateful NAT64 gateway, which converts the IPv6 packet to an IPv4 packet. It is not recommended to synthesise an IPv4 address of an authoritative server if it also has an IPv6 address.

4.2. Generation of the IPv6 Representations of IPv4 Addresses

4.2.1. Obtaining the Pref64::/n of the stateful NAT64

The iterative resolver can obtain the Pref64::/n used by the network's stateful NAT64 either by static configuration or by using discovery mechanisms. Static configuration may be the most likely scenario, as the iterative resolver server may also serve as a DNS64 server.

The Port Control Protocol [RFC7225] or Router Advertisements [RFC8781] are two options available to the resolver if it wishes to use a discovery mechanism to find the Pref64::/n. Using the mechanisms described in [RFC7050] or [draft-hunek-v6ops-nat64-srv] may not work because they require a resolver to work.

4.2.2. Performing the Synthesis

The address translation can be performed by following Section 2.3 of [RFC6052]. After the synthesis is done, the IPv6-only iterative resolver can send a query to the converted IPv6 address.

4.3. Use of the iterative resolver as DNS64

As the iterative resolver is used within an IPv6-only network, the server can also perform as DNS64 [DNS64] when an AAAA record is queried from a STUB resolver but the domain only has an A record.

5. Deployment Notes

TODO

6. Security Considerations

This algorithm does not change any part of the DNS message, just the packet type from IPv4 to IPv6 and the destination IP address from an IPv4 address to the synthesised IPv6 address, so there should be no problems with DNSSEC.

7. IANA Considerations

This document has no IANA actions.

8. Implementation Status

BIND has a WIP branch.

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6334/commits

Unbound has a PR from a contributor.

https://github.com/NLnetLabs/unbound/issues/721

9. References

9.1. Normative References

[DNS64]
Bagnulo, M., Sullivan, A., Matthews, P., and I. van Beijnum, "DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers", RFC 6147, DOI 10.17487/RFC6147, , <https://www.rfc-editor.org/rfc/rfc6147>.
[NAT64]
Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, , <https://www.rfc-editor.org/rfc/rfc6146>.
[RFC3901]
Durand, A. and J. Ihren, "DNS IPv6 Transport Operational Guidelines", BCP 91, RFC 3901, DOI 10.17487/RFC3901, , <https://www.rfc-editor.org/rfc/rfc3901>.
[RFC6052]
Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, DOI 10.17487/RFC6052, , <https://www.rfc-editor.org/rfc/rfc6052>.

9.2. Informative References

[draft-hunek-v6ops-nat64-srv]
Huněk, M., "NAT64/DNS64 detection via SRV Records", Work in Progress, Internet-Draft, draft-hunek-v6ops-nat64-srv-04, , <https://datatracker.ietf.org/doc/html/draft-hunek-v6ops-nat64-srv-04>.
[draft-xie-v6ops-framework-md-ipv6only-underlay]
Xie, C., Ma, C., Li, X., Mishra, G. S., Boucadair, M., and T. Graf, "Framework of Multi-domain IPv6-only Underlay Networks and IPv4 as a Service", Work in Progress, Internet-Draft, draft-xie-v6ops-framework-md-ipv6only-underlay-05, , <https://datatracker.ietf.org/doc/html/draft-xie-v6ops-framework-md-ipv6only-underlay-05>.
[ietf-v6ops-ipv6-deployment]
Fioccola, G., Volpato, P., Martinez, J. P., Mishra, G. S., and C. Xie, "IPv6 Deployment Status", Work in Progress, Internet-Draft, draft-ietf-v6ops-ipv6-deployment-10, , <https://datatracker.ietf.org/doc/html/draft-ietf-v6ops-ipv6-deployment-10>.
[RFC1034]
Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, , <https://www.rfc-editor.org/rfc/rfc1034>.
[RFC6877]
Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT: Combination of Stateful and Stateless Translation", RFC 6877, DOI 10.17487/RFC6877, , <https://www.rfc-editor.org/rfc/rfc6877>.
[RFC7050]
Savolainen, T., Korhonen, J., and D. Wing, "Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis", RFC 7050, DOI 10.17487/RFC7050, , <https://www.rfc-editor.org/rfc/rfc7050>.
[RFC7225]
Boucadair, M., "Discovering NAT64 IPv6 Prefixes Using the Port Control Protocol (PCP)", RFC 7225, DOI 10.17487/RFC7225, , <https://www.rfc-editor.org/rfc/rfc7225>.
[RFC8781]
Colitti, L. and J. Linkova, "Discovering PREF64 in Router Advertisements", RFC 8781, DOI 10.17487/RFC8781, , <https://www.rfc-editor.org/rfc/rfc8781>.

Acknowledgments

TODO: acknowledge people.

Thank you for reading this draft.

Authors' Addresses

Momoka Yamamoto
The University of Tokyo/WIDE Project
Additional contact information:
山本 桃歌
The University of Tokyo/WIDE Project
Yasunobu Toyota
Keio University/WIDE Project
Additional contact information:
豊田 安信
Keio University/WIDE Project