Yahoo proposes 'really ugly hack' to DNS
- 27 March, 2010 06:44
Network engineers from Yahoo are pitching what they admit is a "really ugly hack" to the Internet's Domain Name System, but they say it is necessary for the popular Web content provider to support IPv6, the long-anticipated upgrade to the Internet's main communications protocol.
Yahoo outlined its proposal for changes to DNS recursive name resolvers at a meeting of the Internet Engineering Task Force (IETF) held here this week.
Yahoo says it needs a major change to the DNS -- which matches IP addresses with corresponding domain names -- in order to provide IPv6 service without inadvertently cutting off access to hundreds of thousands of visitors. Under Yahoo's proposal, these visitors would continue accessing content via IPv4, the current version of the Internet Protocol.
The reason Yahoo is seeking this change to the DNS is that a significant percentage of Internet users have broken IPv6 connectivity. Web content providers say they need mechanisms to discover that a user's IPv6 connectivity is broken and to switch these users to IPv4 on the fly. Yahoo views DNS as the best place to make this switch.
"If you roll out IPv6, you will break 0.078% of users. That sounds negligible, but for Yahoo that's taking 470,000 users offline," says Igor Gashinsky, a senior network architect at Yahoo. Gashinsky presented Yahoo's DNS recursive name resolver proposal to the IETF's DNS Operations Working group.
Gashinsky says problems occur when "the user has a broken home gateway, or a broken firewall or his Web browser has a timeout that's between 21 and 186 seconds, which we consider to be broken. That's a lot of breakage, and that is a very big barrier for content providers to support IPv6."
Gashinsky says the estimate that 0.078% of users have broken IPv6 connectivity comes from Google, which has been aggressively moving its services to IPv6, including YouTube, Search, Mail and Maps.
Gashinsky adds that Yahoo is conducting its own analysis of broken IPv6 connectivity, which it will share with the Internet engineering community in June.
Yahoo has started IPv6 peering around the world with various ISPs, and a company spokesman says it will begin serving up Web pages to IPv6 users "as soon as possible."
"I should not be breaking any IPv4 user if I enable IPv6," Gashinsky says, explaining why he needs this change to the DNS.Yahoo's revelation that turning on IPv6 will result in hundreds of thousands of its visitors being unable to access its content is significant because the Internet engineering community is pressuring Web site operators to support IPv6.
John Curran, President and CEO of the American Registry for Internet Numbers, is warning Web site operators that they must enable IPv6 by Jan.1, 2012 or risk disenfranchising a significant number of their visitors.
Curran and others are sounding the alarm because the Internet is running out of IPv4 addresses. IPv4 uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet. IPv6, on the other hand, uses 128-bit addresses and supports a virtually unlimited number of devices.
Experts predict that the remaining IPv4 addresses will be distributed by 2012. In January, the Regional Internet Registries announced that fewer than 10% of IPv4 addresses remain unallocated.
When IPv4 addresses run out, carriers like Comcast are expected to dole out IPv6 addresses to new customers and new devices hooked up to their networks. Web sites must have IPv6 support in order to serve up content to these IPv6-only customers. IPv6 requires changes to the DNS because it uses single-A records for IPv4 queries and quad-A records for IPv6 queries.
Yahoo's worry is that some operating systems issue quad-A records by default, even if the user has broken IPv6 connectivity and needs single A records to access IPv4-based content. What Yahoo is proposing is a change to the DNS that would allow an ISP's DNS recursive servers to only return quad-A records for users that successfully connect via IPv6. Users that request quad-A records but access the ISP via IPv4 would be given single A records instead.
"The side effect -- the lost of trust -- is a big one," Gashinsky admits. "You would have recrusive servers knowingly modifying DNS authoritative records. Also, this effectively turns off IPv6 for operating systems that can only do DNS queries over IPv4.
Another side effect of this change to the DNS is that it disables DNS Security Extensions, a new security mechanism that is being deployed across the Internet to prevent hackers from re-directing traffic from a legitimate Web site to a fake one without the Web site operator or user knowing.
Gashinsky says this DNS change would allow Yahoo to enable IPv6 services while remaining reachable to users with broken IPv6 connectivity by redirecting them to IPv4 content. But Gashinsky is not happy with this solution. "This is a really ugly hack, but it may be necessary to get widespread IPv6 adoption," Gashinsky admits. "It sounds like it is something we have to do for this subset of IPv4 addresses that have As and quad-As and for this subset of IPv6 addresses that don't have quad-As.
"The Internet Systems Corp says it will offer the ability for ISPs to disable quad-A records as an option in its BIND DNS software. Other DNS vendors that are considering offering this capability include Secure64 and PowerDNS.Yahoo is proposing this change to DNS recursive servers in addition to another proposal to create a DNS Whitelist for IPv6.
The whitelist would be used by content providers to pass quad-A records upstream to ISPs only if the user's DNS resolver is in the whitelist and has proven IPv6 connectivity.
"I think this is better than whitelisting because the control is back in with the service provider who can do something about it versus the content provider having a giant white list," says Alain Durand, Director of IPv6 Architecture and Internet Governance at Comcast.
"The question is whether the price is worth it. We can't really answer that question until we have better, solid data about how many connections are actually broken. It's probably better to just fix those home gateways that are broken and then the problem is solved."