
IPv6 Deployment Series Part 10: DNS Records


RYAN HARRIS | Sr. Network Engineer 


This blog post is part of a series detailing the various parts of planning and deploying IPv6 for enterprise networks. It is meant as a primer for the network engineer or architect to understand the various concepts they may be unaware of when developing their IPv6 production design.    

If you have not read the previous posts, I would highly recommend that you start at the beginning:     

 

A vs AAAA 

The A or “address” record is the workhorse of DNS; it’s the primary record by which hosts on the internet translate a human-readable domain name to an IP address. Since IPv6 addresses are four times larger than a 32-bit IPv4 address, the new record meant to translate domain names into IPv6 addresses is called an AAAA record. For those wondering, it’s generally pronounced “quad A.”

AAAA records function identically to A records, just using a larger value field. 

Because DNS is often the very last bit of configuration to change prior to a website going live, I would caution you to test any web applications thoroughly before creating an AAAA record for your site. If you inadvertently create an AAAA record for a website that is not functioning correctly using an IPv6 connection, you may cause issues with IPv6-enabled clients. 

A great option for testing the operation of a website using IPv6 is to create an IPv6-specific record for your site, for example: ipv6.example.com. If there is no A record for that subdomain, you can test without causing issues with production and without the possibility of confusing a working IPv4-only application with a non-working IPv6 application.

Glue Records 

When you register a domain and configure your registrar to point to your hosted DNS servers for authoritative control of the domain, you create records called “glue records.” These glue records are how the TLD servers (.com, .net, .edu, etc.) can find the IP addresses of your name servers.

For example, if I registered the domain “netcraftsmen.com,” I would need to register at least two name servers for that domain. For example, I might create the records “ns1.netcraftsmen.com” and “ns2.netcraftsmen.com.” However, the TLD name servers do not know the IP addresses of these two name servers. A glue record is created in your registrar’s portal that ties these name records to their public IP addresses so that proper name resolution can occur.

When moving to IPv6, it’s important that your glue records include IPv6 addresses to ensure that IPv6-only name servers can properly resolve your domains. If you are not hosting your own external DNS servers, check that your provider has proper IPv6 addresses configured for their name servers.

MX Records 

Mail Exchange or MX records are used by email servers to identify where to send emails. MX records don’t return IP addresses directly, but rather return the domain name and priority of the mail server. These domain records are then recursively resolved using either A records or AAAA records. 

Be sure to test your mail servers for IPv6 connectivity and then create AAAA records for your mail-servers’ domain names. Once these AAAA records are created your domain should be available for receiving emails over IPv6. 

DNS64 

I wrote previously about DNS64 and how, when used in combination with NAT64, it can provide connectivity to IPv4-only resources from an IPv6-only client.

A DNS64 server first performs an AAAA record lookup for the requested hostname and, if no AAAA record exists, performs an A record lookup. The server then embeds the IPv4 address from the A record in either the well-known DNS64 prefix of 64:ff9b::/96 or a network-specific prefix and sends the result to the client as an AAAA record. When the client connects to the IPv6 address returned from the DNS64 server, this traffic is then translated from IPv6 to IPv4 on the NAT64 gateway.

If your organization runs its own internal DNS server, configuring DNS64 is generally straightforward. However, if your organization relies on DNS forwarders for DNS, Google as well as many other DNS providers offer DNS64-specific servers.

The Google DNS64 addresses are 2001:4860:4860::6464 and 2001:4860:4860::64. You can learn more about their implementation here. 
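
The AAAA synthesis described in this section, as an added Python example that is not from the original post: it embeds an IPv4 address in a NAT64 prefix and recovers it again, which is useful for mapping synthesized addresses seen in logs back to their IPv4 destinations. It goes beyond the /96 case in the text by covering the other prefix lengths RFC 6052 defines; the function names and sample addresses are assumptions made for illustration.

```python
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")   # well-known prefix named in the post
ALLOWED_LENGTHS = (32, 40, 48, 56, 64, 96)    # prefix lengths RFC 6052 defines


def _v4_positions(prefixlen):
    """Byte offsets that carry the IPv4 address; byte 8 (bits 64-71) is reserved and skipped."""
    if prefixlen not in ALLOWED_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{prefixlen}")
    start = prefixlen // 8
    return [i for i in range(start, 16) if i != 8][:4]


def synthesize_aaaa(ipv4, prefix="64:ff9b::/96"):
    """Build the address a DNS64 server returns for a name that only has an A record."""
    v4 = ipaddress.IPv4Address(ipv4)
    net = ipaddress.IPv6Network(prefix)
    # RFC 6052: the well-known prefix must not represent non-global IPv4 addresses
    # (for example RFC 1918 space); those need a network-specific prefix.
    if net == WKP and not v4.is_global:
        raise ValueError(f"{v4} is not global; use a network-specific prefix")
    buf = bytearray(net.network_address.packed)
    for pos, octet in zip(_v4_positions(net.prefixlen), v4.packed):
        buf[pos] = octet
    return ipaddress.IPv6Address(bytes(buf))


def embedded_ipv4(ipv6, prefix="64:ff9b::/96"):
    """Recover the IPv4 destination from a synthesized address, or None if outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    net = ipaddress.IPv6Network(prefix)
    if addr not in net:
        return None
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[p] for p in _v4_positions(net.prefixlen)))


if __name__ == "__main__":
    # Constructed sample inputs; 2001:db8::/32 is the IPv6 documentation range.
    print(synthesize_aaaa("8.8.8.8"))                        # well-known prefix
    print(synthesize_aaaa("10.1.2.3", "2001:db8:64::/96"))   # network-specific prefix
    print(embedded_ipv4("64:ff9b::808:808"))                 # back to the IPv4 address
```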

 
