No IPv6 & DNSSEC support on cc-TLD? (practical implications)

I need to register some domains that have country code domain extensions, but noticed that those TLDs do not officially support (A) IPv6 or (B) DNSSEC... What limitations or pitfalls should I expect to run into because of this?

(A) No IPv6 support for TLD

I know this means that I won't be able to add an AAAA record to the domain, but what does this mean for reachability/compatibility/visibility from other IPv6-capable DNS servers?

(B) No DNSSEC support for TLD

I understand that DNSSEC is somehow important for authenticating DNS resolving, but have no idea if/how its implementation (or lack thereof) affects me as an application developer when it comes to security.

NOTE: Please forgive this potentially rudimentary question from a spoiled LAMP, MEAN, front-end, and native mobile dev who's rarely had to make network architecture decisions pivoting around the above. Thanks in advance!


Solution 1:

If the ccTLD does not have IPv6 addresses for its name servers, an IPv6-only user may not be able to resolve any names under that TLD, even if those names are in IPv6-competent zones. Resolving follows a chain down from root, and if one link doesn't work, the entire thing fails.

DNSSEC provides cryptographic authentication of DNS data. Like everything in DNS, it follows the normal tree starting at the root zone. And again, if one link doesn't work, the entire chain fails. So any names under a ccTLD that doesn't do DNSSEC will be vulnerable to spoofing (note: there is a technique for side-stepping the chain in this case, called DLV. It is, however, deprecated and ICANN's support for it will end in 2017).

I would consider using a better TLD :-)

Solution 2:

AAAA records can be delivered by both IPv4 and IPv6 resolvers. You can add IPv6 addresses to your domain and they will be delivered. People with IPv6-only resolvers (which I believe would be relatively rare) won't be able to resolve your domain in any case.

The standard work-around for DNSSEC is to use DLV (DNSSEC Lookaside Validation). This has been used for a long time and has been the only way to validate a number of TLDs for a long time. As TLD providers add DNSSEC support, the requirement for DLV disappears for those TLDs.

Overall uptake on both IPv6 and DNSSEC has been very slow. Where I am, I still require an IPv4 tunnel to get IPv6 connectivity.

Solution 3:

If the TLD doesn't support AAAA records for the nameserver addresses, that doesn't mean you can't have AAAA records for your underlying services; it just means that people won't be able to use IPv6 for the DNS protocol itself to look up your service addresses.

It's a perfectly normal configuration (see BCP 91 aka RFC 3901) to only have IPv4-only nameservers listed with the domain registry, with those nameservers publishing AAAA records for entries within your domain. At this point that won't break anything - an IPv6-only connection (without NAT64) is pretty much unusable.

For DNSSEC, most ccTLDs already support it, and of those that don't many have plans to do so or are already in mid-implementation, albeit with Africa being the main area of concern. The latest ISOC map from a couple of days ago shows this:

[image: ISOC DNSSEC deployment map]
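The two mechanics the answers above describe, resolution and DNSSEC validation both walking a chain from the root where one missing link fails everything below it (Solution 1), and IPv4-only nameservers still happily serving AAAA records for the services underneath them (Solution 3), as an added example that is not part of any of the posted answers: a toy iterative resolver in Python over constructed delegation data. Every zone name, nameserver address and record below is made up for illustration; the real-world check is `dig +trace` against the live root plus a look at whether the root zone publishes DS records for the TLD, but this version runs offline.

```python
"""
Toy iterative resolver over constructed delegation data (example code, not
real DNS). It models three things from the thread:
  * an IPv6-only resolver cannot get past a TLD whose nameservers have no
    AAAA glue, so every name under that TLD is unreachable for it;
  * a TLD without DNSSEC (no DS in the root, unsigned zone) leaves every
    name below it 'insecure' no matter how well the child zone is signed;
  * IPv4-only nameservers can still serve AAAA records for the services.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    ns_a: list                                    # IPv4 glue for the zone's nameservers
    ns_aaaa: list                                 # IPv6 glue (empty -> IPv6-only resolvers cannot reach it)
    signed: bool                                  # zone publishes DNSKEY/RRSIG
    ds_for: set = field(default_factory=set)      # children for which this zone publishes a DS
    records: dict = field(default_factory=dict)   # leaf data: owner -> {rrtype: [values]}


# Constructed delegation tree (made-up names and RFC 5737/3849 example addresses).
ZONES = {
    # root: trust anchor, dual-stack nameservers, DS only for the TLD that is signed
    "": Zone(ns_a=["192.0.2.1"], ns_aaaa=["2001:db8::1"], signed=True,
             ds_for={"ccgood"}),
    # ccTLD with IPv6 glue and DNSSEC
    "ccgood": Zone(ns_a=["192.0.2.10"], ns_aaaa=["2001:db8::10"], signed=True,
                   ds_for={"example.ccgood"}),
    # ccTLD with IPv4-only nameservers and no DNSSEC (the situation in the question)
    "ccbad": Zone(ns_a=["192.0.2.20"], ns_aaaa=[], signed=False),
    # customer zones: both dual-stack, both signed
    "example.ccgood": Zone(ns_a=["192.0.2.100"], ns_aaaa=["2001:db8::100"], signed=True,
                           records={"www.example.ccgood": {"A": ["203.0.113.1"],
                                                           "AAAA": ["2001:db8:1::1"]}}),
    "example.ccbad": Zone(ns_a=["192.0.2.200"], ns_aaaa=["2001:db8::200"], signed=True,
                          records={"www.example.ccbad": {"A": ["203.0.113.2"],
                                                         "AAAA": ["2001:db8:2::2"]}}),
}


class Unreachable(Exception):
    """No nameserver of the zone has an address in the resolver's address family."""


def delegation_path(name):
    """Zone names from the root down to the zone that should hold `name`.
    'www.example.ccbad' -> ['', 'ccbad', 'example.ccbad']"""
    labels = name.rstrip(".").split(".")
    path = [""]
    for i in range(len(labels) - 1, 0, -1):
        candidate = ".".join(labels[i:])
        if candidate in ZONES:
            path.append(candidate)
    return path


def resolve(name, rrtype, family="v4"):
    """Walk the delegation chain like an iterative resolver that only has one
    address family. Returns (answers, status) with status 'secure' or
    'insecure'; raises Unreachable if any link of the chain cannot be contacted."""
    secure = True          # the root key is the trust anchor
    parent = None
    for zname in delegation_path(name):
        zone = ZONES[zname]
        glue = zone.ns_a if family == "v4" else zone.ns_aaaa
        if not glue:
            raise Unreachable(f"{zname or 'root'} has no {family} nameservers; "
                              f"lookup of {name} stops here")
        # Chain of trust: the parent must be signed and publish a DS for this
        # child, and the child must itself be signed. One broken link makes
        # everything below it insecure, however well the child zone is signed.
        if parent is not None:
            secure = secure and parent.signed and zname in parent.ds_for and zone.signed
        parent = zone
    answers = parent.records.get(name.rstrip("."), {}).get(rrtype, [])
    return answers, "secure" if secure else "insecure"


if __name__ == "__main__":
    print("dual-stack, signed TLD over v6:", resolve("www.example.ccgood", "AAAA", "v6"))
    print("v4-only, unsigned TLD over v4: ", resolve("www.example.ccbad", "AAAA", "v4"))
    try:
        resolve("www.example.ccbad", "AAAA", "v6")
    except Unreachable as err:
        print("v4-only TLD over v6:          ", err)
```

The second call is the Solution 3 case: the AAAA record for `www.example.ccbad` comes back fine over IPv4, because the TLD's lack of IPv6 glue only affects how the resolver reaches the nameservers, not what those nameservers can serve. The answer is nevertheless flagged `insecure`, since the unsigned TLD breaks the chain above the (signed) customer zone; and the third call shows the IPv6-only resolver failing at the TLD link before it ever sees the customer's dual-stack nameservers.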