IETF Logo Mail Archive

Re: [DNSOP] Why would a v4 client send AAAA query?

Mark Andrews <marka@isc.org> Thu, 29 August 2019 11:35 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA1C3120090 for <dnsop@ietfa.amsl.com>; Thu, 29 Aug 2019 04:35:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.655
X-Spam-Level:
X-Spam-Status: No, score=-5.655 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AtgfsECgTz6t for <dnsop@ietfa.amsl.com>; Thu, 29 Aug 2019 04:35:47 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2892120025 for <dnsop@ietf.org>; Thu, 29 Aug 2019 04:35:47 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 1381B3AB000; Thu, 29 Aug 2019 11:35:46 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 0991D160051; Thu, 29 Aug 2019 11:35:46 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id E343B16008D; Thu, 29 Aug 2019 11:35:45 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id bFw-GD_sQZPh; Thu, 29 Aug 2019 11:35:45 +0000 (UTC)
Received: from [192.168.0.17] (c220-239-100-123.belrs4.nsw.optusnet.com.au [220.239.100.123]) by zmx1.isc.org (Postfix) with ESMTPSA id 422A7160051; Thu, 29 Aug 2019 11:35:45 +0000 (UTC)
Content-Type: multipart/alternative; boundary="Apple-Mail-6B226B7B-0FCE-4A4B-A260-C6AEC860A293"
Mime-Version: 1.0 (1.0)
From: Mark Andrews <marka@isc.org>
X-Mailer: iPhone Mail (16G102)
In-Reply-To: <CANFmOt=_DqDNziVQh=5bF7yC-6DwPFPMYTz7kud7EwjsEFdY5Q@mail.gmail.com>
Date: Thu, 29 Aug 2019 21:35:40 +1000
Cc: dnsop@ietf.org
Content-Transfer-Encoding: 7bit
Message-Id: <70317E5C-4FBD-47B4-9C14-A9A22E671578@isc.org>
References: <CANFmOtkrB=Z6HNyJ7SFinMAHJEgOB=J0KQnKxYqy_7kPYPbumg@mail.gmail.com> <20190829063910.GB90696@straasha.imrryr.org> <CANFmOt=_DqDNziVQh=5bF7yC-6DwPFPMYTz7kud7EwjsEFdY5Q@mail.gmail.com>
To: Naveen Kottapalli <naveen.sarma@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jzbsR9hMuIM7CiSuCx8JVb1886c>
Subject: Re: [DNSOP] Why would a v4 client send AAAA query?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Aug 2019 11:35:50 -0000

Firstly most machines these days have at least one dual stack interface if not many even if the uplink is IPv4 only. Until the address is resolved they don’t know if the AAAA is usable (reachable) or not. 


-- 
Mark Andrews

> On 29 Aug 2019, at 19:43, Naveen Kottapalli <naveen.sarma@gmail.com> wrote:
> 
> My query was about the behavior we observed on a gateway where a pure v4 subscriber (not dual-stack) has sent both A and AAAA query for the same domain simultaneously.  Just wanted to know why would a pure v4 subscriber which cannot use the resolved AAAA domain addresses is trying to resolve the v6 addresses of the domain.
> 
> Yours,
> Naveen.
> 
> 
>> On Thu, 29 Aug 2019 at 12:09, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>> On Wed, Aug 28, 2019 at 05:53:26AM +0530, Naveen Kottapalli wrote:
>> 
>> > Can one of you tell why would a v4 client send AAAA query or a by client
>> > send a A query when the resolved address cannot be used?
>> 
>> One answer I did not see, but seems to me to be the most likely,
>> is that the library interface used by the application to learn the
>> peer's addresses asks for and returns all the v4 and v6 addresses,
>> and then the application tries each address in turn, until one
>> succeeds, the library is address-family agnostic.
>> 
>> Often the address resolution is many layers down below the actual
>> application code, e.g. in an HTTP request library that uses a
>> connection pool, that, as needed, establishes connections in a
>> generic way, by using getaddrinfo(3) with AF_UNSPEC as the address
>> family.  The library code many layers down below the application
>> code making an HTTP request, has no prior knowledge that on this
>> particular system IPv6 may not be available.  It just tries the
>> returned addresses in order until one works.
>> 
>> My system has IPv6, but only via a GRE tunnel to Hurricane Electric
>> (many thanks to HE for the pretty good free service) and IPv6
>> performance is consequently not nearly as good as IPv4.  So I've
>> configured my (FreeBSD) system to prefer IPv4:
>> 
>>     $ cat /etc/ip6addrctl.conf
>>     # Prefer IPv4
>>     ::ffff:0.0.0.0/96                100     4
>>     ...
>> 
>>     $ grep -i addrctl /etc/rc.conf
>>     ip6addrctl_enable="YES"
>>     ip6addrctl_policy="AUTO"
>> 
>> With that, getaddrinfo(3) returns the IPv4 addresses first, and I
>> only use IPv6 when none of the IPv4 addresses work, or the application
>> chooses to also use the IPv6 addresses (e.g. the DANE survey code
>> checks the validity of the certificate chain at every address of
>> each MX host).
>> 
>> For example (python):
>> 
>>     from socket import getaddrinfo, SOCK_STREAM
>>     for ai in getaddrinfo('www.ietf.org', 'https', type=SOCK_STREAM):
>>         print(ai)
>> 
>> outputs:
>> 
>>     (<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('104.20.1.85', 443))
>>     (<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('104.20.0.85', 443))
>>     (<AddressFamily.AF_INET6: 28>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('2606:4700:10::6814:55', 443, 0, 0))
>>     (<AddressFamily.AF_INET6: 28>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('2606:4700:10::6814:155', 443, 0, 0))
>> 
>> If I use python's HTTP client code to fetch content from:
>> 
>>     https://www.ietf.org/...
>> 
>> code similar to the above will look up both the IPv4 and IPv6
>> addresses, and then, if all goes well, use just the first one to
>> make an IPv4 TCP connection to www.ietf.org (port 443), perform a
>> TLS handshake, ... 
>> 
>> So the AAAA lookup is only used for IPv6-only sites, but that's the
>> cost of all the layering and abstraction of address order preference,
>> .....  An efficient implementation of getaddrinfo() can do the A and
>> AAAA lookups concurrently.
>> 
>> -- 
>>         Viktor.
>> 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email