Ease your transition to IPv6 DNS

BY Rebekah Taylor

The transition to IPv6 DNS can be easier

Let’s be honest: The prospect of having to move to IPv6 DNS may seem daunting.

Like most enterprises, you’re probably trying to remain IPv4 only as long as possible. Why fix what isn’t broken? Leave it for your kids to handle someday.

But if the corporate call comes to jump off the cliff and transition, BlueCat’s platform is at the ready to help cushion your landing.

In this post, we’ll provide a primer on IPv4 and IPv6, and look at why there’s some resistance to the move. Then we’ll delve into how BlueCat tools can help ease the transition.

The basics: IPv4, IPv6, DNS, and all the rest

Let’s get some basic terminology out of the way first. IP, which stands for internet protocol, is the internet’s principal form of communications. And IP addressing is a logical means of assigning addresses to devices on a network.

What is IPv4?

IPv4, or internet protocol version 4, has been in place for more than 35 years. IPv4 uses 32-bit addresses (for example, 192.0.1.246) to route most of today’s internet traffic.


A 32-bit address space limits the number of unique hosts to 2^32, which is nearly 4.3 billion IPv4 addresses. But in today’s ultra-connected world, where every device from your smartphone to your doorbell camera now has an IP address, it turns out that 4.3 billion isn’t nearly enough.

In 2011, the Internet Assigned Numbers Authority (IANA), the global coordinator of IP addressing, ran out of IPv4 addresses to allocate to regional registries. Since then, regional registries have exhausted those allocations.

In short, we’ve run out of address space.

Enter IPv6


IPv6, the most recent version of the internet protocol, uses 128-bit address space. Unlike IPv4, both letters and numbers are used as identifiers (for example, 2002:db8::8a3f:362:7897). By implementing these changes, IANA created 2^128 new IP addresses, which is about 340 undecillion or 340 billion billion billion billion. A whole lot.

It has some obvious advantages, the primary one being that it’s a lot more space. With IPv6, a single network can have more addresses than the entire IPv4 address space. IPv6 exhaustion is basically impossible. (And for your dose of tech humor, there is, of course, a hypothetical IPv6 exhaustion counter out there. Nine million AD, anyone?).

Furthermore, routing tables are simpler. Admins can start from square one and be thoughtful and logical about deploying an addressing scheme. And there's plenty of room to add more.

Security was also at the forefront when IPv6 was built. On the other hand, IPv4 has had modern-day security measures tacked on after the fact. However, that’s not to say that you get a free pass to omit IPv6 space from your network security model. And the first IPv6 DDoS attack served as an important reminder.

Eliminating private networks

About 18 million IPv4 addresses were set aside for private addressing, drawn from a range known as RFC 1918. Most organizations use IPv4 private addresses on internal networks. However, devices with private addresses have no direct path to the public internet.

To access the public internet, these devices require a complex and resource-intensive workaround called network address translation (NAT).

IPv6 is NAT-free, enabling every device to communicate directly without intermediary steps.

The challenges of implementing IPv6 DNS

While IPv6 was born of necessity, that doesn’t mean that it’s something that everyone wants to dive into immediately. This is not just a configuration change. Think of it more like a challenging system migration.

Examples of IPv6 challenges

  • IPv4 and IPv6 are not directly interoperable. IPv6 is managed differently than IPv4, requiring a steep learning curve to master. IPv6 address formats are also longer, so they can’t be easily memorized or transcribed.
  • It’s a lot of work to test all of your applications end-to-end in an IPv6 environment. And what may work well in a small test lab may fall apart when implemented at scale.
  • Every part of your network chain has to be IPv6-compliant. Legacy network applications or devices hard-coded for IPv4 may lack IPv6 support.
  • Specifically, most IoT devices do not support IPv6. If critical IoT devices on your network aren’t IPv6-ready, then you can’t transition your network at all. This is a particularly tough conundrum for the healthcare industry.
  • Ternary content addressable memory (TCAM) quickly gets depleted when adding IPv6 addresses. TCAM stores access control lists on network routers. Routing vendors have allowed admins to tune how much TCAM to allocate to IPv4 and IPv6, with mixed results. Ultimately, enterprises end up having to buy more pricey TCAM.

Complex enterprise implementation

Enterprise implementation itself can be complex, with segmented steps and testing required at each point.

You might first start with your external-facing networks and services like web servers. Then go to your perimeter (or DMZ) networks and your data centers. And finally, your internal networks and devices. Just like your current network, you'll need an IPv6 nameserver, DNS server, and all the rest.

It’s enough to say “thanks but no thanks” and stick with IPv4. Sure, the more workarounds that you add to your IPv4 network, the more you have to manage. But it works, you understand it, and you know the network won’t break.

There is no driving event such as a government mandate forcing the transition en masse. As a result, institutional inertia will be strong enough in most organizations to keep the status quo in place. The work involved in a transition simply isn’t worth it… yet.

IPv6 DNS made easier with BlueCat

If you decide to leap (or someone else decides for you), BlueCat’s platform can help you manage your new slice of IPv6 addresses. To better assess your IPv6 readiness, we also offer virtual instructor-led training on IPv6 for DNS, DHCP, and IP address management.

AAAA records

Address records, or A records, map domain names to IP addresses in IPv4. Because IPv6 addressing is four times as long—again, instead of a 32-bit address, it’s a 128-bit address—an IPv6 record is an AAAA record (also known as quad A).

IPv4 and IPv6 DNS records

Your DNS server addresses will have both types—IPv4 and IPv6. With BlueCat, DNS resolvers—the servers that respond to users’ DNS queries to resolve a domain name and translate it to an IP address—can return the quad A record in addition to the A record. And the user’s device can decide which way it wants to go to try to reach you.

With BlueCat address manager, quad A records are simple to add.

DHCPv6 server pairs and dual-stack

To provide redundancy, BlueCat’s platform allows a pair of IPv6 DHCP servers to serve the same network. Doing so has been considered undesirable for IPv4 networks because of the limited IP address space available. But with 340 undecillion IP addresses on the IPv6 network, address exhaustion is no longer a concern.

Dual-stack example for IPv4 and IPv6 DNS

Devices with dual-stack implementation in the operating system have an IPv4 and IPv6 address. They can communicate using either protocol. BlueCat’s implementation of DHCPv6 allows enterprises to dual-stack their entire network. This allows the network to handle both connections simultaneously as the broader IP version ecosystem remains in flux. BlueCat’s platform gives you single-pane visibility, regardless of the IP version. And if you want to single stack with just an IPv6 network, BlueCat supports that, too. 

BlueCat’s platform also has built-in support for DNS64. This is a tunneling strategy to let IPv6-only devices access other devices on an IPv4 network.
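
The resolver behaviour described in this section, as an added example (not BlueCat code): a dual-stack name answers both A and AAAA queries, and DNS64 synthesizes an AAAA answer for an IPv4-only name by embedding the IPv4 address in a /96 IPv6 prefix. The zone data, the host names and the prefix 2001:db8:64::/96 are constructed assumptions.

```python
import ipaddress

# Constructed sample zone (documentation address ranges only).
ZONE = {
    "www.example.com":    {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "legacy.example.com": {"A": ["192.0.2.20"]},        # IPv4-only service
    "v6only.example.com": {"AAAA": ["2001:db8::30"]},   # IPv6-only service
}

# Assumed network-specific DNS64 prefix; a /96 leaves exactly 32 bits
# for the embedded IPv4 address.
DNS64_PREFIX = ipaddress.IPv6Network("2001:db8:64::/96")


def rdata_length(address_text):
    """Bytes of record data: 4 for an A record, 16 for an AAAA record."""
    return len(ipaddress.ip_address(address_text).packed)


def synthesize_aaaa(ipv4_text, prefix=DNS64_PREFIX):
    """Place the 32-bit IPv4 address in the low 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4_text)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def resolve(name, qtype, dns64=False, zone=ZONE):
    """Answer an A or AAAA query from the zone, optionally applying DNS64."""
    records = zone.get(name, {})
    answers = list(records.get(qtype, []))
    if qtype == "AAAA" and not answers and dns64:
        # Synthesize only when the name has no native AAAA record, so
        # dual-stack and IPv6-only names keep their real addresses.
        answers = [synthesize_aaaa(a) for a in records.get("A", [])]
    return answers


def stack_report(zone=ZONE):
    """Classify each name by which address record types it publishes."""
    report = {}
    for name, records in zone.items():
        has4, has6 = bool(records.get("A")), bool(records.get("AAAA"))
        report[name] = ("dual-stack" if has4 and has6
                        else "ipv4-only" if has4 else "ipv6-only")
    return report


if __name__ == "__main__":
    for host in ZONE:
        print(host, resolve(host, "A"), resolve(host, "AAAA", dns64=True))
```

Because synthesized answers give IPv6-only clients a path to IPv4-only hosts, firewall rules and logging need to cover the DNS64 prefix as well as the native IPv4 and IPv6 ranges.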

The value of an IPv6 presence

Trepidation about IPv6 deployments is understandable. Today, only about 25 percent of the Alexa top 1,000 websites have sites reachable over IPv6. But that number continues to grow as large areas of the world undergo IPv6 adoption. Some emerging markets (particularly in Asia) only have IPv6 network connections.

Enterprises are realizing that they’ll lose business—or miss out on e-commerce opportunities entirely—without an IPv6 internet presence. We often hear from our customers that they at least plan to implement IPv6 migration strategies for public-facing networks so they don’t get left behind.

When your moment to transition comes, we’re ready to help. Learn more about the BlueCat platform and how it supports both networks.

Rebekah Taylor

Rebekah Taylor is a freelance writer and editor who has been translating technical speak into prose for two decades. She was previously a journalist and did communication work as a contractor for the U.S. Coast Guard in Washington, D.C. Her first job in the early 2000’s was at a small Palo Alto start-up called VMware. She holds degrees from Cornell University and Columbia University’s Graduate School of Journalism.
