Security and Stability Advisory Committee (SSAC)

The SSAC is a volunteer group of specialists in the technical security field that provides advice and insight to the ICANN community and the Board.

SAC018 | Executive Summary for Accommodating IP Version 6 Address Resource Records for the Root of the Domain Name System


This Report, issued jointly by the SSAC and RSSAC, examines the inclusion of IPv6 addresses at the root level of the DNS, focusing on (1) the impact of including IPv6 addresses of root name servers in the configuration file commonly known as the "root hints", a file that recursive name servers initially rely on to provide recursive name service, and (2) the impact of including IPv6 addresses of root name servers in the response messages for a DNS protocol exchange ("priming") that operators use to ensure that a recursive name server always starts operation with the most up-to-date list of root name servers.

With respect to (1), including IPv6 addresses of root name servers in the root hints file will have little effect on deployed recursive name server implementations. Specifically, the RSSAC and SSAC find that the existing procedures for publishing root hints are adequate to support the addition of IPv6 addresses of root name servers in the files made available at ftp://ftp.internic.net/domain/.
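The following check is an added example, not part of the report or of any SSAC/RSSAC tooling: it parses a hints file in DNS master-file layout and reports which listed root name servers lack a valid IPv6 (AAAA) address, the kind of audit an operator might run on a local hints file. The sample text is constructed and uses documentation-range addresses, and the function names are hypothetical.

```python
import ipaddress

# Constructed excerpt in root-hints (master file) layout. Addresses are
# documentation-range placeholders, not real root name server addresses.
SAMPLE_HINTS = """\
; constructed sample, not the published file
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.2
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.0.2.3
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::zz
"""

def parse_hints(text):
    """Return ({server: {"A": [...], "AAAA": [...]}}, [(line_no, problem)])."""
    servers, errors = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()      # strip comments
        if not fields:
            continue
        if len(fields) == 5 and fields[2].upper() == "IN":
            del fields[2]                          # optional class field
        if len(fields) != 4 or not fields[1].isdigit():
            errors.append((line_no, "unrecognised record"))
            continue
        owner, _ttl, rtype, rdata = fields
        rtype = rtype.upper()
        if rtype == "NS" and owner == ".":
            servers.setdefault(rdata.upper(), {"A": [], "AAAA": []})
        elif rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                errors.append((line_no, "invalid address"))
                continue
            if addr.version != (4 if rtype == "A" else 6):
                errors.append((line_no, "address family does not match type"))
                continue
            entry = servers.setdefault(owner.upper(), {"A": [], "AAAA": []})
            entry[rtype].append(str(addr))
        else:
            errors.append((line_no, "unexpected record type"))
    return servers, errors

def missing_ipv6(servers):
    """Names of listed servers with no usable AAAA record."""
    return sorted(name for name, rr in servers.items() if not rr["AAAA"])
```

A malformed AAAA value is reported as an error and the server is counted as IPv4-only, so a typo in the hints file surfaces in the audit instead of being silently accepted.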

With respect to (2), a number of resolvers commonly used in production networks today were tested and demonstrated capable of accepting IPv6 address records returned in response to type NS queries by TLD name servers without incident. Moreover, intermediate systems commonly used in production networks today allow DNS messages containing IPv6 addresses to pass without incident (either as a default policy or by user configuration).

The results of these tests are published in the companion documents SAC 016, Testing Firewalls for IPv6 and EDNS0 Support, and SAC 017, Testing Recursive Name Servers for IPv6 and EDNS0 Support.

The committees also found that DNS implementations used by all thirteen root name server operators are capable of including IPv6 records.

On the basis of the above findings, the committees conclude that adding IPv6 records for the root servers to both the hints file and the zone will have minimal impact on name server implementations and intermediate systems used in production networks.