DNS over IPv6 for India Domains Sample (2020-12)
DNS Institute's research of a small sample of popular India domain names indicated that 28% completely failed for DNS over IPv6. DNS Institute performs comprehensive DNS analysis, security testing, and commercial monitoring of nameservers and domains for S&P Global Top 100 Banks, Fortune 500 companies, US government, and various TLDs based on IETF RFC specifications and best practices, government requirements, and registry guidelines.
The government of India has had an IPv6 transition plan for several years. The entire .in TLD domain space was supposed to support IPv6 by June 2014, a deadline later revised to January 2017. Also by 2017, all content and application providers and the complete financial ecosystem, including payment gateways, should endeavor to adopt IPv6. The timelines were revised in February 2020 to state that "All Government organizations should complete IPv6 transition latest by March, 2020" and that service providers should be IPv6 ready by December 2020.
Version-II of the National IPv6 Deployment Roadmap (2016-11) documented that DNS is involved in the transition: services should support AAAA records, approved websites must use global addresses and work with IPv6, and TLD nameservers should be reachable over IPv6. It also recommended that IPv6-enabled domains enable DNSSEC.
DNS Institute did a quick DNS research study of 150 domains for financial institutions, popular websites, news media, and government organizations in India. From this baseline, we found that:
- 28% completely failed for DNS over IPv6.
- 54% were missing AAAA IPv6 address records for one or more of their nameservers (delegated from a parent).
- 0.6% had UDP and TCP timeouts for an IPv6 nameserver address.
- 0.5% had nameservers that had a TCP failure over IPv6.
- 0.6% had only a single nameserver address.
- 0.8% had only one working nameserver.
- 25% failed to have working nameservers in different topological IPv6 networks.
- 30% had at least one nameserver not reachable via IPv6.
- For domains that had IPv6 addresses for their nameservers, none used private or non-global addresses.
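Several of the findings above (missing AAAA records, a single nameserver address, non-global addresses, no network diversity) can be checked offline once the nameservers' AAAA records have been collected. The sketch below is an added example, not DNS Institute's tooling; the function name, issue labels, sample data, and the use of a shared /48 prefix as a stand-in for "same topological network" are all assumptions.

```python
import ipaddress

# Constructed sample data: hostnames and addresses are illustrative placeholders,
# not taken from the study. Each domain maps nameserver -> its AAAA records.
SAMPLES = {
    "diverse.example": {"ns1.example.net": ["2400:aaaa:1::53"],
                        "ns2.example.net": ["2400:bbbb:2::53"]},
    "same-address.example": {"ns1.example.net": ["2400:aaaa:1::53"],
                             "ns2.example.net": ["2400:aaaa:1::53"]},
    "partial.example": {"ns1.example.net": ["2400:aaaa:1::53"],
                        "ns2.example.net": []},
    "v4only.example": {"ns1.example.net": [], "ns2.example.net": []},
    "ula.example": {"ns1.example.net": ["fd00::53"],
                    "ns2.example.net": ["2400:bbbb:2::53"]},
}

def audit_ns_ipv6(ns_aaaa, prefix_len=48):
    """Return sorted issue labels for one domain's delegated nameservers.

    prefix_len is an assumed proxy for network diversity: addresses that share
    the same /prefix_len are treated as being in the same network.
    """
    issues, addrs = set(), set()
    for records in ns_aaaa.values():
        if not records:
            issues.add("ns_missing_aaaa")          # this nameserver is IPv4-only
        addrs.update(ipaddress.IPv6Address(r) for r in records)
    if not addrs:
        issues.add("no_ipv6_nameserver_address")   # domain cannot resolve over IPv6
        return sorted(issues)
    if any(not a.is_global for a in addrs):
        issues.add("non_global_address")           # ULA, link-local, documentation, ...
    if len(addrs) == 1:
        issues.add("single_nameserver_address")    # all names point at one address
    networks = {ipaddress.IPv6Network((int(a), prefix_len), strict=False)
                for a in addrs}
    if len(networks) < 2:
        issues.add("no_topological_diversity")
    return sorted(issues)

if __name__ == "__main__":
    for domain, ns in SAMPLES.items():
        print(domain, audit_ns_ipv6(ns) or "ok")
```

Reachability findings such as UDP/TCP timeouts and TCP resets need live queries against each address and are outside what this static check covers.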
A few selected examples include:
- airtel.in nameservers resolved to the same IPv6 address and it timed out.
- delhimetrorail.com nameservers didn't have AAAA records.
- indiapost.gov.in nameservers had a TCP failure or TCP connection reset.
- ap.gov.in had a nameserver that responded with a Recursion Available flag (RA).
- bsnl.co.in and tdscpc.gov.in had DNSSEC signatures but not in parent delegations. Neither of these domains worked over IPv6 (no AAAA addresses for nameservers and connection timeout, respectively).
DNS Institute detected 4807 issues over IPv6 across the 150 domains studied, spanning 39 unique issue types. Only 0.5% of the domains had DNSSEC signatures and only 0.3% validated with a chain of trust.
For information about the DNS analysis service, please visit http://www.dnsinstitute.com/dns-monitoring/ or contact the DNS Institute. You may contact DNS Institute for a free DNS over IPv6 analysis. DNS Institute frequently publishes DNS research and educational reports. Follow them via Twitter at https://twitter.com/DNSInstitute and Facebook at https://facebook.com/dnsinst/.