IPv6 data shows DNS issues are gone


Geoff Huston's advertising-based experiments reveal that the negative impact of DNS resolution via IPv6 is now negligible (APNIC's "measuring IPv6"). This data drives the core thesis: the internet has shifted from asking if IPv6 breaks DNS to confirming it is ready for widespread, normative deployment as a Best Current Practice.

The discussion, featured on APNIC's PING podcast, dissects the complexities of defining normative protocol behavior within modern ecosystems. By using a glueless DNS model, researchers can isolate specific resolver behaviors without the noise of typical measurement artefacts like premature session closures. This approach allows for precise execution of advertising-based experiments that constrain queries to IPv6 only, forcing resolvers to demonstrate true capability rather than relying on fallback mechanisms.

Readers will learn how these refined measurements challenge legacy assumptions about IPv6 reliability across different geographic regions and origin networks. The article details why updating RFC 3901 is critical for codifying these operational realities into binding standards. Furthermore, it explores how the absence of traditional "glue" records exposes hidden dependencies in the chain between end users, resolver providers, and authoritative servers. As the IETF considers elevating these guidelines, understanding these constraint-based results becomes essential for anyone shaping future DNS transport policies.

The Role of Normative Protocol Behavior in Modern DNS Ecosystems

Defining Normative Protocol Behavior for DNS over IPv6

Mandatory DNS over IPv6 interactions derive directly from IETF standards defining normative protocol behavior. RFC 3901 appeared in 2004 as "DNS IPv6 Transport Operational Guidelines" per IETF records. This framework transforms suggestions into enforceable rules governing packet exchanges between resolvers and authoritative servers. According to George Michaelson's article, the definition of normative behavior will shape future deployment decisions, implementation choices, and operational dependencies. Implementations like BIND and Unbound must follow these strictures to guarantee interoperability across diverse networks.

Theory conflicts with operational reality in current deployments. While 30.5% of DNS queries are now for IPv6 addresses, only 43.3% of servers are fully IPv6-capable based on available measurement data. This discrepancy forces operators to maintain dual-stack configurations rather than relying solely on normative behavior. Legacy transport persists because the system lacks universal adherence to specified protocol mechanics.

Ignoring these gaps creates measurable resolution failure during IPv6-only incidents. Operators cannot assume path reliability without verifying upstream authoritative server capabilities first. Incomplete adoption results in unavailable services when IPv4 paths get removed.

Operationalizing IPv6 Readiness via Glueless DNS Measurements

According to APNIC blog, glueless DNS models force recursive resolvers to perform separate lookups when authoritative servers omit glue records. This mechanism isolates IPv6 connectivity by constraining the secondary nameserver query to IPv6 transport only, removing reliance on cached A records. The technique eliminates measurement noise caused by premature browser session termination or user distraction during advertising-based tests. As reported by ACM Internet Measurement Conference, researchers like Tobias Fiebig found significant variance in success rates across different origin-AS regions. Strict glueless enforcement may artificially inflate failure metrics for resolvers relying on legacy optimization paths. Operators defining BCP guidelines must weigh pure protocol compliance against actual user experience degradation in mixed-stack environments.

Distinguishing theoretical reachability from operational reliability defines normative behavior. A resolver failing a glueless test lacks true independence from IPv4 infrastructure despite claiming dual-stack support. Ignoring this distinction creates a fragile system where DNS resolution collapses silently under IPv4 congestion. True readiness demands proof of standalone function rather than assumed fallback availability.

Client demand outpaces infrastructure support, creating a resolution bottleneck. Normative protocol behavior dictates that resolvers must retry over alternative transports when primary paths fail, yet this adds latency. The mechanism relies on strict adherence to RFC 3901 transport guidelines to prevent total resolution failure during these gaps. Mismatched capabilities produce measurable timeout errors for end users awaiting fallback procedures.

Maintaining strict IPv6-only testing regimes conflicts with ensuring uninterrupted service for legacy-dependent clients. Most operators prioritize availability over pure protocol compliance during transitional phases. Deploying glueless DNS measurements reveals hidden dependencies that standard health checks miss. Increased query volume simply increases existing fragility in the edge network without synchronized upgrades across the resolver chain.

Inside the Glueless DNS Model and Measurement Artefacts

Glueless DNS Mechanics: Forcing Explicit IPv6 Resolution

Per APNIC blog, glueless DNS models omit auxiliary records, forcing resolvers to execute separate IPv6-only lookups for nameserver addresses. This mechanism isolates transport capability by removing the automatic fallback to IPv4 glue records typically found in the additional section. The process requires two distinct steps: first, the resolver receives a referral without IP addresses; second, it must resolve the nameserver's address using only IPv6 transport.

  1. Authoritative servers withhold A/AAAA records in referrals.
  2. Resolvers initiate a new query constrained to IPv6 sockets.
  3. Resolution succeeds or fails strictly on IPv6 path viability.
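To confirm that a delegation really is glueless, an operator can inspect the referral on the wire. The following is an added example, not code from the APNIC work or the original article: it parses a DNS response and reports whether any NS target has an A or AAAA record in the additional section. The sample message and the names `child.example` and `ns1.nszone.example` are constructed for illustration.

```python
import struct

A, NS, AAAA = 1, 2, 28  # DNS RR type codes

def read_name(msg, off):
    """Decode a possibly compressed name; return (fqdn, offset after it)."""
    labels, resume, hops = [], None, 0
    while (n := msg[off]):
        if n & 0xC0 == 0xC0:                      # compression pointer
            resume = off + 2 if resume is None else resume
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n
    return ".".join(labels) + ".", (off + 1 if resume is None else resume)

def sections(msg):
    """Return [answer, authority, additional], each a list of (owner, type, rdata_off)."""
    qd, *counts = struct.unpack("!4H", msg[4:12])
    off, out = 12, []
    for _ in range(qd):                           # skip the question section
        off = read_name(msg, off)[1] + 4
    for count in counts:
        rrs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rrs.append((owner, rtype, off + 10))
            off += 10 + rdlen
        out.append(rrs)
    return out

def classify_referral(msg):
    """'glueless' when no NS target has an A/AAAA record in the additional section."""
    answer, authority, additional = sections(msg)
    targets = {read_name(msg, rd)[0] for _, t, rd in authority if t == NS}
    if answer or not targets:
        return "not-a-referral"
    glue = [o for o, t, _ in additional if t in (A, AAAA) and o in targets]
    return "glued" if glue else "glueless"

def enc(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".") if p) + b"\0"
def rr(owner, rtype, rdata):
    return enc(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

def sample_referral(with_glue):
    """Constructed referral for child.example; all names are made up."""
    extra = rr("ns1.nszone.example.", A, bytes([192, 0, 2, 53])) if with_glue else b""
    head = struct.pack("!6H", 0x1234, 0x8000, 1, 0, 1, 1 if with_glue else 0)
    question = enc("www.child.example.") + struct.pack("!HH", AAAA, 1)
    return head + question + rr("child.example.", NS, enc("ns1.nszone.example.")) + extra
```

A "glued" result for a zone meant to be part of a glueless test means resolvers can still reach the nameserver through the address in the referral, so the IPv6-only constraint is not being exercised.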

Recent large-scale studies utilizing 90 million DNS measurements confirm this approach eliminates measurement artefacts caused by premature user session termination or advertisement-triggered noise. However, the cost is increased latency during the initial lookup phase when glue is absent from the cache. Unlike standard resolution where IPv4 glue often masks IPv6 failures, this model exposes true dependency states.

| Glue Records | Provided | Omitted |
| :--- | :--- | :--- |
| Fallback Path | Implicit via Glue | None (IPv6 Only) |
| Measurement Noise | High | Low |

The implication for network engineers is clear: normative behavior definitions now demand explicit verification of IPv6 paths rather than assuming connectivity through legacy transports.

According to the APNIC blog, glueless DNS models eliminate errors from premature browser closes by forcing explicit IPv6 resolver queries. Standard dual-stack measurements often conflate user abandonment with genuine connectivity failure when advertisement-based tests trigger before a page loads completely. The mechanism works by withholding glue records, forcing the recursive resolver to initiate a fresh, IPv6-constrained lookup for the nameserver address rather than relying on cached IPv4 hints.

  1. Authoritative servers omit auxiliary IP addresses in referrals.
  2. Resolvers must perform a separate query strictly over IPv6.
  3. Success metrics reflect pure transport viability without session noise.

However, this isolation introduces a trade-off: strict IPv6 enforcement may mask hybrid-network durability where fallback mechanisms usually preserve uptime. Unlike ad-driven approaches suffering from attention drift, this method captures deterministic protocol behavior independent of end-user patience.

| Measurement Type | Primary Error Source | Data Purity |
| :--- | :--- | :--- |
| Advertisement-Based | User abandonment | Low |
| Glueless Model | None (Protocol enforced) | High |

Meanwhile, the cost is operational complexity in test deployment, as synthetic transactions require precise server-side configuration to suppress glue. Pure protocol validation remains necessary for defining normative behavior.

Glueless Model Versus Traditional DNS Resolution Fallback

According to APNIC blog, glueless DNS forces explicit IPv6 lookups by withholding auxiliary records, preventing the automatic IPv4 fallback common in traditional resolution. Standard dual-stack operations rely on glue records within the additional section to populate cache with both A and AAAA addresses, allowing resolvers to bypass transport failures by switching protocols silently. The glueless method strips this safety net, forcing the resolver to issue a fresh query constrained strictly to IPv6 sockets when resolving nameserver addresses. However, strict isolation reveals a hidden dependency: operators assuming implicit IPv4 redundancy may face total resolution failure if IPv6 paths drop packets without generating ICMP errors.

The glueless DNS model eliminates browser session noise by withholding auxiliary records, forcing explicit IPv6 lookups that advertisement-based tests often miss due to premature user closure. Standard resolution relies on cached data to mask transport failures, whereas this method compels resolvers to query nameserver addresses strictly over IPv6 sockets. This approach isolates protocol viability from the variable duration of human attention spans during ad-triggered tests.

| Resolution Mode | Cache Dependency | IPv6 Enforcement |
| :--- | :--- | :--- |
| Standard Dual-Stack | High (uses glue) | Optional fallback |
| Glueless Model | None (forced lookup) | Mandatory constraint |

Operators must configure zones to omit A and AAAA records for delegated nameservers to replicate these conditions.

  1. Edit zone files to remove auxiliary IP addresses in the additional section.
  2. Restrict probe socket policies to reject any IPv4 response codes during resolution.
  3. Validate logs for distinct query chains indicating successful forced IPv6 retrieval.
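The log validation in step 3 can be automated by correlating queries across the servers involved. This is an added example, not the article's or APNIC's tooling: it assumes a hypothetical one-line-per-query log format, a unique label per test (`t001`, `t002`, ...), and three constructed server roles (`parent`, `nszone`, `child`), with the last two reachable over IPv6 only.

```python
import re
from collections import defaultdict

# Constructed query log from three authoritative servers (format is hypothetical):
#   parent = returns the glueless referral, nszone = zone holding the nameserver's
#   own name, child = delegated zone. nszone and child listen on IPv6 only.
SAMPLE_LOG = """\
10:00:01.120 parent src=192.0.2.10 q=t001.child.example. A
10:00:01.180 nszone src=2001:db8::10 q=ns.t001.nszone.example. AAAA
10:00:01.240 child src=2001:db8::10 q=t001.child.example. A
10:00:02.000 parent src=192.0.2.20 q=t002.child.example. A
10:00:03.000 parent src=2001:db8::30 q=t003.child.example. A
10:00:03.050 nszone src=2001:db8::30 q=ns.t003.nszone.example. AAAA
10:00:04.000 parent src=192.0.2.40 q=t004.child.example. A
10:00:04.060 nszone src=192.0.2.40 q=ns.t004.nszone.example. AAAA
"""

LINE = re.compile(r"^\S+ (parent|nszone|child) src=(\S+) q=(\S+) \S+$")
EXP_ID = re.compile(r"^t\d+$")
VERDICTS = {
    ("parent",): "no-ipv6-follow-up",
    ("parent", "nszone"): "stalled-after-ns-lookup",
    ("parent", "nszone", "child"): "ipv6-capable",
}

def experiment_id(server, qname):
    """Pull the per-test label out of t001.child.example. / ns.t001.nszone.example."""
    labels = qname.lower().split(".")   # lower() tolerates 0x20 case randomisation
    label = labels[1] if server == "nszone" and len(labels) > 1 else labels[0]
    return label if EXP_ID.match(label) else None

def classify_chains(log_text):
    """Map each test id to a verdict from the order in which servers saw it."""
    chains = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        exp = experiment_id(m.group(1), m.group(3)) if m else None
        if exp is None:
            continue
        server, src = m.group(1), m.group(2)
        if server != "parent" and ":" not in src:
            chains[exp].append("ipv4-leak")        # IPv6-only constraint was bypassed
        elif server not in chains[exp]:
            chains[exp].append(server)
    return {exp: VERDICTS.get(tuple(c), "invalid-test") for exp, c in chains.items()}

def capable_share(verdicts):
    """Fraction of valid tests whose resolver completed the chain over IPv6."""
    valid = [v for v in verdicts.values() if v != "invalid-test"]
    return sum(v == "ipv6-capable" for v in valid) / len(valid) if valid else 0.0
```

On the constructed log, `t001` completes the chain, `t002` never follows the referral over IPv6, `t003` resolves the nameserver name but never sends the final query, and `t004` is discarded because an IPv4 source reached a server that should be IPv6-only.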

The cost of this strict isolation is increased latency for resolvers lacking strong IPv6 paths, a trade-off acceptable for measurement accuracy but risky for production user experience.

Normative Behavior Definitions in RFC 3901 Updates

The IETF August 2025 discussion on RFC 3901 bis establishes that defining normative behavior determines whether IPv6-only DNS achieves Best Current Practice status. Without explicit, strongly binding terms, operators lack the authority to disable legacy IPv4 transport dependencies in production environments. The disparity between query volume and server capability creates operational ambiguity when standards remain descriptive rather than prescriptive. Rising enterprise reliance on private AI deployments drives demand for precise protocol definitions that eliminate fallback uncertainty. However, mandating IPv6-only resolution risks breaking connectivity for the significant portion of infrastructure still lacking dual-stack readiness. This tension forces network architects to choose between strict compliance and universal accessibility based on specific user base requirements. Operators must evaluate their tolerance for resolution failures against the strategic benefit of simplified network stacks. Clear definitions will ultimately dictate the pace of infrastructure modernization across the sector.

Enterprise Modernization Drivers: 5G and Private AI Deployments

As reported by Market Context Data, the global 5G services market will reach USD 667.90 billion by 2027, forcing DNS infrastructure to abandon IPv4 crutches for pure scale. This massive expansion demands transport layers that handle exponential query volumes without legacy fallback delays. Private artificial intelligence clusters introduce strict latency budgets that dual-stack ambiguity cannot satisfy. Per Market Context Data, at least 15% of enterprises will shift toward private AI deployments by 2027, increasing technical demands on name resolution precision. These environments require deterministic path selection where IPv6-only DNS eliminates race conditions inherent in happy eyeballs algorithms. The cost is operational complexity; removing IPv4 removes a failure domain but also removes a backup path during transition errors.

| Driver | Impact on DNS Architecture |
| :--- | :--- |
| 5G Scale | Mandates address space efficiency |
| Private AI | Requires deterministic latency |
| Modernization | Forces protocol standardization |

In practice, based on Market Context Data, over 75% of global enterprises plan to modernize network infrastructure by 2027, yet many retain legacy transport defaults. Retaining dual-stack logic for non-critical paths wastes compute cycles needed for AI inference tasks. The limitation remains that upstream providers must guarantee full IPv6 reachability before disabling IPv4 resolvers entirely. Operators should adopt glueless measurement techniques to validate readiness before committing to single-stack production environments. Failure to isolate these variables risks outages when private AI workloads attempt resolution over untested paths. This disparity forces recursive resolvers to wait for IPv6 transport timeouts before attempting fallback A-record lookups, degrading user experience during the transition window. Operators deploying IPv6-only DNS without verifying upstream authority readiness risk total service outages for domains lacking explicit AAAA records.

| Deployment Model | Failure Mode | Risk Profile |
| :--- | :--- | :--- |
| Dual-Stack DNS | Happy Eyeballs delay | Moderate latency |
| IPv6-Only DNS | Total resolution failure | Critical outage |

Reliance on normative behavior definitions in updated RFC 3901 standards assumes universal provider compliance that current infrastructure metrics do not support. InterLIR recommends auditing authoritative chains for specific domains before enforcing strict IPv6 policies on enterprise resolvers. Blind adoption ignores the reality that nearly half of global nameservers cannot yet sustain independent IPv6 transactions without glue assistance.

About

Alexei Krylov, Head of Sales at InterLIR, brings critical market perspective to the complex discussion surrounding DNS over IPv6. As a specialist managing B2B transactions for IP resources, Krylov daily navigates the practical challenges organizations face during the transition from IPv4 to IPv6. His direct experience with Regional Internet Registries (RIRs) and client infrastructure needs allows him to contextualize technical findings, such as those presented by Geoff Huston on the PING podcast, within real-world deployment scenarios. While InterLIR facilitates the redistribution of legacy IPv4 addresses, Krylov understands that long-term network stability relies on reliable DNS protocols functioning smoothly across both address families. By connecting high-level research from the ACM Internet Measurement Conference to immediate customer concerns about connectivity and reliability, he bridges the gap between theoretical network measurement and the operational realities of maintaining global network availability.

Conclusion

The operational breaking point for DNS over IPv6 is no longer theoretical latency but the cascade failure of recursive resolvers waiting on unresponsive upstream authorities. While research confirms that resolution delays are negligible when paths function, the hidden cost lies in the 56.7% of servers that still lack full native capability, forcing timeouts that cripple private AI workloads demanding deterministic response times. As enterprises rush to modernize 75% of their infrastructure by 2027, retaining dual-stack logic for non-critical traffic wastes essential compute cycles, yet jumping straight to IPv6-only invites catastrophic outages if upstream providers cannot guarantee reachability. You must treat current infrastructure metrics as a hard constraint rather than an aspirational target; normative RFC compliance means nothing if your specific dependency chain breaks under load.

Organizations should mandate a strict audit of authoritative chains for all critical domains before disabling IPv4 fallbacks, setting a hard deadline of Q4 2027 for any transition to single-stack environments. Do not rely on global averages; your specific risk profile depends entirely on whether your top-ten relied-upon domains support glueless traversal. Start this week by running targeted AAAA connectivity tests against your primary upstream resolvers during peak traffic windows to measure actual timeout rates rather than assuming readiness based on vendor claims. This empirical data will reveal whether your network can sustain the shift or if you remain vulnerable to silent resolution failures that degrade user experience far more than legacy transport overhead ever.

Frequently Asked Questions

Why can't enterprises switch to IPv6-only DNS if most queries are already IPv6?
Only 43.3% of servers are fully IPv6-capable, forcing dual-stack use. Although 30.5% of queries target IPv6 addresses, the infrastructure gap prevents reliable standalone operation without risking total resolution failure for users.
What specific failure mode does the glueless DNS model expose in resolvers?
Glueless models force separate lookups, revealing that many resolvers lack true IPv6 independence. While 30.5% of queries seek IPv6 addresses, only 43.3% of servers support them fully, causing silent collapses when IPv4 paths fail.
How do advertising-based experiments improve measurement accuracy compared to standard user tests?
These experiments eliminate noise from premature browser closures or user distraction during testing. They accurately show that while 30.5% of queries are for IPv6, only 43.3% of servers are capable, isolating true resolver behavior.
Is normative protocol behavior currently sufficient to guarantee DNS resolution over IPv6?
No, because only 43.3% of servers are fully IPv6-capable despite 30.5% of queries targeting IPv6. Legacy transport persists due to this mismatch, meaning strict normative rules cannot yet ensure universal interoperability or reliability.
What data discrepancy forces operators to maintain dual-stack configurations instead of IPv6-only?
The gap between 30.5% of queries for IPv6 addresses and only 43.3% of servers being fully capable creates risk. Operators must keep IPv4 fallbacks to prevent service unavailability during incidents affecting IPv6 paths.