The AAAA DNS record type was created to hold IPv6 addresses. AAAA records, pronounced “quad A records” are similar to A records. They hold a 128-bit IPv6 address instead of a 32-bit IPv4 address.
IPv6 did not exist when the original DNS specifications (RFC 1034 and 1035) were written. Only a few years later, IPv6 was created to address the problem of IPv4 address space exhaustion. The AAAA record type was introduced in RFC 1886 in 1995. RFC 3596 is the current specification for AAAA records in the DNS.
AAAA record format
Each AAAA record contains a single IPv6 address. Like all other records in the DNS, every AAAA record also has a Time-to-Live (TTL) value in seconds. Here is an example of a AAAA record in zone file format:
www.example.org. 600 AAAA 2001:0dc8:86a4:0000:0000:7a2f:2360:2341
In a DNS message travelling across the Internet, a AAAA record contains an IPv6 address stored as 16 bytes of binary data.
In zone files, web portals, and other human-friendly applications, the IPv6 address for a AAAA record is represented in string format shown above. This format consists of eight groups of four hexadecimal digits. Each group is separated by a colon and represents 16 bits of the address.
IPv6 address shortcuts
IPv6 addresses are long! Many IPv6 addresses contain groups of consecutive zero digits next to one another. As a shorthand notation, any number of consecutive groups of zeros can be replaced with two colons. Leading zeros in each group can also be omitted.
So for example the IPv6 loopback address can be legally written as “0000:0000:0000:0000:0000:0000:0000:0001” or “0:0:0:0:0:0:0:1” or simply as “::1”. These representations are all equivalent. Every IPv6 address is always 128 bits long when sent over the Internet or used by an application.
AAAA versus A
The A record type stores 32-bit IPv4 addresses. Type A records have been part of the DNS since the very beginning. IPv6 was not created until several years later. Type A records can only hold 32 bits of address, but IPv6 addresses are 128 bits long. So a new record type had to be created for IPv6 addresses: AAAA.
IPv4 addresses are 32 bits long which means there are roughly 4 billion possible IPv4 addresses. In the early days of the Internet when computers were large and few in number, this seemed like more than enough. But it wasn’t long before the IPv4 address space began to feel small.
The growth of the Internet was explosive and global. Large organizations snapped up huge ranges, or subnets, of IPv4 addresses. Computers became far more numerous. Phones, smart appliances, and many other new types of devices drove even more demand for addresses. Suddenly, 4 billion possible IPv4 addresses wasn’t nearly enough to sustain the growth of the Internet.
This led to the creation of IPv6. With 128 bit addresses, the IPv6 address space is massive compared to the IPv4 address space. There are approximately 340 trillion trillion trillion IPv6 addresses. This is 100 times the number of atoms on the surface of the Earth!
Multiple AAAA records at a name
More than one IPv6 address at a name in the DNS is typical for redundancy. This is accomplished by creating multiple AAAA records at a DNS name.
There will usually be type A records at the name as well since there are few Internet resources that only support IPv6.
Here is an example showing two type A records and two type AAAA records for www.example.org
with a TTL value of ten minutes:
www.example.org. 600 A 10.0.0.1
www.example.org. 600 A 10.0.0.2
www.example.org. 600 AAAA 2001::1000:1
www.example.org. 600 AAAA 2001::1000:2
The TTL value for all AAAA records at a single name must be identical. This is true for all the records of any type at a name.
Simultaneous queries for A and AAAA records
Clients today often perform simultaneous queries for type A and type AAAA when they are about to connect to an endpoint by name. Unfortunately, the DNS does not allow a client to retrieve both A and AAAA records with a single query. Efforts have been made to streamline this, but to date none have been adopted.
A client capable of using both IPv4 and IPv6 will usually perform two separate DNS queries for the endpoint name. One query will be of type A and the other of type AAAA. All the addresses will be sorted into a list.
The order will depend on the client implementation, local configuration, and policy. Some clients may prefer the IPv4 addresses in the type A response. Other clients may prefer the IPv6 addresses in the type AAAA response.
What TTL should you use for AAAA records?
You should use a TTL of one hour or more for AAAA records that are relatively static. Records that change frequently can have a TTL as low as a few minutes.
TTL selection in the DNS is often complicated. As we discussed in our article on TTL selection in the DNS, shorter TTLs give agility, but longer TTLs increase reliability. Longer TTLs can also decrease latency.
Shorter TTLs come with trade-offs. Use them with caution. TTLs under five minutes should be used sparingly. As a general rule of thumb, use shorter TTLs for DNS records that change frequently and longer TTLs for DNS records that are more static.
Load balancing for IPv6 endpoints
As we discussed in our article on the A record type, there are different ways to perform load balancing for address records in the DNS. Any method used for IPv4 addresses can also be used for IPv6 addresses. Typically, this includes Anycast addresses or variations on round-robin.
Load balancing for AAAA records is effectively the same as for A records. However, there is an interesting consideration that network architects must consider once AAAA records are added for an endpoint: It is not possible for the DNS to force clients to use or prefer IPv4 or IPv6.
DNS cannot enforce preference for IPv4 versus IPv6
If both A and AAAA records exist for a particular name in the DNS, a client is free to connect to any address for that name. The DNS doesn’t have any way to dictate which address should be preferred, or even which address family (IPv4 or IPv6) should be preferred. This can create interesting problems for network architects.
For example, a North American company adds IPv6 addresses for their website. They notice that few of their customers use IPv6 so to reduce costs, they do not allocate very many servers for IPv6. Fast-forward a year or two. The company expands into Asia. The use of IPv6 is more common in Asia. Suddenly, the company’s servers experience many more IPv6 requests than in the past. Since there are few IPv6 servers deployed, customers in Asia may have difficulty reaching the company’s website. The company may need to deploy more IPv6 servers to mitigate.
Domain Name System-based Blocklist (DNSBL)
DNSBLs use the DNS as a distributed database to store blocklists used to defeat email spam. DNSBLs can flag both IPv4 and IPv6 addresses as sources of spam.
A mail server can perform a DNS query with a specific format against a DNSBL to check if a sending host’s IP address has been flagged as a source of spam. In this case, the mail server might reject or throttle requests from that sender’s IP address.
For IPv6 addresses, the DNSBL contains a record at a DNS name composed of the IPv6 address in reverse order, with each hex digit in the address as a label. This is like the format for IPv4 addresses, only much longer. The DNSBL contains a record of type A, not type AAAA, at this name if the address has been flagged as a source of spam. This may seem confusing, but DNSBLs only use the A records as markers.
A mail server would follow these steps to use a DNSBL to check if an IPv6 address is a known source of spam:
- Construct a DNSBL lookup name by reversing the nibbles in the sender’s IPv6 address and appending the DNSBL’s domain name. For example, if the sender’s IPv6 address is 2001:db8:1:2:3:4:567:89ab the lookup name for the example.org DNSBL would be
b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.dnsbl.example.org.
- Perform a standard DNS lookup with query type A (not type AAAA) for this lookup name.
- If the result is NXDOMAIN, there is no entry for the sender’s IP in the blocklist. This means that the sender’s IP is not flagged as a source of spam. Mail should be sent normally.
- A positive result indicates that the sender’s IP exists in the blocklist. This means the IP is considered a source of spam. A TXT lookup for the same name can be performed to retrieve the reason for blocklisting.
The address returned for a blocked IP address may be the fixed value 127.0.0.2. This indicates that the sender’s IP address has been flagged as a source of spam. Other values are also possible. See RFC 5782 section 2.3 for more details.
Looking up AAAA records for a name
The IPv6 address records for a DNS name can be queried with the dig or nslookup command line tools. To find the address records for wikipedia.org, use this command:
dig AAAA wikipedia.org
On operating systems that support nslookup, you can use the following:
nslookup -type=aaaa wikipedia.org