It is theoretically possible to completely automate reverse DNS provisioning. It just requires will to do it. Enterprises have been doing automated reverse DNS provisioning for decades now using DNS UPDATE requests from DHCP servers using TSIG or GSS-TSIG. This method does it as part of prefix delegation and provides support for cryptographically secure updates by passing the public key as part of the prefix delegation request. https://www.ietf.org/archive/id/draft-andrews-dnsop-pd-reverse-02.txt You could also just allow DNS UPDATE requests over TCP/IPv6 to add/delete NS and DS records at the /48 level of reverse tree matching the TCP source address. BIND has supported this for over a decade now as it was developed to provide a mechanism to populate the 6to4 reverse zone (2.0.0.2.ip6.arpa). It didn’t get taken up as Geoff Huston decide to go the HTTP route. I would have the DHCPv6 server delete the records when the prefix delegation expires. key DHCP-SERVER { ... }; zone 8.B.D.0.1.0.0.2.ip6.arpa { ... update-policy { // limit to 10 NS records and 5 DS records. grant * 6to4-self . NS(10) DS(5); grant DHCP-SERVER subdomain *; }; }; In both cases the customer populates the delegation and adds DS records as required. This is just bolting together existing technologies. This will not take off unless ISPs buy into the mechanisms. Mark
On 20 Jul 2021, at 03:01, Bryan Fields <Bryan@bryanfields.net> wrote:
On 7/19/21 8:09 AM, Stephen Satchell wrote:
First, I know this isn't the right place to propose this; need a pointer to where to propose an outlandish idea.
What would the domain names look like? Let's take my current IP/IPv6 assignments from AT&T:
2600:1700:79b0:ddc0::/64 99.65.194.96/29
The IPv6 delegation would be easy:
0.c.d.d.0.b.9.7.0.0.7.1.0.0.6.2.ip6.arpa. NS my-DNS-server-1. 0.c.d.d.0.b.9.7.0.0.7.1.0.0.6.2.ip6.arpa. NS my-DNS-server-2.
Yup, simple, I do this for my customers (and DS records).
However that reverse zone has DNSSEC on it. You'd need a DS record to tie my-DNS-server-1. to the ATT DNS server and your server would need to support DNSSEC. ATT may want to enforce DNSSEC on that zone, but not want to sign stuff they can't control.
Just playing devils advocate.
-- Bryan Fields
727-409-1194 - Voice http://bryanfields.net
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org