Hi guys,
I am looking for operational experience here.
We have just turned up IPv6 in our "guest wireless", by way of using RA for address distribution and DHCPv6 for the DNS server address (stupid, yup).
Apart from the dhcp6 part seemingly not working on Juniper ISGs (or maybe it's my windows *and* that Ubuntu), I now see IPv6 addresses instead of names.
I as a networking droid have not much quarrel with that, but I am interested in how or whether at all others handle this.
Are you creating DNS entries somehow (reverse and, ultimately, forward), are you using BIND "generate" statements, are you using wildcards...or are you just ignoring this for the "dynamic boxes"?
Please enlighten me!
Elmar.
On 2010-09-14 14:27, Elmar K. Bins wrote:
Hi guys,
I am looking for operational experience here.
We have just turned up IPv6 in our "guest wireless", by way of using RA for address distribution and DHCPv6 for the DNS server address (stupid, yup).
Unfortunately not a lot of gear understands RFC5006 yet. One can opt though to just use DHCPv4 for DNS/IPv4 and RA for the IPv6 address, that is how most setups work; you don't get DNS over IPv6, but who truly cares about that? IPv4 works fine too.
Apart from the dhcp6 part seemingly not working on Juniper ISGs (or maybe it's my windows *and* that Ubuntu), I now see IPv6 addresses instead of names.
I as a networking droid have not much quarrel with that, but I am interested in how or whether at all others handle this.
Are you creating DNS entries somehow (reverse and, ultimately, forward), are you using BIND "generate" statements, are you using wildcards...or are you just ignoring this for the "dynamic boxes"?
It all depends on the environment and why one would want to enable reverse DNS. Do 'guests' really need reverse DNS, and if so, how would you control what those guests get in there?
Instead of handpicking names or letting people insert data into your DNS servers, some people are deploying PowerDNS with custom backends for this that either convert the IPv6 address into a 128bit hex number, optionally stripping the first 64 bits and replacing that with 'autogen' or 'wlan-' or similar. Something else that I have seen is that the backend randomly picks a name from a dictionary and then assigns that 'statically' to that address.
I personally only put hosts in reverse DNS that re-appear more than once.
Jeroen
On 9/14/10 5:38 AM, Jeroen Massar wrote:
Instead of handpicking names or letting people insert data into your DNS servers, some people are deploying PowerDNS with custom backends for this that either convert the IPv6 address into a 128bit hex number, optionally stripping the first 64 bits and replacing that with 'autogen' or 'wlan-' or similar. Something else that I have seen is that the backend randomly picks a name from a dictionary and then assigns that 'statically' to that address.
I wildcarded the subnets that we use for dynamic assignments. Statically assigned hosts get statically assigned reverse entries.
I personally only put hosts in reverse DNS that re-appear more than once.
Jeroen
On Tue, Sep 14, 2010 at 02:38:35PM +0200, Jeroen Massar wrote:
Instead of handpicking names or letting people insert data into your DNS servers, some people are deploying PowerDNS with custom backends for this that either convert the IPv6 address into a 128bit hex number, optionally stripping the first 64 bits and replacing that with 'autogen' or 'wlan-' or similar. Something else that I have seen is that the backend randomly picks a name from a dictionary and then assigns that 'statically' to that address.
As I repaired my adaption of Wichert Modderman's PowerDNS ipv6 forward/reverse walldns-style backend just yesterday, this is probably the right moment to share it [1] with you. It works with netaddr [2] > 0.7, however beware of an odd issue [3] with PowerDNS and python's sys.platform.
The good thing about PowerDNS is that it is modular, so you can run several backends and types of backends at once, which will get exhausted for queries in the order they are specified. [4] With a pipebackend such as the aforementioned being called _after_ your regular authoritative backend, you can have customized records for certain ipv6 addresses in your ranges while still providing a consistent mapping of forward and reverse records for the gazillion of ipv6 addresses.
$ dig @mandelbrot.zaphods.net -x 2001:67c:1400:1220::af +short
node-4v.ipv6.zaphods.net.
$ dig @mandelbrot.zaphods.net aaaa node-4v.ipv6.zaphods.net +short
2001:67c:1400:1220::af
Stefan
[1] http://zaphods.net/~zaphodb/pdns-ipv6-reverse-backend.py
[2] http://code.google.com/p/netaddr/
[3] http://code.google.com/p/netaddr/issues/detail?id=59
[4] http://doc.powerdns.com/modules.html
[5] http://wiki.powerdns.com/trac
PS: find the powerdns community [5] on #powerdns @ irc.oftc.net
--
Hardware is the part of a computer system you can kick. Software is what makes you want to kick the hardware.
On (2010-09-14 14:27 +0200), Elmar K. Bins wrote:
I as a networking droid have not much quarrel with that, but I am interested in how or whether at all others handle this.
About a year ago I spent half an hour hacking together base36 and rfc2289 stateless DNS for IPv6. I'm not making any statements on its sensibility or lack of it. I don't use it myself, as we aren't that far in our IPv6 deployment that we need to think about the problem.
[ytti@lintukoto ~]% dig -x c001:dead::babe @62.236.255.181 +short
bd80m2ztp38uc3l76b06mk33y.ip.fi.
[ytti@lintukoto ~]% dig -x c001:dead::babe @62.236.255.182 +short
mudd-do-lava-0-off-bit.ip.fi.
[ytti@lintukoto ~]% dig bd80m2ztp38uc3l76b06mk33y.ip.fi. AAAA @62.236.255.181 +short
c001:dead::babe
[ytti@lintukoto ~]% dig mudd-do-lava-0-off-bit.ip.fi. AAAA @62.236.255.182 +short
c001:dead::babe
--
++ytti
On Sep 14, 2010, at 5:27 AM, Elmar K. Bins wrote:
Hi guys,
I am looking for operational experience here.
We have just turned up IPv6 in our "guest wireless", by way of using RA for address distribution and DHCPv6 for the DNS server address (stupid, yup).
Apart from the dhcp6 part seemingly not working on Juniper ISGs (or maybe it's my windows *and* that Ubuntu), I now see IPv6 addresses instead of names.
I as a networking droid have not much quarrel with that, but I am interested in how or whether at all others handle this.
Are you creating DNS entries somehow (reverse and, ultimately, forward), are you using BIND "generate" statements, are you using wildcards...or are you just ignoring this for the "dynamic boxes"?
Please enlighten me!
Elmar.
I would strongly discourage $GENERATE statements... You won't have enough memory or even disk space to hold the results.
I think the choices are either live with numbers, use a wildcard, or use dynamic DNS name registration.
Owen
On Tue, Sep 14, 2010 at 02:27:59PM +0200, Elmar K. Bins wrote:
Are you creating DNS entries somehow (reverse and, ultimately, forward), are you using BIND "generate" statements, are you using wildcards...or are you just ignoring this for the "dynamic boxes"?
I haven't had my coffee yet this morning, so I may be misunderstanding you... I think you're asking for some way for your v6 subnet to both have proper forward and reverse DNS, right? If so, I personally find http://member.wide.ad.jp/~fujiwara/v6rev.html very useful. If you run a "normal" DNS server on the same IP, it probably will be hard to get it working. But, if you don't, it's pretty easy. You'd want to get v6rev.pl from the page above.
Here is my config example:
server_address: 0.0.0.0, 2001:470:892c:3432::1
server_port: 53
pid_file: /var/run/v6rev.pid
reconfig_interval: 3600
reverse_domainname: c.2.9.8.0.7.4.0.1.0.0.2.ip6.arpa #/48 tbroker home
reverse_domainname: 1.0.8.c.0.7.4.0.1.0.0.2.ip6.arpa #/48 tbroker work
forward_domainname: dyn.harry.lu
keyfile_dir: /home/v6rev/keys
ttl: 3600
nsname: dyn.harry.lu
enable_dnssec: 0
querylog: 1
static_ptr: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.3.4.3.c.2.9.8.0.7.4.0.1.0.0.2.ip6.arpa harry.lu
static_ptr: 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.8.c.0.7.4.0.1.0.0.2.ip6.arpa staticsample.harry.lu
Now, if you check the forward and reverse DNS entries for the subnets you defined in reverse_domainname:
$ dig -x 2001:470:892c::7 +short
20010470892c00000000000000000007.dyn.harry.lu.
$ dig AAAA 20010470892c00000000000000000007.dyn.harry.lu +short
2001:470:892c::7
Pretty cool, eh? You can also add in your own static ones on the same subnet using static_ptr.
However, I bet I totally misunderstood your question!
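The stateless mapping shown in this post, as an added Python example that is not part of the original message and is not v6rev.pl's own code: it reuses the post's /48 and forward zone, and the function names are hypothetical. The prefix check in both directions keeps the zone from forward-confirming addresses outside the delegation.

```python
import ipaddress

# Values taken from the config in the post above; everything else is assumed.
PREFIX = ipaddress.ip_network("2001:470:892c::/48")
FORWARD_ZONE = "dyn.harry.lu."
HEX = "0123456789abcdef"


def ptr_qname_to_address(qname):
    """Parse a full nibble-format ip6.arpa name into an IPv6Address, or None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        return None  # partial names (zone cuts) and other trees get no PTR
    nibbles = labels[:32]
    if any(len(n) != 1 or n not in HEX for n in nibbles):
        return None
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))


def synth_ptr(qname):
    """Answer a PTR query with a 32-hex-digit label under FORWARD_ZONE."""
    addr = ptr_qname_to_address(qname)
    if addr is None or addr not in PREFIX:
        return None  # never answer for space we are not delegated
    return "%032x.%s" % (int(addr), FORWARD_ZONE)


def synth_aaaa(qname):
    """Answer an AAAA query by decoding the label; None if it is not ours."""
    name = qname.lower().rstrip(".") + "."
    if not name.endswith("." + FORWARD_ZONE):
        return None
    label = name[: -len(FORWARD_ZONE) - 1]
    if len(label) != 32 or any(c not in HEX for c in label):
        return None
    addr = ipaddress.IPv6Address(int(label, 16))
    # Without this check the zone would "confirm" any address a client names.
    return str(addr) if addr in PREFIX else None


def forward_confirmed(address):
    """True if PTR(address) maps back to the same address (FCrDNS)."""
    ip = ipaddress.ip_address(address)
    ptr = synth_ptr(ip.reverse_pointer + ".")
    return ptr is not None and synth_aaaa(ptr) == str(ip)
```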
Re Harry, Owen and all the others,
first, thank you for your feedback. Seems there is no real consensus, but people are leaning more towards "if it's dynamic, forget rDNS".
The PowerDNS solution looks nice to me (alas, another chunk of software the system droids would have to maintain). I am also always fond of homegrown scripts that get the job done.
And yes, Harry...
harry.nanog@harry.lu (Harry Strongburg) wrote:
However, I bet I totally misunderstood your question!
You lose that bet :-) Thanks for the pointer to the paper.
Cheers, Elmar.
--
"Machen Sie sich erst einmal unbeliebt. Dann werden Sie auch ernstgenommen." (Konrad Adenauer)
--------------------------------------------------------------[ ELMI-RIPE ]---
I've written an internet-draft on the subject: http://tools.ietf.org/html/draft-howard-isp-ip6rdns-04
The latest update was to add a Recommendations section:
The best option is for ISPs to delegate authority along with address delegation. Where users do not operate authoritative name servers, the next best option is dynamic DNS updates. Where dynamic DNS is impractical, the next best option is to dynamically generate PTR records when queried.
In other words, when you do prefix delegation to a residential customer, generate records on the fly. Ask your DNS vendor to show you how. Wildcards work if all you want is a non-null response.
I'm looking for support or opposition to this. I just can't see any better way to do it.
Lee
-----Original Message----- From: Elmar K. Bins [mailto:elmi@4ever.de] Sent: Tuesday, September 14, 2010 8:28 AM To: nanog@nanog.org Subject: Reverse DNS for IPv6 client networks
Hi guys,
I am looking for operational experience here.
We have just turned up IPv6 in our "guest wireless", by way of using RA for address distribution and DHCPv6 for the DNS server address (stupid, yup).
Apart from the dhcp6 part seemingly not working on Juniper ISGs (or maybe it's my windows *and* that Ubuntu), I now see IPv6 addresses instead of names.
I as a networking droid have not much quarrel with that, but I am interested in how or whether at all others handle this.
Are you creating DNS entries somehow (reverse and, ultimately, forward), are you using BIND "generate" statements, are you using wildcards...or are you just ignoring this for the "dynamic boxes"?
Please enlighten me!
Elmar.
participants (8)
- Elmar K. Bins
- Harry Strongburg
- Jeroen Massar
- Joel Jaeggli
- Lee Howard
- Owen DeLong
- Saku Ytti
- Stefan Schmidt