How do you do rDNS for IPv6 ?
I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS is supposed to work. It's clear enough how you look up any particular address, but it's not at all clear to me what you put into an rDNS zone and how you put it there. In IPv4 land, it is standard to assign matching forward and reverse DNS for every live IP, and a fair number of services treat requests from hosts without rDNS with added scepticism. For consumer networks, it's often something like 12-34-56-78.adsl.incompetent.net, with the numbers being the IP address forward or backwards. So if every customer gets a /64, what do you do? You can use a wildcard to give the same rDNS to all 2^64 addresses, but you can't do matching forward DNS, since a DNS response with 2^64 AAAA records would be, ah, a little unwieldy. When hosts self-configure their low 64 bits, do you install a suitable PTR and AAAA into your DNS? If so, how? Do you use DHCPv6 and have it install the DNS? Do you do something else? Signed, Confused
Hi John, On Sun, Dec 5, 2010 at 8:13 PM, John Levine <johnl@iecc.com> wrote:
I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS is supposed to work. It's clear enough how you look up any particular address, but it's not at all clear to me what you put into an rDNS zone and how you put it there.
We've already discussed this in April, and answers came to a line of "use dynamic updates" to "not necessary". Problems lay around table sizes, unnecessary PTR records created, and large end-user blocks. There are other useful tips too, including ideas for PowerDNS and Bind. Thread starts here: http://www.mail-archive.com/nanog@nanog.org/msg22908.html
Signed, Confused
Kindly, Felipe
On 06/12/2010, at 8:25 AM, Felipe Zanchet Grazziotin wrote:
Hi John,
On Sun, Dec 5, 2010 at 8:13 PM, John Levine <johnl@iecc.com> wrote:
I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS is supposed to work. It's clear enough how you look up any particular address, but it's not at all clear to me what you put into an rDNS zone and how you put it there.
There was a session at RIPE61 Rome on this very topic. The summary is: wildcard, more specific for all RR when you break out. http://ripe61.ripe.net/archives/#Thursday http://ripe61.ripe.net/programme/meeting-plan/dns-agenda/ -George
On 12/5/2010 4:25 PM, Felipe Zanchet Grazziotin wrote:
There are other useful tips too, including ideas for PowerDNS and Bind.
Yeah, PowerDNS already supports generating AAAA/PTR on the fly. I'm more of the opinion that generic hosts shouldn't have rDNS, but that will depend on banks and other institutions who sometimes make it a requirement. Jack
On Dec 5, 2010, at 2:13 PM, John Levine wrote:
I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS is supposed to work. It's clear enough how you look up any particular address, but it's not at all clear to me what you put into an rDNS zone and how you put it there.
Pretty much the same thing you put into an IPv4 zone... PTR records. For example:
owen.delong.com. IN AAAA 2620:0:930::200:2
2.0.0.0.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.9.0.0.0.0.0.0.2.6.2.ip6.arpa. IN PTR owen.delong.com.
In IPv4 land, it is standard to assign matching forward and reverse DNS for every live IP, and a fair number of services treat requests from hosts without rDNS with added scepticism. For consumer networks, it's often something like 12-34-56-78.adsl.incompetent.net, with the numbers being the IP address forward or backwards.
Ah, so you're not talking about assigning to live hosts, you're talking about the unfortunate habit of assigning to every possible host. Yeah, that trick doesn't work in IPv6.
So if every customer gets a /64, what do you do? You can use a wildcard to give the same rDNS to all 2^64 addresses, but you can't do matching forward DNS, since a DNS response with 2^64 AAAA records would be, ah, a little unwieldy.
First, customers should be getting more than a /64. A /64 should be a single subnet and customers should, ideally, be getting a /48 for each end site. In general, for the most part, the services that treat missing rDNS with additional skepticism also treat rDNS entries like 12-34-56-78.adsl.incompetent.net with that same or greater skepticism, so, I wouldn't worry too much about it. For hosts where it does matter, you've got to create an AAAA record somehow (just like you needed to create an A record somehow), so, you should be able to use that same process to generate the AAAA and PTR records.
When hosts self-configure their low 64 bits, do you install a suitable PTR and AAAA into your DNS? If so, how? Do you use DHCPv6 and have it install the DNS? Do you do something else?
If you care, you probably need to use DHCPv6 for this and it should be able to build both the AAAA and PTR records. Owen
----- Original Message -----
From: "Owen DeLong" <owen@delong.com> To: "John Levine" <johnl@iecc.com> Cc: nanog@nanog.org Sent: Sunday, 5 December, 2010 2:54:43 PM Subject: Re: How do you do rDNS for IPv6 ? On Dec 5, 2010, at 2:13 PM, John Levine wrote:
When hosts self-configure their low 64 bits, do you install a suitable PTR and AAAA into your DNS? If so, how? Do you use DHCPv6 and have it install the DNS? Do you do something else?
If you care, you probably need to use DHCPv6 for this and it should be able to build both the AAAA and PTR records.
Unless you use privacy extensions, the advantage of IPv6 over IPv4 is that the IP address is built based on your network and the MAC address of the interface, so it is not a random number changed at every connection.... I guess when you provision the machine, you can install the AAAA and PTR record and then also put the MAC address in your access lists...
On Dec 5, 2010, at 5:28 PM, Franck Martin wrote:
----- Original Message -----
From: "Owen DeLong" <owen@delong.com> To: "John Levine" <johnl@iecc.com> Cc: nanog@nanog.org Sent: Sunday, 5 December, 2010 2:54:43 PM Subject: Re: How do you do rDNS for IPv6 ? On Dec 5, 2010, at 2:13 PM, John Levine wrote:
When hosts self-configure their low 64 bits, do you install a suitable PTR and AAAA into your DNS? If so, how? Do you use DHCPv6 and have it install the DNS? Do you do something else?
If you care, you probably need to use DHCPv6 for this and it should be able to build both the AAAA and PTR records.
Unless you use privacy extensions, the advantage of IPv6 over IPv4 is that the IP address is built based on your network and the MAC address of the interface, so it is not a random number changed at every connection....
I guess when you provision the machine, you can install the AAAA and PTR record and then also put the MAC address in your access lists...
That answer presumes an enterprise environment. The question was from the perspective of a residential ISP. I don't think most residential ISPs would regard provisioning individual customer machines as a scalable solution. Owen
On 12/5/2010 4:13 PM, John Levine wrote:
In IPv4 land, it is standard to assign matching forward and reverse DNS for every live IP, and a fair number of services treat requests from hosts without rDNS with added scepticism. For consumer networks, it's often something like 12-34-56-78.adsl.incompetent.net, with the numbers being the IP address forward or backwards.
So if every customer gets a /64, what do you do? You can use a wildcard to give the same rDNS to all 2^64 addresses, but you can't do matching forward DNS, since a DNS response with 2^64 AAAA records would be, ah, a little unwieldy.
I thought the same thing, actually, which is why I made my own solution. I ended up writing a DNS server in perl (using Net::DNS::Nameserver) that replies to reverse queries with a reproducible PTR -- generated by encoding the IP in base32. (Or the second half of the IP, in the case of a few "known" networks.) Forward queries for the matching name decode the base32. The host-specific part of the DNS is kind of long (26 characters, or 13 for known networks), but it's marginally shorter than the full IP (which would be 32/16 characters, without separators). I'm pretty happy with the results, but I'd love to hear if anyone's come up with more elegant solutions. Jima
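As an added example, not Jima's Perl server or anything else from the thread, here is the same idea in Python: Owen's nibble-reversed ip6.arpa name in both directions, plus the base32 synthesis Jima describes (13-character label for the host half of a "known" /64, 26 for a whole address) together with the forward decode that makes the AAAA always match the PTR. The /64, the example.net domains and the host address are constructed.

```python
import base64
import ipaddress

# Constructed sample data (not from the thread): a "known" /64 whose hosts get the
# short 13-character label, and a catch-all domain for everything else.
KNOWN_NETWORKS = {ipaddress.IPv6Network("2001:db8:1234:5678::/64"): "known.example.net."}
GENERIC_DOMAIN = "dyn.example.net."
REVERSE_SUFFIX = ".ip6.arpa."

def reverse_name(addr: str) -> str:
    """Nibble-reverse an address into its ip6.arpa owner name (the shape of Owen's PTR)."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + REVERSE_SUFFIX

def address_from_reverse(name: str) -> ipaddress.IPv6Address:
    """Undo reverse_name: a full 32-label ip6.arpa query back to the address asked about."""
    name = name.lower()
    if not name.endswith(REVERSE_SUFFIX):
        raise ValueError("not an ip6.arpa name")
    labels = name[: -len(REVERSE_SUFFIX)].split(".")
    if len(labels) != 32 or any(len(l) != 1 or l not in "0123456789abcdef" for l in labels):
        raise ValueError("not a full /128 reverse name")
    return ipaddress.IPv6Address(int("".join(reversed(labels)), 16))

def b32(raw: bytes) -> str:
    # Unpadded lower-case base32 is a valid hostname label: letters and digits 2-7 only.
    return base64.b32encode(raw).decode().rstrip("=").lower()

def unb32(label: str) -> bytes:
    # Restore the '=' padding the label dropped; a bad length raises binascii.Error.
    return base64.b32decode(label.upper() + "=" * (-len(label) % 8))

def synth_ptr(addr: str) -> str:
    """Reproducible PTR target: base32 of the low 64 bits inside a known /64 (13 chars),
    of the whole 128-bit address otherwise (26 chars), as in Jima's design."""
    ip = ipaddress.IPv6Address(addr)
    for net, domain in KNOWN_NETWORKS.items():
        if ip in net:
            return b32(ip.packed[8:]) + "." + domain
    return b32(ip.packed) + "." + GENERIC_DOMAIN

def synth_aaaa(name: str) -> ipaddress.IPv6Address:
    """Matching forward lookup: decode the label and rebuild the address, so forward and
    reverse agree without storing a record for any of the 2^64 hosts."""
    label, _, domain = name.lower().partition(".")
    for net, known in KNOWN_NETWORKS.items():
        if domain == known:
            return ipaddress.IPv6Address(net.network_address.packed[:8] + unb32(label))
    if domain == GENERIC_DOMAIN:
        return ipaddress.IPv6Address(unb32(label))
    raise ValueError("not a synthesized name")
```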
On Dec 5, 2010, at 9:41 PM, Jima wrote:
On 12/5/2010 4:13 PM, John Levine wrote:
In IPv4 land, it is standard to assign matching forward and reverse DNS for every live IP, and a fair number of services treat requests from hosts without rDNS with added scepticism. For consumer networks, it's often something like 12-34-56-78.adsl.incompetent.net, with the numbers being the IP address forward or backwards.
So if every customer gets a /64, what do you do? You can use a wildcard to give the same rDNS to all 2^64 addresses, but you can't do matching forward DNS, since a DNS response with 2^64 AAAA records would be, ah, a little unwieldy.
I thought the same thing, actually, which is why I made my own solution. I ended up writing a DNS server in perl (using Net::DNS::Nameserver) that replies to reverse queries with a reproducible PTR -- generated by encoding the IP in base32. (Or the second half of the IP, in the case of a few "known" networks.) Forward queries for the matching name decode the base32. The host-specific part of the DNS is kind of long (26 characters, or 13 for known networks), but it's marginally shorter than the full IP (which would be 32/16 characters, without separators). I'm pretty happy with the results, but I'd love to hear if anyone's come up with more elegant solutions.
Anyone done this dynamic synthesis w/ bind? DNSSEC thoughts as well? I know this isn't namedroppers, but perhaps someone can post some code or examples, or a link to a webpage with them? - Jared
----- Original Message -----
From: "Jared Mauch" <jared@puck.nether.net>
Anyone done this dynamic synthesis w/ bind? DNSSEC thoughts as well? I know this isn't namedroppers, but perhaps someone can post some code or examples, or a link to a webpage with them?
Earthlink, I believe; DENTS has a module for doing this for reverse DNS. I think it was called DENTS; there's a white paper on it, but it's pretty rough to Google, as you might expect. So far as I can see, they still use it; my sis is an EL cablemodem customer, and her rDNS is algorithmically generated. Cheers, -- jra