How do you do rDNS for IPv6?

I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS
is supposed to work. It's clear enough how you look up any particular
address, but it's not at all clear to me what you put into an rDNS
zone and how you put it there.

In IPv4 land, it is standard to assign matching forward and reverse
DNS for every live IP, and a fair number of services treat requests
from hosts without rDNS with added scepticism. For consumer networks,
it's often something like 12-34-56-78.adsl.incompetent.net, with the
numbers being the IP address forward or backwards.

So if every customer gets a /64, what do you do? You can use a
wildcard to give the same rDNS to all 2^64 addresses, but you can't do
matching forward DNS, since a DNS response with 2^64 AAAA records
would be, ah, a little unwieldy.

When hosts self-configure their low 64 bits, do you install a suitable
PTR and AAAA into your DNS? If so, how? Do you use DHCPv6 and have it
install the DNS? Do you do something else?

Signed,
Confused

Hi John,

> I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS
> is supposed to work. It's clear enough how you look up any particular
> address, but it's not at all clear to me what you put into an rDNS
> zone and how you put it there.

We've already discussed this in April, and answers ranged from "use
dynamic updates" to "not necessary".

Problems lay around table sizes, unnecessary PTR records created, and large
end-user blocks.

There are other useful tips too, including ideas for PowerDNS and BIND.

Thread starts here:
http://www.mail-archive.com/nanog@nanog.org/msg22908.html

> Signed,
> Confused

Kindly,
Felipe

> I've been pondering IPv6 setups, and I don't understand how IPv6 rDNS
> is supposed to work. It's clear enough how you look up any particular
> address, but it's not at all clear to me what you put into an rDNS
> zone and how you put it there.

Pretty much the same thing you put into an IPv4 zone... PTR records.

For example:

owen.delong.com. IN AAAA 2620:0:930::200:2
2.0.0.0.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.9.0.0.0.0.0.0.2.6.2.ip6.arpa. IN PTR owen.delong.com.

> In IPv4 land, it is standard to assign matching forward and reverse
> DNS for every live IP, and a fair number of services treat requests
> from hosts without rDNS with added scepticism. For consumer networks,
> it's often something like 12-34-56-78.adsl.incompetent.net, with the
> numbers being the IP address forward or backwards.

Ah, so you're not talking about assigning to live hosts, you're talking about
the unfortunate habit of assigning to every possible host. Yeah, that trick
doesn't work in IPv6.

> So if every customer gets a /64, what do you do? You can use a
> wildcard to give the same rDNS to all 2^64 addresses, but you can't do
> matching forward DNS, since a DNS response with 2^64 AAAA records
> would be, ah, a little unwieldy.

First, customers should be getting more than a /64. A /64 should be a single
subnet and customers should, ideally, be getting a /48 for each end site.

In general, for the most part, the services that treat missing rDNS with additional
skepticism also treat rDNS entries like 12-34-56-78.adsl.incompetent.net with
that same or greater skepticism, so, I wouldn't worry too much about it.

For hosts where it does matter, you've got to create an AAAA record somehow
(just like you needed to create an A record somehow), so, you should be
able to use that same process to generate the AAAA and PTR records.

> When hosts self-configure their low 64 bits, do you install a suitable
> PTR and AAAA into your DNS? If so, how? Do you use DHCPv6 and have it
> install the DNS? Do you do something else?

If you care, you probably need to use DHCPv6 for this and it should be able
to build both the AAAA and PTR records.

Owen

There was a session at RIPE61 Rome on this very topic.

The summary is:

  wildcard, more specific for all RR when you break out.

http://ripe61.ripe.net/archives/#Thursday

http://ripe61.ripe.net/programme/meeting-plan/dns-agenda/

-George
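The mechanics behind Owen's two records and George's "wildcard, more specific when you break out" summary, as an added Python example written for this page (it is not code from Owen, George or the thread): it derives the ip6.arpa owner name from an address, parses it back, works out the origin of a delegated reverse zone, and renders PTR records relative to that origin. Owen's address and hostname are the ones from his post; the /48, the wildcarded /64 and the generic customer name are constructed values. The refusal to put a specific record inside a wildcarded /64 is the example's own check: a specific owner name creates empty non-terminals, which count as existing names and stop the wildcard from matching the addresses that share them, so a /64 that needs real records should be broken out into its own zone instead.

```python
import ipaddress


def ipv6_to_ptr_name(addr: str) -> str:
    """ip6.arpa owner name of an address: all 32 nibbles of the fully
    expanded address, least significant nibble first, dot separated."""
    ip = ipaddress.IPv6Address(addr)
    nibbles = f"{int(ip):032x}"
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_name_to_ipv6(name: str) -> str:
    """Inverse of ipv6_to_ptr_name; returns the compressed address text."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:
        raise ValueError(f"not a full ip6.arpa name: {name}")
    return str(ipaddress.IPv6Address(int("".join(reversed(labels[:-2])), 16)))


def reverse_zone_origin(prefix: str) -> str:
    """Owner name of the reverse zone for a prefix, e.g. 2620:0:930::/48
    -> 0.3.9.0.0.0.0.0.0.2.6.2.ip6.arpa. ip6.arpa is delegated on 4-bit
    boundaries, so the prefix length must be a multiple of 4."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa zones are cut on nibble boundaries")
    nibbles = f"{int(net.network_address):032x}"[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def relative_owner(name: str, origin: str) -> str:
    """Strip the zone origin so a name can be written relative to $ORIGIN."""
    if name == origin:
        return "@"
    suffix = "." + origin
    if not name.endswith(suffix):
        raise ValueError(f"{name} is not inside {origin}")
    return name[: -len(suffix)]


def zone_fragment(zone_prefix: str, hosts: dict, wildcards: dict = None) -> str:
    """Render a reverse-zone fragment for zone_prefix.

    hosts:     {address: fqdn} -> one PTR per address (the specific records)
    wildcards: {subnet: fqdn}  -> one wildcard PTR per subnet, so every
               address in that subnet answers with the generic name
    Anything outside the zone is rejected, and so is a specific record
    inside a wildcarded subnet: its empty non-terminals would stop the
    wildcard from matching neighbouring addresses (break that /64 out
    into its own zone instead)."""
    zone = ipaddress.IPv6Network(zone_prefix, strict=True)
    origin = reverse_zone_origin(zone_prefix)
    wildcards = wildcards or {}
    lines = [f"$ORIGIN {origin}"]
    for subnet, target in wildcards.items():
        sub = ipaddress.IPv6Network(subnet, strict=True)
        if not sub.subnet_of(zone):
            raise ValueError(f"{subnet} is outside {zone_prefix}")
        owner = relative_owner(reverse_zone_origin(subnet), origin)
        owner = "*" if owner == "@" else f"*.{owner}"
        lines.append(f"{owner} IN PTR {target}")
    for addr, target in hosts.items():
        ip = ipaddress.IPv6Address(addr)
        if ip not in zone:
            raise ValueError(f"{addr} is outside {zone_prefix}")
        for subnet in wildcards:
            if ip in ipaddress.IPv6Network(subnet):
                raise ValueError(f"{addr} lies under the wildcard for {subnet}; "
                                 "break that subnet out into its own zone")
        lines.append(f"{relative_owner(ipv6_to_ptr_name(addr), origin)} IN PTR {target}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Owen's records from the post, plus a constructed /64 that gets a wildcard.
    print(ipv6_to_ptr_name("2620:0:930::200:2"))
    print(zone_fragment("2620:0:930::/48",
                        {"2620:0:930::200:2": "owen.delong.com."},
                        {"2620:0:930:1::/64": "generic.customer.example.net."}))
```

Running it prints Owen's PTR owner name and a fragment whose host line is the 20 nibbles of the address that lie below the /48 origin, with `*.1.0.0.0` answering for the rest of the wildcarded /64.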

Unless you use privacy extensions, the advantage of IPv6 over IPv4 is that the IP address is built based on your network and the MAC address of the interface, so it is not a random number changed at every connection....

I guess when you provision the machine, you can install the AAAA and PTR record and then also put the mac address in your access lists...

I thought the same thing, actually, which is why I made my own solution. I ended up writing a DNS server in perl (using Net::DNS::Nameserver) that replies to reverse queries with a reproducible PTR -- generated by encoding the IP in base32. (Or the second half of the IP, in the case of a few "known" networks.) Forward queries for the matching name decode the base32.

The host-specific part of the DNS is kind of long (26 characters, or 13 for known networks), but it's marginally shorter than the full IP (which would be 32/16 characters, without separators). I'm pretty happy with the results, but I'd love to hear if anyone's come up with more elegant solutions.

      Jima
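A model of the synthesis Jima describes, added here as an example; it is not Jima's Perl/Net::DNS::Nameserver code, and the suffix domain, the "known" /64 and its subdomain label are constructed placeholders. It reproduces the label lengths from the post (26 base32 characters for the whole 128-bit address, 13 for the 64-bit host half of a known network) and shows the two halves of the loop: the reverse side turns the ip6.arpa query name into a PTR target without any stored zone data, and the forward side only hands back an AAAA for names that decode cleanly, returning nothing for anything else so the synthesizer cannot be made to "confirm" arbitrary names.

```python
import base64
import ipaddress

# Constructed values for this example; the post does not give Jima's own
# domain names or prefixes.
SUFFIX = "dyn.example.net."
# "Known" /64s get their own subdomain, so only the 64-bit interface
# identifier is encoded: 13 base32 characters instead of 26.
KNOWN_NETWORKS = {"2001:db8:1::/64": "net1"}


def b32(data: bytes) -> str:
    """Base32 without the '=' padding, lowercased (DNS names are case-insensitive)."""
    return base64.b32encode(data).decode().rstrip("=").lower()


def unb32(label: str) -> bytes:
    """Inverse of b32: restore the padding base64.b32decode insists on.
    Characters outside the base32 alphabet raise binascii.Error, a ValueError."""
    label = label.upper()
    return base64.b32decode(label + "=" * (-len(label) % 8))


def synthesize_ptr(addr: str) -> str:
    """Reproducible PTR target for any address, derived from the address alone."""
    ip = ipaddress.IPv6Address(addr)
    for net, label in KNOWN_NETWORKS.items():
        if ip in ipaddress.IPv6Network(net):
            return f"{b32(ip.packed[8:])}.{label}.{SUFFIX}"   # host half: 13 chars
    return f"{b32(ip.packed)}.{SUFFIX}"                        # whole address: 26 chars


def answer_ptr_query(qname: str) -> str:
    """What the reverse side returns for the ip6.arpa name a resolver asks for."""
    nibbles = qname.lower().rstrip(".").split(".")[:-2]   # drop "ip6", "arpa"
    if len(nibbles) != 32:
        raise ValueError(f"not a full ip6.arpa name: {qname}")
    addr = ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    return synthesize_ptr(str(addr))


def resolve_forward(name: str):
    """AAAA side: decode a name synthesize_ptr produced, or return None when
    it is not one (wrong suffix, wrong label count or length, bad characters)."""
    name = name.lower()
    if not name.endswith("." + SUFFIX):
        return None
    labels = name[: -len(SUFFIX) - 1].split(".")
    try:
        if len(labels) == 1 and len(labels[0]) == 26:
            return str(ipaddress.IPv6Address(unb32(labels[0])))
        if len(labels) == 2 and len(labels[0]) == 13:
            nets = [n for n, lab in KNOWN_NETWORKS.items() if lab == labels[1]]
            if nets:
                prefix = ipaddress.IPv6Network(nets[0]).network_address.packed[:8]
                return str(ipaddress.IPv6Address(prefix + unb32(labels[0])))
    except ValueError:
        return None
    return None


if __name__ == "__main__":
    for a in ("2001:db8:1::1", "2001:db8::5"):
        name = synthesize_ptr(a)
        print(a, "->", name, "->", resolve_forward(name))
```

Base32 packs five bits per character, which is where 26 and 13 come from (128/5 and 64/5, rounded up); the trailing bits of the last character are always zero for a genuine name, and a 13-character label only decodes against the /64 its subdomain label names, so a label copied under the wrong subdomain yields a different address rather than a spoofed match.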

That answer presumes an enterprise environment. The question was from the perspective of a residential ISP.

I don't think most residential ISPs would regard provisioning individual customer machines as a scalable solution.

Owen

Yeah, PowerDNS already supports generating AAAA/PTR on the fly. I'm more of the opinion that generic hosts shouldn't have rDNS, but that will depend on banks and other institutions who sometimes make it a requirement.

Jack

Anyone done this dynamic synthesis w/ BIND? DNSSEC thoughts as well? I know this isn't namedroppers, but perhaps someone can post some code or examples, or a link to a webpage with them?

- Jared

Earthlink, I believe; DENTS has a module for doing this for reverse DNS.

I think it was called DENTS; there's a white paper on it, but it's pretty
rough to Google, as you might expect.

So far as I can see, they still use it; my sis is an EL cablemodem customer,
and her rDNS is algorithmically generated.

Cheers,
-- jra