Reverse DNS for IPv6 client networks

Hi guys,

I am looking for operational experience here.

We have just turned up IPv6 in our "guest wireless", by way of using RA
for address distribution and DHCPv6 for the DNS server address (stupid, yup).

Apart from the dhcp6 part seemingly not working on Juniper ISGs (or maybe it's
my windows *and* that Ubuntu), I now see IPv6 addresses instead of names.

I as a networking droid have not much quarrel with that, but I am interested
in how or whether at all others handle this.

Are you creating DNS entries somehow (reverse and, ultimately, forward),
are you using BIND "generate" statements, are you using wildcards...or
are you just ignoring this for the "dynamic boxes"?

Please enlighten me!

Elmar.


Unfortunately not a lot of gear understands RFC5006 yet. One can opt
though to just use DHCPv4 for DNS/IPv4 and RA for the IPv6 address, that
is how most setups work; you don't get DNS over IPv6, but who truly
cares about that? IPv4 works fine too.


It all depends on the environment and why one would want to enable
reverse DNS. Do 'guests' really need reverse DNS, and if so, how would
you control what those guests get in there?

Instead of handpicking names or letting people insert data into your DNS
servers, some people are deploying PowerDNS with custom backends for
this that either convert the IPv6 address into a 128bit hex number,
optionally stripping the first 64 bits and replacing that with 'autogen'
or 'wlan-' or similar. Something else that I have seen is that the
backend randomly picks a name from a dictionary and then assigns that
'statically' to that address.

I personally only put hosts in reverse DNS that re-appear more than once.

Jeroen


I wildcarded the subnets that we use for dynamic assignments. statically
assigned hosts get statically assigned reverse entries.

As I repaired my adaptation of Wichert Modderman's PowerDNS ipv6
forward/reverse walldns-style backend just yesterday, this is probably
the right moment to share it [1] with you.
It works with netaddr [2] > 0.7; however, beware of an odd issue [3] with
PowerDNS and python's sys.platform.

The good thing about PowerDNS is that it is modular, so you can run several
backends and types of backends at once, which will get exhausted for queries in
the order they are specified. [4]
With a pipebackend such as the aforementioned being called _after_ your
regular authoritative backend, you can have customized records for certain
ipv6 addresses in your ranges while still providing a consistent mapping of
forward and reverse records for the gazillions of ipv6 addresses.

$ dig @mandelbrot.zaphods.net -x 2001:67c:1400:1220::af +short
node-4v.ipv6.zaphods.net.
$ dig @mandelbrot.zaphods.net aaaa node-4v.ipv6.zaphods.net +short
2001:67c:1400:1220::af

  Stefan

[1] http://zaphods.net/~zaphodb/pdns-ipv6-reverse-backend.py
[2] http://code.google.com/p/netaddr/
[3] http://code.google.com/p/netaddr/issues/detail?id=59
[4] http://doc.powerdns.com/modules.html
[5] http://wiki.powerdns.com/trac

PS: find the powerdns community [5] on #powerdns @ irc.oftc.net
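Jeroen's "hex of the address with the prefix swapped for a label" scheme and Stefan's point about a pipe backend answering behind the regular authoritative backend can be seen together in the sketch below. It is an added example for this thread, not Stefan's backend [1] and not code shipped with PowerDNS. It assumes a documentation prefix 2001:db8:1234::/48 and a forward zone ipv6.example.net (both made up here), speaks pipe ABI version 1 (HELO, then Q lines answered with DATA/END over stdin/stdout), and computes every PTR and AAAA instead of storing it.

```python
#!/usr/bin/env python3
"""Stateless IPv6 reverse/forward generator shaped as a PowerDNS pipe backend
(pipe ABI version 1). Added example for the thread; not Stefan's backend and
not PowerDNS code. PREFIX and FORWARD_ZONE are assumed values."""
import io
import ipaddress
import sys

PREFIX = ipaddress.IPv6Network("2001:db8:1234::/48")   # assumed
FORWARD_ZONE = "ipv6.example.net"                      # assumed
LABEL = "autogen-"                                     # Jeroen's 'autogen' idea
TTL = 3600
HEXDIGITS = "0123456789abcdef"

assert PREFIX.prefixlen % 4 == 0, "ip6.arpa zones cut on nibble boundaries"
HOST_HEX = (128 - PREFIX.prefixlen) // 4               # hex digits below the prefix
# Reverse zone of the prefix: the last prefixlen/4 nibble labels of ip6.arpa.
REVERSE_ZONE = ".".join(
    PREFIX.network_address.reverse_pointer.split(".")[32 - PREFIX.prefixlen // 4:])


def addr_to_name(addr):
    """2001:db8:1234:1220::af -> autogen-122000000000000000af.ipv6.example.net"""
    a = ipaddress.IPv6Address(str(addr))
    if a not in PREFIX:
        return None
    host = int(a) - int(PREFIX.network_address)
    return f"{LABEL}{host:0{HOST_HEX}x}.{FORWARD_ZONE}"


def name_to_addr(qname):
    """Inverse of addr_to_name; None for anything not in the generated shape."""
    q = qname.lower().rstrip(".")
    suffix = "." + FORWARD_ZONE
    if not q.endswith(suffix) or not q[:-len(suffix)].startswith(LABEL):
        return None
    hexpart = q[len(LABEL):-len(suffix)]
    if len(hexpart) != HOST_HEX or any(c not in HEXDIGITS for c in hexpart):
        return None
    return ipaddress.IPv6Address(int(PREFIX.network_address) | int(hexpart, 16))


def ptr_owner_to_addr(qname):
    """32 nibble labels under ip6.arpa -> IPv6Address, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 34 or labels[32:] != ["ip6", "arpa"]:
        return None
    nibbles = labels[:32][::-1]
    if any(len(n) != 1 or n not in HEXDIGITS for n in nibbles):
        return None
    return ipaddress.IPv6Address(int("".join(nibbles), 16))


def answer(qname, qtype):
    """Records (qname, type, content) for one question; ANY gets both views."""
    q = qname.rstrip(".")
    records = []
    if qtype in ("PTR", "ANY"):
        a = ptr_owner_to_addr(q)
        if a is not None and a in PREFIX:
            records.append((q, "PTR", addr_to_name(a)))
    if qtype in ("AAAA", "ANY"):
        a = name_to_addr(q)
        if a is not None:
            records.append((q, "AAAA", str(a)))
    return records


def serve(inp, out):
    """Pipe ABI 1: HELO handshake, then one END-terminated reply per Q/AXFR line.
    SOA/NS of both zones stay in the regular backend that PowerDNS asks first."""
    def emit(line):
        out.write(line + "\n")
        out.flush()
    if not inp.readline().startswith("HELO\t1"):
        emit("FAIL")
        return
    emit("OK\tstateless ipv6 backend")
    for line in inp:
        parts = line.rstrip("\n").split("\t")
        if parts[0] == "Q" and len(parts) >= 6:
            qname, qclass, qtype, qid = parts[1:5]
            for name, rtype, content in answer(qname, qtype):
                emit(f"DATA\t{name}\t{qclass}\t{rtype}\t{TTL}\t{qid}\t{content}")
        emit("END")   # also the reply to AXFR: we will not enumerate 2**80 names


def run_session(script):
    """Feed a scripted conversation to serve() and return the reply lines."""
    out = io.StringIO()
    serve(io.StringIO(script), out)
    return out.getvalue().splitlines()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Hooked in with launch=<your regular backend>,pipe and pipe-command pointing at the script, the regular backend keeps the SOA/NS and any hand-picked records, and only names it has no answer for fall through to the generated mapping, which is the ordering Stefan describes. The decoder is strict on purpose: a wrong digit count, a non-hex character or an owner outside the prefix yields no record rather than a guessed one.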

About a year ago I spent half an hour hacking together base36 and RFC 2289
stateless DNS for IPv6. I'm not making any statements on its sensibility or
lack of it. I don't use it myself, as we aren't that far in our IPv6
deployment that we need to think about the problem.

[ytti@lintukoto ~]% dig -x c001:dead::babe @62.236.255.181 +short
bd80m2ztp38uc3l76b06mk33y.ip.fi.
[ytti@lintukoto ~]% dig -x c001:dead::babe @62.236.255.182 +short
mudd-do-lava-0-off-bit.ip.fi.
[ytti@lintukoto ~]% dig bd80m2ztp38uc3l76b06mk33y.ip.fi. AAAA @62.236.255.181 +short
c001:dead::babe
[ytti@lintukoto ~]% dig mudd-do-lava-0-off-bit.ip.fi. AAAA @62.236.255.182 +short
c001:dead::babe
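The two name shapes in the dig output above (25 base36 digits for the whole address, and a word list for the host part) are both fixed-radix encodings of an integer, which is what makes them stateless: the name decodes back to the address with no database. The block below is an added example for this thread, not Saku's code; its 64-entry word list and the zone names are constructed for the example, and RFC 2289's real list (2048 words, 11 bits each) would drop in the same way.

```python
#!/usr/bin/env python3
"""Stateless base36 and word-list encodings of IPv6 addresses.
Added example for the thread, not Saku's implementation.
WORDS is a constructed 64-entry list; RFC 2289's has 2048 words."""
import ipaddress

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"
BASE36_WIDTH = 25          # 36**24 < 2**128 < 36**25, so 25 digits cover any address
WORDS = (                  # constructed: 64 distinct words, none containing '-'
    "ace add ado aft age aid aim air ale all amp and ant ape apt arc "
    "are ark arm art ash ask awe axe bad bag ban bar bat bay bed bee "
    "beg bet bid big bin bit boa bog bow box boy bud bug bun bus but "
    "buy cab cam can cap car cat cog cot cow cry cub cup cut dab dam"
).split()
WORD_WIDTH = 11            # 64**11 = 2**66 > 2**64: 11 six-bit words per interface id
assert len(WORDS) == len(set(WORDS)) == 64


def encode(value, symbols, width):
    """Fixed-width, most-significant-first digits of value in base len(symbols)."""
    base = len(symbols)
    if not 0 <= value < base ** width:
        raise ValueError("value does not fit in the chosen width")
    digits = []
    for _ in range(width):
        value, rem = divmod(value, base)
        digits.append(symbols[rem])
    return digits[::-1]


def decode(digits, symbols, width):
    """Inverse of encode; None if the digit count or any symbol is wrong."""
    if len(digits) != width:
        return None
    index = {s: i for i, s in enumerate(symbols)}
    value = 0
    for d in digits:
        if d not in index:
            return None
        value = value * len(symbols) + index[d]
    return value


def addr_to_base36(addr):
    """Whole 128-bit address as one 25-character label."""
    return "".join(encode(int(ipaddress.IPv6Address(addr)), BASE36, BASE36_WIDTH))


def base36_to_addr(label):
    value = decode(list(label.lower()), BASE36, BASE36_WIDTH)
    return None if value is None else ipaddress.IPv6Address(value)


def iid_to_words(addr):
    """Only the low 64 bits (interface id) as hyphen-joined words: a per-/64
    reverse zone already knows the prefix, so the name need not carry it."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return "-".join(encode(iid, WORDS, WORD_WIDTH))


def words_to_addr(label, net):
    """Put the decoded interface id back under net (an IPv6Network of length 64)."""
    net = ipaddress.IPv6Network(net)
    if net.prefixlen != 64:
        raise ValueError("word names cover the interface id of one /64")
    iid = decode(label.lower().split("-"), WORDS, WORD_WIDTH)
    if iid is None or iid >> 64:          # 11 words carry 66 bits; reject overflow
        return None
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def label_ok(label):
    """A generated name must fit a single DNS label (RFC 1035: 63 octets max)."""
    return 0 < len(label) <= 63
```

The width constants are the whole trick: pad to a fixed digit count and a name is unambiguous, so the reverse lookup can never return a record for a name the forward side would not have produced. With the real 2048-word list a 64-bit interface id takes six words; the constructed 3-letter list needs eleven, which is why label_ok is there.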

I would strongly discourage $GENERATE statements... You won't have enough
memory or even disk space to hold the results.

I think the choices are either live with numbers, use a wildcard, or use dynamic
DNS name registration.

Owen

I haven't had my coffee yet this morning, so I may be misunderstanding
you... I think you're asking for some way for your v6 subnet to both
have proper forward and reverse DNS, right? If so, I personally find
http://member.wide.ad.jp/~fujiwara/v6rev.html very useful.

If you run a "normal" DNS server on the same IP, it probably will be
hard to get it working. But, if you don't, it's pretty easy. You'd want
to get v6rev.pl from the page above.

Here is my config example:
server_address: 0.0.0.0, 2001:470:892c:3432::1
server_port: 53
pid_file: /var/run/v6rev.pid
reconfig_interval: 3600
reverse_domainname: c.2.9.8.0.7.4.0.1.0.0.2.ip6.arpa
#/48 tbroker home
reverse_domainname: 1.0.8.c.0.7.4.0.1.0.0.2.ip6.arpa
#/48 tbroker work
forward_domainname: dyn.harry.lu
keyfile_dir: /home/v6rev/keys
ttl: 3600
nsname: dyn.harry.lu
enable_dnssec: 0
querylog: 1
static_ptr: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.3.4.3.c.2.9.8.0.7.4.0.1.0.0.2.ip6.arpa harry.lu
static_ptr: 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.8.c.0.7.4.0.1.0.0.2.ip6.arpa staticsample.harry.lu

Now, if you check the forward and reverse DNS entries for the subnets
you defined in reverse_domainname:

$ dig -x 2001:470:892c::7 +short
20010470892c00000000000000000007.dyn.harry.lu.
$ dig AAAA 20010470892c00000000000000000007.dyn.harry.lu +short
2001:470:892c::7

Pretty cool, eh? You can also add in your own static ones on the same
subnet using static_ptr.

However, I bet I totally misunderstood your question!
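The reverse_domainname and static_ptr values in Harry's config are where a nibble-order slip goes unnoticed until lookups silently miss, so here is a small checker for them. It is an added example for this thread and not part of v6rev; the sample config is built from the lines Harry posted, and the functions only derive zone names from prefixes, render static_ptr lines, and verify that every static_ptr owner sits under a declared reverse_domainname.

```python
#!/usr/bin/env python3
"""Sanity checks for a v6rev.pl-style config: derive reverse_domainname from a
prefix, render static_ptr lines, and flag static_ptr owners outside the
declared reverse zones. Added example, not v6rev code; SAMPLE_CONFIG is
constructed from the lines posted in the thread."""
import ipaddress

HEXDIGITS = "0123456789abcdef"

SAMPLE_CONFIG = """\
reverse_domainname: c.2.9.8.0.7.4.0.1.0.0.2.ip6.arpa
#/48 tbroker home
reverse_domainname: 1.0.8.c.0.7.4.0.1.0.0.2.ip6.arpa
#/48 tbroker work
forward_domainname: dyn.harry.lu
static_ptr: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.3.4.3.c.2.9.8.0.7.4.0.1.0.0.2.ip6.arpa harry.lu
static_ptr: 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.8.c.0.7.4.0.1.0.0.2.ip6.arpa staticsample.harry.lu
"""


def reverse_zone(prefix):
    """2001:470:892c::/48 -> c.2.9.8.0.7.4.0.1.0.0.2.ip6.arpa (nibble-aligned only)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("an ip6.arpa zone cut needs a prefix length divisible by 4")
    labels = net.network_address.reverse_pointer.split(".")
    return ".".join(labels[32 - net.prefixlen // 4:])


def static_ptr_line(addr, name):
    """Render one static_ptr line; reverse_pointer does the nibble reversal."""
    return f"static_ptr: {ipaddress.IPv6Address(addr).reverse_pointer} {name}"


def parse_config(text):
    """'key: value' lines, keys repeatable, '#' and blank lines ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries.append((key.strip(), value.strip()))
    return entries


def check_static_ptrs(text):
    """One message per static_ptr that is malformed or whose owner lies outside
    every reverse_domainname (the server would never be asked for it)."""
    entries = parse_config(text)
    zones = [v.lower() for k, v in entries if k == "reverse_domainname"]
    problems = []
    for key, value in entries:
        if key != "static_ptr":
            continue
        owner, _, name = value.partition(" ")
        labels = owner.lower().split(".")
        malformed = (len(labels) != 34 or labels[32:] != ["ip6", "arpa"] or not name
                     or any(len(n) != 1 or n not in HEXDIGITS for n in labels[:32]))
        if malformed:
            problems.append(f"malformed static_ptr: {value}")
        elif not any(owner.lower().endswith("." + z) for z in zones):
            problems.append(f"{owner} is outside every reverse_domainname")
    return problems


if __name__ == "__main__":
    print(reverse_zone("2001:470:892c::/48"))
    print(static_ptr_line("2001:470:892c:3432::1", "harry.lu"))
    print(check_static_ptrs(SAMPLE_CONFIG) or "static_ptr entries all inside declared zones")
```

Generating the config lines from addresses rather than typing 32 nibbles by hand removes the usual error, and the suffix check catches the other common one: a static_ptr for a prefix that was never listed as a reverse_domainname.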

Re Harry, Owen and all the others,

first, thank you for your feedback. Seems there is no real
consensus, but people are leaning more towards "if it's dynamic,
forget rDNS".

The PowerDNS solution looks nice to me (alas, another chunk of
software the system droids would have to maintain). I am also
always fond of homegrown scripts that get the job done.

And yes, Harry...

I've written an internet-draft on the subject:

The latest update was to add a Recommendations section:
The best option is for ISPs to delegate authority along with address
delegation. Where users do not operate authoritative name servers,
the next best option is dynamic DNS updates. Where dynamic DNS is
impractical, the next best option is to dynamically generate PTR
records when queried.

In other words, when you do prefix delegation to a residential
customer, generate records on the fly. Ask your DNS vendor to
show you how. Wildcards work if all you want is a non-null response.

I'm looking for support or opposition to this. I just can't see any
better way to do it.

Lee

From: Elmar K. Bins [mailto:elmi@4ever.de]
Sent: Tuesday, September 14, 2010 8:28 AM
To: nanog@nanog.org
Subject: Reverse DNS for IPv6 client networks
