Mailing List Archive: nsp: ipv6

PTR records for v6 hosts



sethm at rollernet

Aug 30, 2009, 11:42 AM

Post #1 of 23
PTR records for v6 hosts

I'm curious as to how everyone is doing PTR records in DNS for their v6
hosts. Are you just letting autoconf hosts go without? Do you manually
create one once you know what its autoconf address will be? Or do you
use DHCP with a predefined pool that's easy to create a PTR range for?

~Seth


ron at spawar

Aug 30, 2009, 12:11 PM

Post #2 of 23
Re: PTR records for v6 hosts

On Aug 30, 2009, at 8:42 AM, Seth Mattinen wrote:

> I'm curious as to how everyone is doing PTR records in DNS for their
> v6
> hosts. Are you just letting autoconf hosts go without? Do you manually
> create one once you know what it's autoconf address will be? Or do you
> use DHCP with a predefined pool that's easy to create a PTR range for?

We wrote a tool that regularly polls the routers, grabs the ARP and ND
tables (using appropriate snmp MIBs), looks for all the global unicast
IPv6 addresses in the list, and then using their MAC address we map to
the associated IPv4 address, then use that to look up the IPv4 PTR
record in DNS, then use that to build an IPv6 PTR record and use
dynamic DNS update to update the zone (with various optimizations such
as caching, garbage collection, etc). That works well for us
(dealing with thousands of v6 hosts on our net), although there are
challenges with differences in how each vendor implements the v6 MIBs,
and churn from those horrible privacy/temporary addresses [RFCs 3041,
4941] that all Microsoft OSes enable by default. This, of
course, is assuming each host has some amount of IPv4 and IPv6
activity, but in reality it works just fine over time.

--Ron
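The pipeline Ron describes (ND table -> MAC -> ARP table -> IPv4 PTR -> IPv6 PTR -> dynamic update), as an added example that is not Ron's tool and not any vendor's code. The SNMP walks and the IPv4 PTR lookup are replaced by constructed sample rows so it runs offline; all MACs, addresses and names below are assumptions. It also handles two cases the thread raises: RFC 4941 temporary addresses are skipped unless asked for, and a global address whose MAC has no IPv4 neighbour (an IPv6-only host) is reported as unmapped instead of silently dropped.

```python
"""Derive IPv6 PTR records from router neighbour tables (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-ins for SNMP walks of a router's ND and ARP tables.
ND_TABLE: List[Tuple[str, str]] = [  # (MAC, IPv6 neighbour)
    ("00:1a:73:50:28:34", "2001:db8::21a:73ff:fe50:2834"),  # EUI-64 derived
    ("00:1a:73:50:28:34", "fe80::21a:73ff:fe50:2834"),       # link-local, ignored
    ("00:1a:73:50:28:34", "2001:db8::d4c1:9a0e:3b7f:1f20"),  # RFC 4941 temporary
    ("00:24:e8:11:22:33", "2001:db8::224:e8ff:fe11:2233"),   # host with no IPv4
]
ARP_TABLE: Dict[str, str] = {"00:1a:73:50:28:34": "192.0.2.10"}
IPV4_PTR: Dict[str, str] = {"192.0.2.10": "ws10.example.com."}  # PTR lookup

ULA = ipaddress.IPv6Network("fc00::/7")


def is_global_unicast(addr: ipaddress.IPv6Address) -> bool:
    """Keep only addresses worth a PTR.  Not IPv6Address.is_global: Python
    classifies the 2001:db8::/32 documentation prefix as non-global."""
    return not (addr.is_link_local or addr.is_multicast or addr.is_loopback
                or addr.is_unspecified or addr in ULA)


def is_eui64(addr: ipaddress.IPv6Address) -> bool:
    """True when the interface identifier carries the ff:fe marker of a
    modified EUI-64, i.e. it is stable and MAC-derived rather than random."""
    iid = int(addr) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def build_ptrs(nd, arp, ptr4, include_temporary=False):
    """MAC -> IPv4 -> IPv4 PTR name -> IPv6 PTR.  Returns (records, unmapped):
    records maps ip6.arpa owner names to host names; unmapped lists global
    addresses whose MAC has no IPv4 neighbour, which this scheme cannot name."""
    records: Dict[str, str] = {}
    unmapped: List[str] = []
    for mac, text in nd:
        addr = ipaddress.IPv6Address(text)
        if not is_global_unicast(addr):
            continue
        if not include_temporary and not is_eui64(addr):
            continue  # temporary addresses churn; skipping them limits update noise
        ipv4 = arp.get(mac.lower())
        name = ptr4.get(ipv4) if ipv4 else None
        if name is None:
            unmapped.append(str(addr))
            continue
        records[addr.reverse_pointer + "."] = name
    return records, unmapped


def nsupdate_commands(server, zone, records, previous=None, ttl=3600):
    """Render an RFC 2136 batch for nsupdate.  Owners present on the previous
    run but absent now are deleted (the garbage collection Ron mentions)."""
    lines = [f"server {server}", f"zone {zone}"]
    for owner in sorted(set(previous or {}) - set(records)):
        lines.append(f"update delete {owner} PTR")
    for owner, name in sorted(records.items()):
        lines.append(f"update delete {owner} PTR")  # replace, never accumulate
        lines.append(f"update add {owner} {ttl} PTR {name}")
    lines.append("send")
    return lines


if __name__ == "__main__":
    recs, missing = build_ptrs(ND_TABLE, ARP_TABLE, IPV4_PTR)
    print("\n".join(nsupdate_commands("ns1.example.com",
                                      "8.b.d.0.1.0.0.2.ip6.arpa", recs)))
    for a in missing:
        print(f"# no IPv4 mapping for {a}; needs another naming source")
```

Feeding the printed batch to nsupdate with a TSIG key is the "dynamic DNS update" step; keeping the previous run's records on disk and passing them as `previous` is what turns the batch into a reconciliation rather than an append-only stream.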


stig at venaas

Aug 30, 2009, 4:26 PM

Post #3 of 23
Re: PTR records for v6 hosts

Hi Ron

Ron Broersma wrote:
>
> On Aug 30, 2009, at 8:42 AM, Seth Mattinen wrote:
>
>> I'm curious as to how everyone is doing PTR records in DNS for their v6
>> hosts. Are you just letting autoconf hosts go without? Do you manually
>> create one once you know what it's autoconf address will be? Or do you
>> use DHCP with a predefined pool that's easy to create a PTR range for?
>
> We wrote a tool that regularly polls the routers, grabs the ARP and ND
> tables (using appropriate snmp MIBs), looks for all the global unicast
> IPv6 addresses in the list, and then using their MAC address we map to
> the associated IPv4 address, then use that to look up the IPv4 PTR
> record in DNS, then use that to build an IPv6 PTR record and use dynamic
> DNS update to update the zone (with various optimizations such as
> caching, garbage collection, etc). That works well for us (dealing

I've written the exact same tool :)

Stig

> with thousands of v6 hosts on our net), although there are challenges
> with differences in how each vendor implements the v6 MIBs, and churn
> from those horrible privacy/temporary addresses [RFCs 3041, 4941] that
> that all Microsoft OS's enable by default). This, of course, is
> assuming each host has some amount of IPv4 and IPv6 activity, but in
> reality it works just fine over time.
>
> --Ron
>


martin at airwire

Aug 31, 2009, 12:14 AM

Post #4 of 23
Re: PTR records for v6 hosts

Seth Mattinen wrote:
> I'm curious as to how everyone is doing PTR records in DNS for their v6
> hosts. Are you just letting autoconf hosts go without? Do you manually
> create one once you know what it's autoconf address will be? Or do you
> use DHCP with a predefined pool that's easy to create a PTR range for?

We let our DNS create hostnames (ptr and aaaa) on the fly/dynamically,
based on a prefix pattern. For that we used powerdns and the pipe backend.

I didn't feel like generating tons of zone files.

Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobail an Iarthair
http://www.airwire.ie
Phone: 091-865 968


Sam.Wilson at ed

Aug 31, 2009, 2:08 AM

Post #5 of 23
Re: PTR records for v6 hosts

On 31 Aug 2009, at 00:26, Stig Venaas wrote:

> Ron Broersma wrote:
>> We wrote a tool ...
>
> I've written the exact same tool :)

So which release of BIND will have this in the contrib directory?
(Unless I've missed it already, of course.)

:-)

Sam

--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


bjorn at mork

Aug 31, 2009, 2:41 AM

Post #6 of 23
Re: PTR records for v6 hosts

Ron Broersma <ron [at] spawar> writes:

> We wrote a tool that regularly polls the routers, grabs the ARP and ND
> tables (using appropriate snmp MIBs), looks for all the global unicast
> IPv6 addresses in the list, and then using their MAC address we map to
> the associated IPv4 address, then use that to look up the IPv4 PTR
> record in DNS, then use that to build an IPv6 PTR record and use
> dynamic DNS update to update the zone (with various optimizations such
> as caching, garbage collection, etc). That works well for us
> (dealing with thousands of v6 hosts on our net), although there are
> challenges with differences in how each vendor implements the v6 MIBs,
> and churn from those horrible privacy/temporary addresses [RFCs 3041,
> 4941] that that all Microsoft OS's enable by default). This, of
> course, is assuming each host has some amount of IPv4 and IPv6
> activity, but in reality it works just fine over time.

Nice solution for dual stack hosts. But how do you plan to support IPv6
only hosts?

And does anyone have a proposal that would fit an ISP environment? Let's
say you use DHCP-PD to delegate a prefix to a customer, who is in full
control of his own "residential gateway" so you can't look up his
neighbour table. What do you do?

- Delegate the reverse zone to the customer? Most won't have a clue
what to do with it.
- Provide a DDNS solution for the customer and not care whether they use
it or not? Most won't use it.
- Set up an IPv6 "walldns" (to borrow terminology from DJB)? I don't
really see the point. How is a pointer record like
x20010db800000000021a73fffe502834.example.com better than just not
having a pointer?




Bjørn


lionel at mamane

Aug 31, 2009, 2:53 AM

Post #7 of 23
Re: PTR records for v6 hosts

On Mon, Aug 31, 2009 at 11:41:32AM +0200, Bjørn Mork wrote:
> Ron Broersma <ron [at] spawar> writes:

>> We wrote a tool that regularly polls the routers, grabs the ARP and
>> ND tables (using appropriate snmp MIBs), looks for all the global
>> unicast IPv6 addresses in the list, and then using their MAC
>> address we map to the associated IPv4 address, then use that to
>> look up the IPv4 PTR record in DNS, then use that to build an IPv6
>> PTR record (...)

> And does anyone have a proposal that would fit an ISP environment? Lets
> say you use DHCP-PD to delegate a prefix to a customer, who is in full
> control of his own "residential gateway" so you can't look up his
> neigbour table. What do you do?

Well, given how few "residential gateway"s have a decent support for
IPv6 anyway...

> - Delegate the reverse zone to the customer? Most won't have a clue
> what to do with it.

I can imagine that once IPv6 support has "settled in", that will be
the standard solution, supported by most residential gateways.

--
Lionel


martin at airwire

Aug 31, 2009, 3:07 AM

Post #8 of 23
Re: PTR records for v6 hosts

Lionel Elie Mamane wrote:
> On Mon, Aug 31, 2009 at 11:41:32AM +0200, Bjørn Mork wrote:
>> Ron Broersma <ron [at] spawar> writes:
>
>>> We wrote a tool that regularly polls the routers, grabs the ARP and
>>> ND tables (using appropriate snmp MIBs), looks for all the global
>>> unicast IPv6 addresses in the list, and then using their MAC
>>> address we map to the associated IPv4 address, then use that to
>>> look up the IPv4 PTR record in DNS, then use that to build an IPv6
>>> PTR record (...)
>
>> And does anyone have a proposal that would fit an ISP environment? Lets
>> say you use DHCP-PD to delegate a prefix to a customer, who is in full
>> control of his own "residential gateway" so you can't look up his
>> neigbour table. What do you do?
>
> Well, given how few "residential gateway"s have a decent support for
> IPv6 anyway...


With that attitude, you'll never get IPv6 to residential customers
deployed!!


>> - Delegate the reverse zone to the customer? Most won't have a clue
>> what to do with it.
>
> I can imagine that once IPv6 support has "settled in", that will be
> the standard solution, supported by most residential gateways.


A resolution is only found when the ISPs start to develop it. Until
now, the majority of the market has been sitting for 10 years doing
nothing, waiting to see what everybody else is doing. That's why we're in
this situation in the first place.

To come back to the DNS solution, we hand out a PTR/AAAA record for all
IPv6 addresses (example ptr-1.mve.ipng.airwire.ie. or
ptr-1f01aaaa1231.knr.ipng.airwire.ie.). The customers can customize
these via a web-portal. DNS is handled via PowerDNS pipe backend, which
runs a custom script to deliver the results.

That works for now. The downside is, that it prevents DNSSEC from being
used, as the zone is dynamically generated.

Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobail an Iarthair
http://www.airwire.ie
Phone: 091-865 968


martin at millnert

Aug 31, 2009, 3:14 AM

Post #9 of 23
Re: PTR records for v6 hosts

On Mon, 2009-08-31 at 11:41 +0200, Bjørn Mork wrote:
> Ron Broersma <ron [at] spawar> writes:
>
<snip>
>
> Nice solution for dual stack hosts. But how do you plan to support IPv6
> only hosts?
>
> And does anyone have a proposal that would fit an ISP environment? Lets
> say you use DHCP-PD to delegate a prefix to a customer, who is in full
> control of his own "residential gateway" so you can't look up his
> neigbour table. What do you do?
>
> - Delegate the reverse zone to the customer? Most won't have a clue
> what to do with it.
> - Provide a DDNS solution for the customer and not care whether they use
> it or not? Most won't use it.
> - Set up an IPv6 "walldns" (to borrow terminology from DJB)? I don't
> really see the point. How is a pointer record like
> x20010db800000000021a73fffe502834.example.com better than just not
> having a pointer?
>

Hi,

as long as you delegate a coherent prefix (and remember which one), you
can always at the bare minimum set up a wildcard match for your branch
of the ip6.arpa tree, that points to some customer name. BIND supports
this at least. You probably have to understand how labels and wildcard
matching work (see RFCs) to understand how to use it though. (I think
most people on this list do though :) )
For forward records I believe the easiest thing to do is to let users
manage that themselves via some web application, if you have the support
for that. We (ISP) are going to implement this soon.

And generally, I think the primary key everybody is looking for (but not
everybody can utilize, of course), is an interface's MAC address
(optionally tied to the interface's owner's - the host's - hostname, if you
want), not the interface's IPv4 domain name. We are lucky enough to be
able to use L2 information ourselves, so, we're going for the MAC as a
key. To make things better, we're just going to set up classic default
names for the addresses, but let users have the possibility to override
these names with their own names.
Updates go via a web interface, and not DDNS. Really don't see how
anything gets better if typical stupid users' Windows hostnames, that
usually make no sense whatsoever, go into the domain name system.

Cheers,
--
Martin Millnert <martin [at] millnert>


mohsen.souissi at nic

Aug 31, 2009, 3:31 AM

Post #10 of 23
Re: PTR records for v6 hosts

On 31 Aug, Bjørn Mork wrote:
| Ron Broersma <ron [at] spawar> writes:
|
| > We wrote a tool that regularly polls the routers, grabs the ARP and ND
| > tables (using appropriate snmp MIBs), looks for all the global unicast
| > IPv6 addresses in the list, and then using their MAC address we map to
| > the associated IPv4 address, then use that to look up the IPv4 PTR
| > record in DNS, then use that to build an IPv6 PTR record and use
| > dynamic DNS update to update the zone (with various optimizations such
| > as caching, garbage collection, etc). That works well for us
| > (dealing with thousands of v6 hosts on our net), although there are
| > challenges with differences in how each vendor implements the v6 MIBs,
| > and churn from those horrible privacy/temporary addresses [RFCs 3041,
| > 4941] that that all Microsoft OS's enable by default). This, of
| > course, is assuming each host has some amount of IPv4 and IPv6
| > activity, but in reality it works just fine over time.
|
| Nice solution for dual stack hosts. But how do you plan to support IPv6
| only hosts?
|
| And does anyone have a proposal that would fit an ISP environment? Lets
| say you use DHCP-PD to delegate a prefix to a customer, who is in full
| control of his own "residential gateway" so you can't look up his
| neigbour table. What do you do?
|
| - Delegate the reverse zone to the customer? Most won't have a clue
| what to do with it.
| - Provide a DDNS solution for the customer and not care whether they use
| it or not? Most won't use it.
| - Set up an IPv6 "walldns" (to borrow terminology from DJB)? I don't
| really see the point. How is a pointer record like
| x20010db800000000021a73fffe502834.example.com better than just not
| having a pointer?


==> You may want to have a look at this I-D which is related to the
topic: http://tools.ietf.org/html/draft-howard-isp-ip6rdns-00 (I
haven't read it yet, just browsed through).

Mohsen.


spz at serpens

Aug 31, 2009, 3:48 AM

Post #11 of 23
Re: PTR records for v6 hosts

Hi,

Thus wrote Bjørn Mork (bjorn [at] mork):

> Nice solution for dual stack hosts. But how do you plan to support IPv6
> only hosts?
>
> And does anyone have a proposal that would fit an ISP environment? Lets
> say you use DHCP-PD to delegate a prefix to a customer, who is in full
> control of his own "residential gateway" so you can't look up his
> neigbour table. What do you do?

Why would you do anything different from what you would do in the IPv4
case? Just because there are more addresses doesn't mean there are
necessarily more addresses in use that want reverse, after all.

I think if you have an answer to that you'll also have your answer
to what you want/need to do.

Generally, I'd say don't create reverse unless it is requested.

regards,
spz
--
spz [at] serpens (S.P.Zeidler)


bjorn at mork

Aug 31, 2009, 4:02 AM

Post #12 of 23
Re: PTR records for v6 hosts

Lionel Elie Mamane <lionel [at] mamane> writes:
> On Mon, Aug 31, 2009 at 11:41:32AM +0200, Bjørn Mork wrote:
>> Ron Broersma <ron [at] spawar> writes:
>
>>> We wrote a tool that regularly polls the routers, grabs the ARP and
>>> ND tables (using appropriate snmp MIBs), looks for all the global
>>> unicast IPv6 addresses in the list, and then using their MAC
>>> address we map to the associated IPv4 address, then use that to
>>> look up the IPv4 PTR record in DNS, then use that to build an IPv6
>>> PTR record (...)
>
>> And does anyone have a proposal that would fit an ISP environment? Lets
>> say you use DHCP-PD to delegate a prefix to a customer, who is in full
>> control of his own "residential gateway" so you can't look up his
>> neigbour table. What do you do?
>
> Well, given how few "residential gateway"s have a decent support for
> IPv6 anyway...

Oh, that's improving tremendously at the moment. And both the BBF and
the IETF are working on IPv6 recommendations for these boxes.

>> - Delegate the reverse zone to the customer? Most won't have a clue
>> what to do with it.
>
> I can imagine that once IPv6 support has "settled in", that will be
> the standard solution, supported by most residential gateways.

Right. Thanks for the idea. I do have a few places where I can push
things like that. This is maybe something for
http://www.ietf.org/id/draft-ietf-v6ops-ipv6-cpe-router-01.txt
?

It currently has

"
8.4. DNS Support (CORE)

For local DNS queries for configuration, the CPE Router may include a
DNS server to handle local queries. Non-local queries can be
forwarded unchanged to a DNS server specified in the DNS server
DHCPv6 option. The local DNS server MAY also handle renumbering from
the Service Provider provided prefix for local names used exclusively
inside the home (the local AAAA and PTR records are updated). This
capability provides connectivity using local DNS names in the home
after a Service Provider renumbering.
"

Which could easily be extended with a recommendation that the local DNS
server should provide authoritative service on the external interface
for any delegated prefixes.

However, this might be considered a security risk by some?

Another nice feature coupled with this might be a "dynamic DNS proxy"
for the forward records, where the RG could forward the AAAA
registration to some external dynamic DNS service. Many CPEs include
this feature for IPv4, but that is limited to registering a single link
address on the WAN interface. For IPv6 they would need to register the
addresses of any (locally registered) host on the inside.

But I still wonder how the ISP is supposed to know when and where to
delegate the reverse zone. I wouldn't want to just blindly delegate it
and end up having lots of lame delegations around. So I would have to
wait for the RG to answer queries before enabling the DNS delegation.
Which I guess would be at least a few seconds after the DHCP-PD
finished.

Or maybe just enable it blindly first, accepting some lame delegations
for a while, and do a periodical scan to find delegations which should
be disabled? Hmm, I'm going to have about a million of those... Need
to think about this for a while.


Bjørn


bjorn at mork

Aug 31, 2009, 4:42 AM

Post #13 of 23
Re: PTR records for v6 hosts

"S.P.Zeidler" <spz [at] serpens> writes:

> Why would you do anything different from what you would do in the IPv4
> case?

Because we create static A and PTR records for all IPv4 addresses
allocated to residential customers. That does not scale to IPv6.

Yes, it can be discussed whether our IPv4 policy makes sense. It's a
rather strict interpretation of RFC 1912. But that discussion is off
topic for this list, so please don't try :-)

We could of course have replaced the static zones with a script, as
others on this list have done. That would at least scale. But I do
question the usefulness, given that there is no "RFC 1912 for IPv6".

> Just because there are more addresses doesn't mean there are
> necessarily more addresses in use that want reverse, after all.

True. So the problem reduces to finding out which addresses are in use.
That doesn't make it much easier, though...

> I think if you have an answer to that you'll also have your answer
> to what you want/need to do.
>
> Generally, I'd say don't create reverse unless it is requested.

I tend to agree. Providing customer self service scripts on a web
portal, letting those who care either fill in their host names or
request delegations, is probably sufficient. If the customer doesn't
care, then why should I?

I read the http://tools.ietf.org/html/draft-howard-isp-ip6rdns-00 which
Mohsen Souissi pointed to, and it does not recommend transferring the
recommendations of RFC 1912 to IPv6. There should not be any need to
provide a PTR record just for the sake of providing a PTR record.


Bjørn


spz at serpens

Aug 31, 2009, 5:21 AM

Post #14 of 23
Re: PTR records for v6 hosts

Hi,

Thus wrote Bjørn Mork (bjorn [at] mork):

> "S.P.Zeidler" <spz [at] serpens> writes:
>
> > Generally, I'd say don't create reverse unless it is requested.
>
> I tend to agree. Providing customer self service scripts on a web
> portal, letting those who care either fill in their host names or
> request delegations, is probably sufficient. If the customer doesn't
> care, then why should I?

It's also the only way to give forward and reverse a chance to match. :)

regards,
spz
--
spz [at] serpens (S.P.Zeidler)


mlm at pixelgate

Aug 31, 2009, 6:24 AM

Post #15 of 23
Re: PTR records for v6 hosts

On Mon, 31 Aug 2009, Lionel Elie Mamane wrote:

>>- Delegate the reverse zone to the customer? Most won't have a clue
>> what to do with it.
>
>I can imagine that once IPv6 support has "settled in", that will be
>the standard solution, supported by most residential gateways.

Most of today's "settled in" consumer IPv4 gateways don't know their own name
in any meaningful global DNS terms. Internally most are unnamed, but I've
seen several that disclose the PPPoE username or are plain router or
$routermodel or similarly useless things. Hell, many "managed" routers for
non-trivial clients don't have a useful hostname set.

Perhaps the manufacturers will provide something, but don't expect anything
better than the semi-horrible walldns-like example already suggested
(x20010db800000000021a73fffe502834.example.com), for privacy if not
performance reasons, i.e., some (probably many) people would be freaked if
you suggested that their router publish in some form the (idiotic or too
revealing?) hostnames they have themselves assigned (often unknowingly).

Also some ISPs would want to force the domain, but where is the domain name
delegation to complement the address prefix delegation? Without that the
gateway couldn't properly respond (Mark-PC.local anyone?), for this case,
which means filtering the response (so no longer a direct delegation, and
thus more complex systems).

I expect an ISP provided, predefined generic name for every address in the
entire allocation will predominate for many years, making things like Martin
List-Petersen's pdns pipe very attractive (since it would kill BIND, and
others, to actually populate such a zone). Perhaps using base 32 (or 64)
encoding instead of merely 16, easy as it is to "see" the ip address when
using hex.


dougb at dougbarton

Aug 31, 2009, 10:26 AM

Post #16 of 23
Re: PTR records for v6 hosts

Ron Broersma wrote:
>
> On Aug 30, 2009, at 8:42 AM, Seth Mattinen wrote:
>
>> I'm curious as to how everyone is doing PTR records in DNS for their v6
>> hosts. Are you just letting autoconf hosts go without? Do you manually
>> create one once you know what it's autoconf address will be? Or do you
>> use DHCP with a predefined pool that's easy to create a PTR range for?
>
> We wrote a tool that regularly polls the routers, grabs the ARP and ND
> tables (using appropriate snmp MIBs), looks for all the global unicast
> IPv6 addresses in the list, and then using their MAC address we map to
> the associated IPv4 address, then use that to look up the IPv4 PTR
> record in DNS, then use that to build an IPv6 PTR record and use dynamic
> DNS update to update the zone (with various optimizations such as
> caching, garbage collection, etc).

Have you considered open-sourcing such a tool? I'm sure that a lot of
people would find it very valuable.


> That works well for us (dealing
> with thousands of v6 hosts on our net), although there are challenges
> with differences in how each vendor implements the v6 MIBs, and churn
> from those horrible privacy/temporary addresses [RFCs 3041, 4941] that
> that all Microsoft OS's enable by default).

Personally I like my privacy, but I can see how it would be difficult
to deal with. :)


Doug


stig at venaas

Aug 31, 2009, 10:51 AM

Post #17 of 23
Re: PTR records for v6 hosts

Mark Milhollan wrote:
> On Mon, 31 Aug 2009, Lionel Elie Mamane wrote:
[...]
> I expect an ISP provided, predefined generic name for every address in the
> entire allocation will predominate for many years, making things like Martin
> List-Petersen's pdns pipe very attractive (since it would kill BIND, and
> others, to actually populate such a zone). Perhaps using base 32 (or 64)
> encoding instead of merely 16, easy as it is to "see" the ip address when
> using hex.

Do you know if anyone has written something like the pdns for BIND? I've
thought about writing something like that using BIND's sdb back-end. It
should be easy but I never got around to it. I might try to implement
one unless it's been done already...

Stig


stig at venaas

Aug 31, 2009, 10:57 AM

Post #18 of 23
Re: PTR records for v6 hosts

Bjørn Mork wrote:
[...]
> But I still wonder how the ISP is supposed to know when and where to
> delegate the reverse zone. I wouldn't want to just blindly delegate it
> and end up having lots of lame delegations around. So I would have to
> wait for the RG to answer queries before enabling the DNS delegation.
> Which I guess would be at least a few seconds after the DHCP-PD
> finished.

Would it be useful to have some DHCP option that the RG could use to
request a delegation? It could perhaps be part of the DHCP-PD request.

Stig

> Or maybe just enable it blindly first, accepting some lame delegations
> for a while, and do a periodical scan to find delegations which should
> be disabled? Hmm, I'm going to have about a million of those... Need
> to think about this for a while.
>
>
> Bjørn


ron at spawar

Aug 31, 2009, 11:15 AM

Post #19 of 23
Re: PTR records for v6 hosts

On Aug 31, 2009, at 7:26 AM, Doug Barton wrote:

> Ron Broersma wrote:
>>
>> On Aug 30, 2009, at 8:42 AM, Seth Mattinen wrote:
>>
>>> I'm curious as to how everyone is doing PTR records in DNS for
>>> their v6
>>> hosts. Are you just letting autoconf hosts go without? Do you
>>> manually
>>> create one once you know what it's autoconf address will be? Or do
>>> you
>>> use DHCP with a predefined pool that's easy to create a PTR range
>>> for?
>>
>> We wrote a tool that regularly polls the routers, grabs the ARP and
>> ND
>> tables (using appropriate snmp MIBs), looks for all the global
>> unicast
>> IPv6 addresses in the list, and then using their MAC address we map
>> to
>> the associated IPv4 address, then use that to look up the IPv4 PTR
>> record in DNS, then use that to build an IPv6 PTR record and use
>> dynamic
>> DNS update to update the zone (with various optimizations such as
>> caching, garbage collection, etc).
>
> Have you considered open-sourcing such a tool? I'm sure that a lot of
> people would find it very valuable.

Yes, that is the plan. But we want to first make it a little more
general purpose now that we have all the algorithms worked out, and
clean up the code a bit, and provide various configuration options
depending on site preferences.

>> That works well for us (dealing
>> with thousands of v6 hosts on our net), although there are challenges
>> with differences in how each vendor implements the v6 MIBs, and churn
>> from those horrible privacy/temporary addresses [RFCs 3041, 4941]
>> that
>> that all Microsoft OS's enable by default).
>
> Personally I like my privacy, but I can see how it would be difficult
> to deal with. :)

I understand that many would prefer that level of privacy, but it
creates serious problems for managed enterprise networks where
stability of addresses and forensics capabilities are important. If I
had my way, I'd like to see another bit in the router advertisements
(like the M & O bits) that says "do not use privacy addresses", or
something like that, rather than having to convince all my users and
sys admins to disable it manually on every Windows system.

--Ron


dougb at dougbarton

Aug 31, 2009, 11:19 AM

Post #20 of 23
Re: PTR records for v6 hosts

Ron Broersma wrote:
>
> On Aug 31, 2009, at 7:26 AM, Doug Barton wrote:
>
>> Ron Broersma wrote:
>>>
>>> On Aug 30, 2009, at 8:42 AM, Seth Mattinen wrote:
>>>
>>>> I'm curious as to how everyone is doing PTR records in DNS for their v6
>>>> hosts. Are you just letting autoconf hosts go without? Do you manually
>>>> create one once you know what it's autoconf address will be? Or do you
>>>> use DHCP with a predefined pool that's easy to create a PTR range for?
>>>
>>> We wrote a tool that regularly polls the routers, grabs the ARP and ND
>>> tables (using appropriate snmp MIBs), looks for all the global unicast
>>> IPv6 addresses in the list, and then using their MAC address we map to
>>> the associated IPv4 address, then use that to look up the IPv4 PTR
>>> record in DNS, then use that to build an IPv6 PTR record and use dynamic
>>> DNS update to update the zone (with various optimizations such as
>>> caching, garbage collection, etc).
>>
>> Have you considered open-sourcing such a tool? I'm sure that a lot of
>> people would find it very valuable.
>
> Yes, that is the plan. But we want to first make it a little more
> general purpose now that we have all the algorithms worked out, and
> clean up the code a bit, and provide various configuration options
> depending on site preferences.

That sounds great! One word of free advice (worth just what you paid
for it of course), err on the side of releasing sooner than later.
Many a useful project has been stuck forever in the loop of "not quite
ready for other people to see yet."

>>> That works well for us (dealing
>>> with thousands of v6 hosts on our net), although there are challenges
>>> with differences in how each vendor implements the v6 MIBs, and churn
>>> from those horrible privacy/temporary addresses [RFCs 3041, 4941] that
>>> that all Microsoft OS's enable by default).
>>
>> Personally I like my privacy, but I can see how it would be difficult
>> to deal with. :)
>
> I understand that many would prefer that level of privacy, but it
> creates serious problems for managed enterprise networks where stability
> of addresses and forensics capabilities are important. If I had my way,
> I'd like to see another bit in the router advertisements (like the M & O
> bits) that says "do not use privacy addresses", or something like that,
> rather than having to convince all my users and sys admins to disable it
> manually on every Windows system.

Not that this is the forum, but if we were going to design something
like that I would prefer a flag that said 'use your "real" address on
the internal network, and a privacy address for the cloud' in the mix
somewhere.


Doug


d at teklibre

Sep 5, 2009, 5:04 PM

Post #21 of 23
Re: PTR records for v6 hosts


Stig Venaas <stig [at] venaas> writes:

> Mark Milhollan wrote:
>> On Mon, 31 Aug 2009, Lionel Elie Mamane wrote:
> [...]
>> I expect an ISP provided, predefined generic name for every address
>> in the entire allocation will predominate for many years, making
>> things like Martin List-Petersen's pdns pipe very attractive (since
>> it would kill BIND, and others, to actually populate such a zone).
>> Perhaps using base 32 (or 64) encoding instead of merely 16, easy as
>> it is to "see" the ip address when using hex.
>
> Do you know if anyone has written something like the pdns for BIND? I've
> thought about writing something like that using BIND's sdb back-end. It
> should be easy but I never got around to it. I might try to implement
> one unless it's been done already...

I'm not sure why you'd want to populate the entire reverse ip address
space, merely populating the used ipv6 ips with the machines that need
reverse ips should be enough. I just leave the reverses static as the
machines involved are on a dedicated tunnel or a roaming tunnel.

On bind9:

For forward lookups, to dynamically update bind9, what I have done, on a
small scale, is use the nsupdate utility, wrapped in a small script with
tsig.

To create a machine for the first time I:

#!/bin/sh
# mkroam.sh
# Generate a TSIG key for one roaming host. The single argument is the
# host's full name (e.g. dave.roam.example.com); it becomes the key name,
# and dnssec-keygen writes K<name>.+<alg>+<tag>.key/.private in the cwd.
if [ $# = 1 ]
then
    dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/urandom -n USER "$1"
else
    echo "must be a user domain name in the format name.example.org" >&2
    exit 1
fi

The resulting public key gets transmorphed (currently by hand) into a
file on the name server called keys.conf.

key dave.roam.example.com. {
algorithm HMAC-MD5;
secret "jvtC/ZRUI24A2BC$218jkH2X2hIi562a1o2/1vzm ljV9fiZjC/JHZds4p 4c5kHTJql32s5BJQuPGIM/1HrnvmsA==";
};

The latest alpha of bind9 (due out next week, I'm told) comes with a
tool that generates keys in the correct format, so you don't have to use
dnssec-keygen for it.

And then the update script on the client pc (fired off a minute after the device
initializes to give it time to acquire addresses)

#!/bin/sh
# Replace the roaming host's AAAA RRset with a TSIG-signed dynamic update.
# Run a minute after the interface comes up so the address has been acquired.
SERVER=nsipv6.example.com
SUBDOMAIN=roam.example.com
if [ $# = 2 ]
then
    USER=$1
    AAAA=$2
    # -k points at the .private file from dnssec-keygen; the glob matches
    # the algorithm/key-tag part of its name. -v forces TCP, -d is debug.
    nsupdate -d -R /dev/urandom -k /etc/dnskey/K$USER.$SUBDOMAIN.*.private -v <<BBBB
server $SERVER
zone $SUBDOMAIN
update delete $USER.$SUBDOMAIN. AAAA
update add $USER.$SUBDOMAIN. 600 AAAA $AAAA
show
send
BBBB
else
    echo "usage: $0 USER New_AAAA" >&2
    exit 1
fi


The update script could be improved (for example, checking to see if the
dns name was already registered and not doing an update in that case,
registering all or a subset of AAAA addresses based on EUI-64 or not,
etc). I have not got around to trying reverse zone updates.

Will it scale? I don't know. You can do updates via udp, I can't think
of anything much more terse than that.

Is it small enough to fit on a cpe? The nsupdate utility is 51k in size,
but relies on a plethora of libraries to do its job.

The joy in this is that I can actually get my email via good old SMTP,
no matter where I am, as well as have a static ipv6 based dns name, no
matter where I am.

>
> Stig
>

--
Dave Taht
http://the-edge.blogspot.com
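Both halves of the post above, the nsupdate wrapper (which stops short of the reverse zone) and the quoted idea of answering a generic name for every address in an allocation instead of populating 2^96 PTR records, come down to the same arithmetic: mapping between an IPv6 address and its ip6.arpa owner name. The following Python is an added example, not code from any of the posts; the zone and server names, the 2001:db8::/32 allocation and the customer.example.net suffix are assumptions.

```python
import base64
import ipaddress

HEX = "0123456789abcdef"


def ip6_arpa_name(addr: str) -> str:
    """ip6.arpa owner name of an address: all 32 nibbles, reversed, dotted."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def address_from_arpa_name(qname: str) -> ipaddress.IPv6Address:
    """Inverse of ip6_arpa_name for a full /128 name; ValueError otherwise."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not an ip6.arpa name: %s" % qname)
    nibbles = labels[:-2]
    if len(nibbles) != 32 or not all(len(n) == 1 and n in HEX for n in nibbles):
        raise ValueError("not a complete /128 ip6.arpa name: %s" % qname)
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))


def reverse_zone_for_prefix(prefix: str) -> str:
    """Reverse zone apex of an allocation; ip6.arpa delegations cut on nibble boundaries."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4: %s" % prefix)
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def nsupdate_script(host, fwd_zone, rev_prefix, addr, ttl=600,
                    server="nsipv6.example.com"):
    """Stdin for nsupdate that replaces the host's AAAA RRset and the address's PTR.
    Forward and reverse records live in different zones and one UPDATE message
    covers exactly one zone, hence two 'send's. Hostnames/zones are assumptions."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in ipaddress.IPv6Network(rev_prefix):
        raise ValueError("%s is outside %s, PTR would land in the wrong zone" % (ip, rev_prefix))
    fqdn = "%s.%s." % (host, fwd_zone.rstrip("."))
    ptr_owner = ip6_arpa_name(addr)
    lines = [
        "server %s" % server,
        "zone %s." % fwd_zone.rstrip("."),
        "update delete %s AAAA" % fqdn,
        "update add %s %d AAAA %s" % (fqdn, ttl, ip.compressed),
        "send",
        "zone %s" % reverse_zone_for_prefix(rev_prefix),
        "update delete %s PTR" % ptr_owner,
        "update add %s %d PTR %s" % (ptr_owner, ttl, fqdn),
        "send",
    ]
    return "\n".join(lines) + "\n"


def generic_ptr(qname: str, prefix: str, suffix: str = "customer.example.net."):
    """What a pipe-style backend would answer for any PTR query under an
    allocation's reverse zone: a name derived from the address rather than a
    stored record. RFC 4648 base32 of the 16 address bytes gives 26 hostname-safe
    characters instead of 32 hex nibbles. Returns None outside `prefix` or for
    a name that is not a full /128 (e.g. a query at the zone apex)."""
    try:
        addr = address_from_arpa_name(qname)
    except ValueError:
        return None
    if addr not in ipaddress.IPv6Network(prefix):
        return None
    token = base64.b32encode(addr.packed).decode("ascii").rstrip("=").lower()
    return "%s.%s" % (token, suffix)


def address_from_generic(name: str) -> ipaddress.IPv6Address:
    """Recover the address from a generic name's first label (re-adds base32 padding)."""
    token = name.split(".")[0].upper()
    return ipaddress.IPv6Address(base64.b32decode(token + "=" * (-len(token) % 8)))


if __name__ == "__main__":
    print(nsupdate_script("dave", "roam.example.com", "2001:db8::/32", "2001:db8::1"))
    q = ip6_arpa_name("2001:db8::1")
    print(q, "->", generic_ptr(q, "2001:db8::/32"))
```

The script text is meant to be fed to nsupdate exactly as the shell wrapper above does (`nsupdate -k K....private <<EOF`); the TSIG key must then be granted on both zones, and the base32 form is reversible, so the synthesised name leaks nothing the hex form would not.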


jeroen at unfix

Sep 6, 2009, 3:11 AM

Post #22 of 23 (3210 views)
Re: PTR records for v6 hosts [In reply to]

Dave Täht wrote:
[..]
> For forward lookups, to dynamically update bind9, what I have done, on a
> small scale, is use the nsupdate utility, wrapped in a small script with
> tsig.

What about simply looking at:
http://www.ops.ietf.org/dns/dynupd/secure-ddns-howto.html

Note:
$Id: secure-ddns-howto.html,v 1.65 2002/03/17 22:52:50 jakob Exp $

It has existed for some while already :)

Windows Edition of the thing:
http://unfix.org/~jeroen/archive/Windows_DynamicDNS_Update.zip

Greets,
Jeroen


d at teklibre

Sep 6, 2009, 5:52 AM

Post #23 of 23 (3207 views)
Re: PTR records for v6 hosts [In reply to]

Jeroen Massar <jeroen [at] unfix> writes:

> Dave Täht wrote:
> [..]
>> For forward lookups, to dynamically update bind9, what I have done, on a
>> small scale, is use the nsupdate utility, wrapped in a small script with
>> tsig.
>
> What about simply looking at:
> http://www.ops.ietf.org/dns/dynupd/secure-ddns-howto.html
>
> Note:
> $Id: secure-ddns-howto.html,v 1.65 2002/03/17 22:52:50 jakob Exp $
>
> Exists some while already :)

When I looked on Google for methods to do this, that URL was nowhere
near the top of the results, and the examples that were at the top
tended to use "example.com" rather than a subdomain like
"roam.example.com".

You suggest "laptop.example.com", but the world of mobile devices is
much larger than that, thus "roam" and "home" were the two dns subzones I
settled on for dynamic updates, and I mostly only use roam.

Incidentally, I just built bind-9.7.0a2 and the name of the new utility
that generates correctly formatted zones and keys is: ddns-confgen

It uses hmac-sha256 by default. (I believe MD5 has issues nowadays)

The howto is otherwise excellent.

Anyway the surrounding context of this discussion is on how to do this
well on cpe equipment, or in an automated fashion at the ISP. I would
like very much to see local (and split, for ipv4) dns name services to
be on the customer premise some day in the future, in more networks.

I'm told one of the design goals of bind10 is to have it run well
on embedded gear, but looking over it now I don't see how bind can get
there from here.

>
> Windows Edition of the thing:
> http://unfix.org/~jeroen/archive/Windows_DynamicDNS_Update.zip
>
> Greets,
> Jeroen
>

--
Dave Taht
http://the-edge.blogspot.com
