[ale] Running an IPv6 network: DNS

Johnny Preyer jpreyer at gmail.com
Fri Jan 21 17:42:45 EST 2011


On 1/21/11, Michael B. Trausch <mike at trausch.us> wrote:
> One thing that I did not think to ask about last night:  DNS on IPv6
> networks.  I expect that this is a topic that by itself could be a
> presentation, because there are many, many issues involved with it.
>
> For starters:  What is the preferred dæmon for use with IPv6?  I know
> that my personal favorite (djbdns) does not support anything having to
> do with IPv6 unless you fetch some patches from the Internet, and those
> patches are less than stellar in terms of their usability and
> robustness, so really the solution for djbdns is to either continue
> patching it up, or scrap it entirely.  Because I have less than no time
> on my hands, that's not really an option for me.  I know that ISC BIND
> supports IPv6 (both records and connections), but it has such an awful
> past when it comes to security that I am hesitant to allow it on my
> network.  However, it supports other features that are useful (DNSSEC,
> various forms of dynamic updates, and so forth), so... should I start
> using that again?
>
> There are a few other issues that I can think of:
>
>  * For an IPv4 network, it is conventional (and expected) to provide
>    reverse lookups for all addresses.  But in order to do this in an
>    IPv6 network would be impractical: the definitions for a single /64
>    alone would require 1,180,591,620,717,411,303,424 bits
>    (147,573,952,589,676,412,928 _bytes_, or exactly 128 EiB) of storage
>    (and that's before even considering the storage for the names).  So,
>    it seems that reverse lookups would have to be provided only for
>    known systems, and for the rest, the DNS server should be able to
>    apply a template of some sort.  Does BIND (or any other freely
>    available DNS software, for that matter) support this ability?
>
>  * Likewise, generic names are expected for addresses that aren't used
>    for static things.  So some sort of template-driven, fallback name
>    should be available for hosts that aren't explicitly defined in the
>    zone, just like with reverse lookups.
>
>  * How in the world would such a thing be replicated to slave DNS
>    servers?  I do not believe that there is any sort of method to
>    replicate anything but actual records in zone transfers and the like.
>
> Another, related issue that has to do with something that was brought up
> last night: sequential numbering of IP addresses within an IPv6 network.
> I can understand precisely why sequential numbering is a bad thing from a
> network scanning perspective, but one of the major reasons to number
> sequentially (other than operating in the mindset of conservation and
> lack of significant address space available) is the ability for a human
> user to quickly remember addresses and conveniently manage them.  Should
> one just keep a list of MAC addresses and rely on stateless
> autoconfiguration for servers other than the network edge router?  I
> suppose that would be one way of ensuring that the addresses for systems
> and the services running on them are well-known in the event of a
> complete failure of DNS...
>
> 	--- Mike
>

-- 
Sent from my mobile device
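The template-driven reverse and forward names that Mike asks about can be illustrated with a small model of the lookup logic. The following is an added example, not code from either poster and not a feature of any particular DNS server: it takes a constructed /64 (`2001:db8:1234:5678::/64`), a constructed table of known hosts, and a hypothetical fallback domain (`dyn.example.net.`), builds the ip6.arpa owner name nibble by nibble, answers PTR queries from the explicit table first and from a template otherwise, and inverts the template so a synthesized forward name maps back to its address.

```python
"""Model of template-driven reverse/forward naming for an IPv6 /64.

Added example with constructed data; the prefix, host table and the
dyn.example.net. fallback domain are all assumptions, not real zones.
"""
import ipaddress

# Constructed sample zone data.
PREFIX = ipaddress.ip_network("2001:db8:1234:5678::/64")
KNOWN_HOSTS = {
    ipaddress.ip_address("2001:db8:1234:5678::1"): "gw.example.net.",
    ipaddress.ip_address("2001:db8:1234:5678::53"): "ns1.example.net.",
}
GENERIC_DOMAIN = "dyn.example.net."  # hypothetical fallback domain


def reverse_name(addr):
    """Return the ip6.arpa owner name for an address.

    The exploded form has 32 hex digits; each digit becomes one label,
    least significant first, which is why a /64 alone spans 2**64 names.
    """
    ip = ipaddress.IPv6Address(addr)
    nibbles = ip.exploded.replace(":", "")  # 32 zero-padded hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def generic_name(addr):
    """Synthesize a fallback hostname from the 64-bit interface identifier."""
    ip = ipaddress.IPv6Address(addr)
    iid = int(ip) & ((1 << 64) - 1)
    return f"h-{iid:016x}.{GENERIC_DOMAIN}"


def address_from_generic(name):
    """Inverse of generic_name: recover the address a synthesized name stands for.

    Returns None for names that do not follow the template, so a forward
    lookup for an arbitrary label under the fallback domain gets no answer.
    """
    label, _, domain = name.partition(".")
    if domain != GENERIC_DOMAIN or not label.startswith("h-"):
        return None
    try:
        iid = int(label[2:], 16)
    except ValueError:
        return None
    if iid >= 1 << 64:
        return None
    return ipaddress.IPv6Address(int(PREFIX.network_address) | iid)


def ptr_answer(addr):
    """Answer a PTR query for an address inside PREFIX.

    Explicitly defined hosts win; anything else inside the prefix gets the
    template name; addresses outside the prefix get no answer at all.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in PREFIX:
        return None
    return KNOWN_HOSTS.get(ip, generic_name(ip))


if __name__ == "__main__":
    for a in ("2001:db8:1234:5678::53", "2001:db8:1234:5678:abcd::7"):
        print(reverse_name(a), "PTR", ptr_answer(a))
```

Because the synthesized names are computed rather than stored, they never appear in a zone transfer; a secondary server has to carry the same prefix, template and known-host table by configuration, which is the replication caveat behind the third question. The template is also deterministic, so a generic name reveals the exact interface identifier it was derived from; any privacy that the address layout is meant to provide is lost once such names are published.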
