Difference between revisions of "IPv6 DNS"

From Secure Computing Wiki

Revision as of 20:22, 17 July 2007

This document assumes you already understand IPv4 DNS configuration. This page will discuss implementation of BIND9 and IPv6 for Domain Name Resolution. If you'd like to contribute, please let me know, and we'll get you an account. I only use BIND, but I'm sure others use the other options out there.

Forward Resolution

Forward DNS resolution with IPv6 isn't any different from IPv4, apart from the record type in your zone configuration file. We aren't going to discuss full DNS configuration, as we're assuming understanding of the BIND9 configuration of at least IPv4 forward resolution.

To create an IPv6 forward resolution record, use record type AAAA. If you've been browsing around the internet, you've probably seen mention of A6 records. Those have been deprecated in favor of AAAA records, which are now the standard.

Here is the IPv6 record for www.secure-computing.net:

www                     IN AAAA         2001:4980:1:111::150

It's really as simple as that!

Reverse Resolution

Overview

Reverse DNS resolution is a little different animal from IPv4. There's a new provision for delegation of reverse DNS, due to the HUGE number of IP addresses a single network is allocated: 18,446,744,073,709,551,615 IP addresses. I'm not sure about your needs, but that's more than I, personally, am going to need. To put that in perspective, that is 18 quintillion, 446 quadrillion, 744 trillion, 73 billion, 709 million, 551 thousand, 615 IP addresses. That, for one single network, is actually enough IPs for every person in the world to have 2,837,960,626. Hrm, two BILLION addresses each. That's a lot. For the record, a /64 in IPv6 is the smallest allocation of IP addresses per the protocol. That's quite a few for your ISP to worry about if you want proper reverse DNS.

All of that being said, your ISP is probably more than willing to delegate reverse DNS to your servers. IPv6 delegates based on nibbles. Without getting into too much detail, let's break it down a bit.

Brief IP Explanation

With reverse DNS, IPs are written in reverse order, so 209.240.66.150 is 150.66.240.209.in-addr.arpa. In this case, things are broken up by the octet, or by each . in the address. With IPv6, things are broken up into each nibble (one hex digit). This means an IP address of 2001:4980:1:111::150 is first expanded to 2001:4980:0001:0111:0000:0000:0000:0150 and then written out, nibble by nibble in reverse, as: 0.5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2. There's a distinct difference here, between version 4 and version 6. With version 4, you can only delegate reverse DNS by the class C block, and it's delegated by ARIN (or whomever your local authority is). With IPv6, I can delegate even a single IP's reverse DNS, because delegation happens per nibble.  :)

Dirty Work

We're going to build the secure-computing.net reverse DNS file, and I'll do my best to explain as we go.

  1. First, you need to put all the file header information that exists in an IPv4 file, such as $ORIGIN, $TTL, and the SOA timers. The $ORIGIN should be the part of your IPv6 block that describes your network. If you've been assigned a /64, it will be the first 16 hex digits (nibbles) of your expanded IPv6 address, written in reverse. Secure Computing Networks has been assigned 2001:4980:1:111::/64, so our $ORIGIN will be 1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2.ip6.arpa. Note that .ip6.arpa is appended to the end of all IPv6 reverse IPs:
    $ORIGIN 1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2.ip6.arpa.
    $TTL    86400
    
    @       IN      SOA pri-ns.secure-computing.net. domain-services.secure-computing.net.  (
                                    2007070501      ; Serial
                                    3600    ; Refresh
                                    3600    ; Retry
                                    1209600 ; Expire
                                    7200 )  ; Minimum TTL
    
  2. Next, I add a few comments so that, as I'm typing, I can remember my IP block and $ORIGIN:

    ; 2001:4980:1:111::/64
    ;  1.1.1.0.1.0.0.0.0.8.9.4.1.0.0.2.ip6.arpa.

  3. At this point, we can start adding our static reverse definitions. These should be in the same nibble format we've already been discussing: the owner name is the host part of the address (the 16 nibbles after your /64), reversed, and relative to the $ORIGIN. Similar to IPv4, you'll use the PTR record type, followed by your host name. REMEMBER to add the trailing period to the end of your host name, or it WILL NOT work! Without the period, BIND treats the name as relative and appends your $ORIGIN to it.

    ...
    4.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     core.ip6.secure-computing.net.
    5.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     ghost.ip6.secure-computing.net.
    6.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     gimp.ip6.secure-computing.net.
    7.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     chunk.ip6.secure-computing.net.
    8.4.1.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     snort.ip6.secure-computing.net.
    ...
    
    • Note: The ... lines above simply indicate that there are more records before, and more records after. This is simply an excerpt from our configuration file to give you an idea as to your format.
  4. At this point, you should be able to save, restart your BIND9 server, and, provided reverse DNS has been delegated to your servers, resolve your reverse DNS. There is much more to learn about reverse DNS, such as $GENERATE records, but I don't even know how to do that, yet. Trust me, it's coming soon! I'm not about to manually type 2+ Billion entries in my zone file!
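The nibble expansion from the Brief IP Explanation and the $ORIGIN / PTR construction in the steps above are easy to get wrong by hand (a dropped nibble, a forgotten trailing period). Below is an added example, not code from the wiki or from BIND, that derives the reverse names from the addresses and emits matching AAAA and PTR lines. It uses Python's standard ipaddress module; the host list HOSTS is a constructed sample built from the addresses quoted on this page, and it goes slightly beyond the page by accepting any nibble-aligned prefix, not only a /64.

```python
import ipaddress

# Constructed sample data for this example: the /64 from the page and a few of
# its hosts, mapped to fully qualified names (a hypothetical host list).
PREFIX = ipaddress.IPv6Network("2001:4980:1:111::/64")
HOSTS = {
    "core.ip6.secure-computing.net.": "2001:4980:1:111::144",
    "ghost.ip6.secure-computing.net.": "2001:4980:1:111::145",
    "www.secure-computing.net.": "2001:4980:1:111::150",
}


def nibbles(addr):
    """All 32 hex digits of an IPv6 address, most significant first.

    .exploded writes every group as four digits, so '::' and leading zeros
    are restored before the string is split into single nibbles."""
    exploded = ipaddress.IPv6Address(str(addr)).exploded  # 2001:4980:0001:0111:0000:0000:0000:0150
    return list(exploded.replace(":", ""))


def reverse_name(addr):
    """Full reverse name: the 32 nibbles in reverse order, then .ip6.arpa."""
    return ".".join(reversed(nibbles(addr))) + ".ip6.arpa"


def zone_origin(network):
    """$ORIGIN for a delegated prefix: the prefix nibbles, reversed, plus .ip6.arpa.

    ip6.arpa delegation happens per nibble, so the prefix length must be a
    multiple of 4 (a /64 gives 16 nibbles)."""
    if network.prefixlen % 4:
        raise ValueError(f"/{network.prefixlen} is not on a nibble boundary")
    count = network.prefixlen // 4
    prefix_nibbles = nibbles(network.network_address)[:count]
    return ".".join(reversed(prefix_nibbles)) + ".ip6.arpa."


def ptr_owner(addr, network):
    """Owner name relative to zone_origin(network): the host nibbles, reversed."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in network:
        raise ValueError(f"{addr} is not inside {network}")
    host_nibbles = nibbles(ip)[network.prefixlen // 4:]
    return ".".join(reversed(host_nibbles))


def fqdn(name):
    """Require the trailing dot: a relative name would get $ORIGIN appended by BIND."""
    if not name.endswith("."):
        raise ValueError(f"{name!r} is relative; BIND would append the zone origin to it")
    return name


def forward_records(hosts):
    """AAAA lines for the forward zone, one per host."""
    return [f"{fqdn(name):<34} IN AAAA {ipaddress.IPv6Address(addr).compressed}"
            for name, addr in hosts.items()]


def reverse_zone(hosts, network=PREFIX):
    """$ORIGIN line plus one PTR line per host, owner names relative to the origin."""
    lines = [f"$ORIGIN {zone_origin(network)}"]
    for name, addr in hosts.items():
        lines.append(f"{ptr_owner(addr, network):<34} IN PTR  {fqdn(name)}")
    return lines


if __name__ == "__main__":
    print("\n".join(forward_records(HOSTS)))
    print()
    print("\n".join(reverse_zone(HOSTS)))
```

Running it prints the AAAA lines and then a $ORIGIN line followed by PTR lines in the same layout as the excerpt above. Generating both directions from one host table keeps forward and reverse records consistent, which is what a sanity check (resolve the PTR, then resolve the name it returns, and compare) relies on. For a single address the standard library already offers ipaddress.IPv6Address(addr).reverse_pointer, which returns the same string as reverse_name(); the explicit version is kept here so the nibble expansion is visible.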