From Secure Computing Wiki
Revision as of 20:08, 17 July 2007 by Ecrist (Talk | contribs) (Reverse Resolution)

Jump to: navigation, search

This document assumes you already understand IPv4 DNS configuration. This page will discuss implementation of BIND9 and IPv6 for Domain Name Resolution. If you'd like to contribute, please let me know, and we'll get you an account. I only use BIND, but I'm sure others use the other options out there.

Forward Resolution

Forward DNS resolution with IPv6 isn't any different from IPv4, apart from the record type in your zone configuration file. We aren't going to discuss full DNS configuration, as we're assuming understanding of the BIND9 configuration of at least IPv4 forward resolution.

To create an IPv6 forward resolution record, use record type AAAA. If you've been browsing around the internet, you've probably seen mention of A6 records. These have been deprecated in favor of a standard of AAAA records.

Here is the IPv6 record for www.secure-computing.net:

www                     IN AAAA         2001:4980:1:111::150

It's really as simple as that!

Reverse Resolution


Reverse DNS resolution is a little different animal from IPv4. There's a new provision for delegation of reverse DNS, due to the HUGE number of IP addresses a single network is allocated 18,446,744,073,709,551,615 IP addresses. I'm not sure about your needs, but that's more than I'm, personally, going to need. To put that in perspective, that is 18 quitrillion, 446 quadrillion, 774 trillion, 73 billion, 709 million, 551 thousand, 615 IP addresses. That, for one single network, is actually enough IPs for every person in the world to have 2,837,960,626. Hrm, two BILLION addresses each. That's a lot. For the record, a /64 in IPv6 is the smallest allocation of IP addresses per the protocol. That's quite a few for your ISP to worry about if you want proper reverse DNS.

All of that being said, your ISP is probably more than willing to delegate reverse DNS to your servers. IPv6 delegates based on nibbles. Without getting into too much detail, let's break it down a bit.

Brief IP Explanation

With reverse DNS, IPs are written in reverse order, so is In this case, things are broken up by the octet, or by each . in the address. With IPv6, things are broken up into each byte. This means an IP address of 2001:4980:1:111::150 is expanded and written out as: There's a distinct difference here, between version 4 and version 6. With version 4, you can only delegate reverse DNS by the class C block, and it's delegated by ARIN (or whomever your local authority is). With IPv6, I can delegate a single IP's reverse DNS. AKA nibble.  :)

Dirty Work

We're going to build the secure-computing.net reverse DNS file, and I'll do my best to explain as we go.

  1. First, you need to put all the file header information that exists in an IPv4 file, such as ORIGIN, TTL, and other timeouts:
    $TTL    86400
    @       IN      SOA pri-ns.secure-computing.net. domain-services.secure-computing.net.  (
                                    2007070501      ; Serial
                                    3600    ; Refresh
                                    3600    ; Retry
                                    1209600 ; Expire
                                    7200 )  ; Minimum TTL