
reverse dns for IPV6 ranges


hugo hugoo

Mar 5, 2012, 4:00:46 PM
to bind-...@lists.isc.org
Dear all,

Can anyone help me with their experience on reverse DNS for IPv6?
Presently, when we reverse an IPv4 subnet for clients, we configure all the reverse records for the whole subnet.
It is a lot of PTRs, but perfectly manageable.

With IPv6, the number of IPs that we will receive is amazing...
So... it seems impossible to configure a PTR for every single IPv6 address in the range.

So... what to do?
What is the common practice?
What is possible with BIND?

Thanks in advance for your answer.


Spain, Dr. Jeffry A.

Mar 5, 2012, 4:15:53 PM
to hugo hugoo, bind-...@lists.isc.org
For our IPv6 address space 2001:4870:20ca::/48, I created a reverse lookup zone a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa and arranged for delegation from our ISP. I included PTR records only for those hosts accessible from the outside. Internal DNS is Windows Active Directory integrated. Here's a sample from the zone file, which contains about 25 PTR records in all:

$ORIGIN .
$TTL 3600 ; 1 hour
a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa IN SOA ns1.countryday.net. hostmaster.countryday.net. (
2012030101 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
NS ns1.countryday.net.
NS ns2.countryday.net.
$ORIGIN 9.0.0.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.   ; 2001:4870:20ca:9::/64
a.5.6.9.f.9.e.4.3.4.3.e.f.a.0.8 PTR ns2.countryday.net.   ; 2001:4870:20ca:9:80af:e343:4e9f:965a
$ORIGIN 8.5.1.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.   ; 2001:4870:20ca:158::/64
2.9.1.f.1.d.2.1.b.f.7.5.7.f.8.0 PTR ns1.countryday.net.   ; 2001:4870:20ca:158:8f7:57fb:12d1:f192

I would also be interested in hearing about the practices of others. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
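
An added worked example (not part of Jeff's post and not BIND code) showing how the nibble-reversed owner names in a zone file like the one above are derived, how PTRs can be grouped under one $ORIGIN per /64 the way the sample does, and how to check that every PTR still has a AAAA pointing back at it. The ns1/ns2 addresses are recovered from the zone sample; www.example.net and the addresses under 2001:db8::/32 are constructed for the example. BIND ships the `arpaname` utility for the single-address conversion; the grouping and the consistency check are this script's.

```python
import ipaddress
from collections import defaultdict

# Constructed forward data for the example: the two name/address pairs come
# from the zone sample above; www.example.net on the RFC 3849 documentation
# prefix is made up.
AAAA_RECORDS = {
    "ns1.countryday.net.": "2001:4870:20ca:158:8f7:57fb:12d1:f192",
    "ns2.countryday.net.": "2001:4870:20ca:9:80af:e343:4e9f:965a",
    "www.example.net.": "2001:db8::1",
}


def nibbles(addr):
    """The 32 hex nibbles of an IPv6 address, least significant first,
    which is the label order used under ip6.arpa."""
    return list(reversed(ipaddress.IPv6Address(addr).exploded.replace(":", "")))


def reverse_name(addr):
    """Fully qualified ip6.arpa name (what `arpaname` prints, plus a trailing dot)."""
    return ".".join(nibbles(addr)) + ".ip6.arpa."


def split_at(addr, prefixlen=64):
    """Split the reverse name into (host labels, $ORIGIN) at a /prefixlen
    boundary, so PTRs can be grouped per subnet like the sample zone."""
    if prefixlen % 4:
        raise ValueError("$ORIGIN must sit on a nibble boundary")
    n = nibbles(addr)
    cut = 32 - prefixlen // 4  # number of host nibbles
    return ".".join(n[:cut]), ".".join(n[cut:]) + ".ip6.arpa."


def ptr_zone_body(aaaa_records, prefixlen=64):
    """Render PTR records grouped under one $ORIGIN per /prefixlen."""
    groups = defaultdict(list)
    for name, addr in sorted(aaaa_records.items()):
        host, origin = split_at(addr, prefixlen)
        groups[origin].append(f"{host} PTR {name}")
    lines = []
    for origin in sorted(groups):
        lines.append(f"$ORIGIN {origin}")
        lines.extend(groups[origin])
    return "\n".join(lines)


def unmatched_ptrs(ptr_records, aaaa_records):
    """Reverse names whose PTR target has no AAAA pointing back at them,
    i.e. the asymmetric records Jeff's post says there is no reason to keep.
    ptr_records maps an ip6.arpa owner name to its target hostname."""
    bad = []
    for owner, target in ptr_records.items():
        addr = aaaa_records.get(target)
        if addr is None or reverse_name(addr) != owner.lower():
            bad.append(owner)
    return sorted(bad)


if __name__ == "__main__":
    print(ptr_zone_body(AAAA_RECORDS))
    stale = {reverse_name("2001:db8::2"): "old.example.net."}
    print("PTRs with no matching AAAA:", unmatched_ptrs(stale, AAAA_RECORDS))
```

Feed it the AAAA set exported from the forward zone and the result can be pasted under the SOA/NS header of the ip6.arpa zone; running `unmatched_ptrs` over the existing reverse zone before each publish catches PTRs left behind when a host's AAAA was changed.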

Mark Andrews

Mar 5, 2012, 4:23:53 PM
to hugo hugoo, bind-...@isc.org

In message <DUB109-W57AA00705...@phx.gbl>, hugo hugoo writes:
>
> Dear all,
>
> Can anyone help me with its experience on reverse dns for IPV6?
> Presently, when we reverse an IPV4 subnet for clients, we configure all the reverse for the whole subnet.
> It is a lot of PTR's but perfectly manageable.
>
> With IPV6, the number of IP's that we will receive is amazing....
> So...it seems impossible for every single IPV6 inthe range to configure a PTR.
>
> So...what to do?
> What is the common practice?
> What is possible with BIND?
>
> Thanks in advance for your answer.

Let the machines register their own PTR record using TCP as the authenticator.

update-policy {
	// tcp-self: a client that connects over TCP may update only the PTR
	// at the reverse-mapping name of its own source address
	grant . tcp-self * PTR;
};

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

hugo hugoo

Mar 5, 2012, 5:19:16 PM
to spa...@countryday.net, bind-...@lists.isc.org
thanks for your comment.

But if only some IPs have a reverse, what about the other servers that have received an IP in the range? An IP that can be changed every x hours.
If there is no reverse, it can be blacklisted for some reasons or have some problems with services asking for a reverse DNS resolution.


Mark Andrews

Mar 5, 2012, 8:32:42 PM
to Noel Butler, bind-...@isc.org

In message <1330991057.3861.10.camel@tardis>, Noel Butler writes:
>
> > Let the machines register their own PTR record using TCP as the authenticator.
> >
> > update-policy {
> > grant . tcp-self * PTR;
> > };
>
> That's dangerous 14m1337.u.suck.hax0r.org - yeah, it would be
> highly abused and why most ISPs don't do/allow it :)

And is a baseless fear as it can be tracked back to the customer
involved or does the ISP permit customers to spoof each other or
permit the public to spoof its customers? This isn't wide open
UPDATE. It's 1.2.3.4 can update 4.3.2.1.IN-ADDR.ARPA/PTR and only
4.3.2.1.IN-ADDR.ARPA/PTR if the update request comes over TCP.

> But for a small company that has trustworthy staff, maybe, but then mail
> servers will start rejecting some of them trying to send directly
> because there's likely no matching A record.

The machine adds its own A / AAAA records using TSIG. These can then
be updated as it moves around the world.
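
To make the trust boundary of that policy concrete, here is an added example (my own model, not BIND's code and not from Mark's post) of the decision a tcp-self rule makes for one dynamic update: the request must arrive over TCP, so the source address has completed a handshake and cannot simply be forged the way a UDP source can; the client may touch only the reverse-mapping name of that source address; and only the granted type (PTR) is accepted. The requests it evaluates are constructed from RFC 5737 and RFC 3849 documentation addresses. Two things the rule does not do, which a practitioner should keep in mind: it does not police the target name the client writes into its PTR, and it relies on the network stopping hosts from completing TCP handshakes with addresses that are not theirs (the anti-spoofing Mark refers to).

```python
import ipaddress

# The types the update-policy statement above grants (PTR only). Everything
# else in this file is an assumption about how a tcp-self style check
# behaves; it is a model, not BIND's implementation.
GRANTED_TYPES = {"PTR"}


def reverse_name(addr):
    """Standard reverse-mapping name of an address: in-addr.arpa for IPv4,
    ip6.arpa for IPv6 (same text as BIND's `arpaname`, with a trailing dot)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def tcp_self_allows(src_addr, transport, update_name, rrtype, granted=GRANTED_TYPES):
    """Decide whether one dynamic-update request is acceptable under a
    tcp-self rule. Returns (allowed, reason).

    The trust comes from TCP: the server only acts on a source address that
    completed a three-way handshake, so a forged UDP source buys nothing.
    The client is then confined to exactly one owner name, the reverse name
    of that source address, and to the granted RR types.
    """
    if transport.lower() != "tcp":
        return False, "refused: tcp-self needs TCP, a UDP source address is spoofable"
    own = reverse_name(src_addr)
    if update_name.lower().rstrip(".") + "." != own:
        return False, f"refused: {src_addr} may only update {own}, not {update_name}"
    if rrtype.upper() not in granted:
        return False, f"refused: type {rrtype} is not granted (only {sorted(granted)})"
    return True, "allowed"


def audit(requests):
    """Evaluate a batch of (src, transport, name, type) requests; return [(src, allowed)]."""
    return [(src, tcp_self_allows(src, tr, name, rt)[0]) for src, tr, name, rt in requests]


# Constructed requests for the example (RFC 5737 / RFC 3849 documentation addresses).
REQUESTS = [
    # a host registering its own PTR over TCP: allowed
    ("192.0.2.7", "tcp", "7.2.0.192.in-addr.arpa.", "PTR"),
    # the same host trying to name a neighbour's address: refused
    ("192.0.2.7", "tcp", "8.2.0.192.in-addr.arpa.", "PTR"),
    # the correct name, but over UDP: refused
    ("192.0.2.7", "udp", "7.2.0.192.in-addr.arpa.", "PTR"),
    # an IPv6 host registering its own PTR: allowed
    ("2001:db8::1", "tcp", reverse_name("2001:db8::1"), "PTR"),
    # a type the policy does not grant: refused
    ("2001:db8::1", "tcp", reverse_name("2001:db8::1"), "TXT"),
]

if __name__ == "__main__":
    for src, tr, name, rt in REQUESTS:
        print(src, tr, name, rt, "->", tcp_self_allows(src, tr, name, rt)[1])
```

On the client side, `nsupdate -v` sends the update over TCP, which is what a host would use against a server carrying this policy; an update sent over UDP is simply refused, whatever name it asks for.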

Spain, Dr. Jeffry A.

Mar 5, 2012, 10:09:42 PM
to hugo hugoo, bind-...@lists.isc.org
> But if only some IP have e reverse..what about the other server who have received an IP in the range? Ip that can be changed every x hours.
> IF no reverse, it can be blacklisted for some reasons or having some problems with services asking a reverse dns resolution.

In my ip6.arpa zone, all of the entries are for servers whose IPv6 addresses never change. If you are going to register PTR records for clients with changeable IPv6 addresses, then you need a dynamic update mechanism. Mark Andrews made a recommendation earlier in this regard. I don't think there is any reason to have PTR records that have no corresponding AAAA records in the forward lookup zone. That would be computationally infeasible anyway. Jeff.

Matus UHLAR - fantomas

Mar 9, 2012, 2:58:47 AM
to bind-...@lists.isc.org
On 05.03.12 22:19, hugo hugoo wrote:
>But if only some IP have e reverse..what about the other server who
>have received an IP in the range? Ip that can be changed every x
>hours. IF no reverse, it can be blacklisted for some reasons or
>having some problems with services asking a reverse dns resolution.

Working with reverse DNS and blacklist records in IPv6 is something
very different from IPv4. Each end user will get more IPs than the whole
IPv4 internet has, and it's easy to

While you _can_ set up IPv6 reverse DNS records, you should not think
of them the same way as you did in IPv4.

SpamHaus has some recommendations related to IPv6 in order to avoid
overhauling DNS when abusive client changes IPs to abuse servers.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.

hugo hugoo

Mar 12, 2012, 5:12:44 PM
to spa...@countryday.net, bind-...@lists.isc.org
Hello,

Has anyone else experience with reverse IPv6 configuration with BIND?

Regards,

Hugo,


Jay Ford

Mar 12, 2012, 5:28:53 PM
to hugo hugoo, bind-...@lists.isc.org
On Mon, 12 Mar 2012, hugo hugoo wrote:
> Has anyone else experience with reverse IPV6 configuration with Bind?

We do static PTR records in the ip6.arpa zones like we do in the in-addr.arpa
zones, to create address->name mappings matching the name->address mappings
created by the AAAA & A records.

I fairly recently started fiddling with wildcard PTR records for DHCPv6
address pools, to at least return some answer for a query about the
addresses. Right now I have it configured so that a query for any address in
any of the pools returns the same name, but it could be changed to return
different names for different pools. This obviously doesn't create symmetric
name->address & address->name mapping, which might or might not be a problem.
I don't have enough real use of this to know whether this wildcard stuff is
helpful or not.

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-...@uiowa.edu, phone: 319-335-5555, fax: 319-335-2951

hugo hugoo

Mar 19, 2012, 1:14:17 PM
to jay-...@uiowa.edu, bind-...@lists.isc.org
Jay,

- Can you give me an example of such configuration?

Has anyone else some examples of IPv6 reverse configuration used in a production environment?

Thanks for sharing your experience...

Hugo,


Peter Andreev

Mar 19, 2012, 2:58:32 PM
to BIND Users Mailing List


2012/3/19 hugo hugoo <hug...@hotmail.com>
> Jay,
>
> - Can you give me an example of such configuration?
>
> Has anyone else some examples of IPv6 reverse configuration used in a production environment?
>
> Thanks for sharing your experience...
>
> Hugo,

We use IPv6 in a production environment. It was a real headache to fill reverse ip6.arpa zones by hand until I learned about the "arpaname" utility. Since then, maintaining reverse IPv6 zones is just a piece of cake.

 
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



--
AP

michoski

Mar 19, 2012, 5:44:46 PM
to Peter Andreev, BIND Users Mailing List
On 3/19/12 11:58 AM, "Peter Andreev" <andree...@gmail.com> wrote:
> We use IPv6 in production environment. It was a real headache to fill
> reverse ip6.arpa zones by hand until I have learned about "arpaname"
> utility. Since that maintaining reverse IPv6 zones is just a piece of cake.

Hmm... Yes, well I can see this as useful (though not much more than a few
lines of any programming language?) if you intend to maintain generic
placeholders...but not if you want RFC-compliant matching A/PTR. Granted,
you should not drop mail in such cases, but many do. I guess tools and best
practices take time to catch up to technological leaps. ;-)

Or do you actually create A's matching your generic PTR and heavily rely on
CNAMEs? Of course that simply won't do for some standard RR types.

As much as I dislike djb in general, the way tinydns auto-creates matching
PTR (and also provides a mechanism to disable as needed) for each A RR kinda
makes sense. Granted, it doesn't do IPv6 at all without 3rd-party
hacks...but they do at least exist.

--
All his life he has looked away... to the horizon, to the sky,
to the future. Never his mind on where he was, on what he was doing.
-- Yoda

Jay Ford

Mar 19, 2012, 6:16:04 PM
to BIND Users Mailing List
On Mon, 19 Mar 2012, hugo hugoo <hug...@hotmail.com> wrote:
> Jay,
>
> - Can you give me an example of such configuration?

Sure.

Say I use a DHCP pool of </64_prefix>:a123:b456::/96 within each /64 subnet.

For example:
subnet               DHCP pool
_________________    ___________________________
2001:db8:0:a::/64    2001:db8:0:a:a123:b456::/96
2001:db8:0:b::/64    2001:db8:0:b:a123:b456::/96
2001:db8:0:c::/64    2001:db8:0:c:a123:b456::/96

Then you put this in every /64 subnet zone:
;____________________________________________________________
*.6.5.4.b.3.2.1.a IN PTR dhcpv6.whatever.edu.
;____________________________________________________________

so that PTR queries for addresses like:
2001:db8:0:a:a123:b456::4
2001:db8:0:b:a123:b456:1:2
2001:db8:0:c:a123:b456:abc:def
all return "dhcpv6.whatever.edu".

To make that less tedious, I create a file called "dhcpv6.ptr.inc" like this:

;____________________________________________________________
; dhcpv6.ptr.inc
; include file defining wildcard PTR record for DHCPv6 pools
$TTL 86400
@ IN PTR dhcpv6.whatever.edu.
;____________________________________________________________

Each subnet zone file (e.g., zone a.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
for subnet 2001:db8:0:a::/64) pulls in that file via:

;____________________________________________________________
$INCLUDE dhcpv6.ptr.inc *.6.5.4.b.3.2.1.a
;____________________________________________________________

That way if I want to change the name in the PTR record I edit 1 file instead
of every zone file.
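
An added example (not Jay's configuration and not BIND code) that computes the wildcard owner label for a pool of any nibble-aligned length inside its reverse zone, generalising the /96-inside-/64 case above, and then answers PTR queries against a constructed copy of the 2001:db8:0:a::/64 zone the way an authoritative server applies wildcards (the RFC 4592 closest-encloser rule). It also shows the edge case worth knowing before mixing static PTRs into a wildcarded pool: an explicit PTR for one address creates empty non-terminal names above it, and every address whose reverse name shares one of those ancestors stops matching the wildcard and gets NXDOMAIN instead of the pool name. The printer.whatever.edu record is constructed for the demonstration.

```python
import ipaddress

DHCP_NAME = "dhcpv6.whatever.edu."  # the name used in the include file above


def nibbles(addr):
    """32 hex nibbles of an IPv6 address, least significant first (ip6.arpa order)."""
    return list(reversed(ipaddress.IPv6Address(addr).exploded.replace(":", "")))


def relative_name(addr, zone_prefixlen=64):
    """Owner name of addr's PTR relative to its /zone_prefixlen ip6.arpa zone."""
    return ".".join(nibbles(addr)[: 32 - zone_prefixlen // 4])


def wildcard_owner(pool, zone_prefixlen=64):
    """Wildcard owner covering `pool`, relative to the enclosing reverse zone.
    For 2001:db8:0:a:a123:b456::/96 in its /64 zone this is '*.6.5.4.b.3.2.1.a'."""
    net = ipaddress.IPv6Network(pool)
    if net.prefixlen % 4 or zone_prefixlen % 4 or net.prefixlen <= zone_prefixlen:
        raise ValueError("pool and zone must be nibble aligned and the pool inside the zone")
    n = nibbles(net.network_address)
    labels = n[32 - net.prefixlen // 4 : 32 - zone_prefixlen // 4]
    return "*." + ".".join(labels)


def lookup_ptr(zone, qname):
    """Answer a PTR query over a dict of relative owner names the way an
    authoritative server applies wildcards (RFC 4592): find the closest
    encloser, the longest existing ancestor of qname, and synthesise only
    from a '*' child of that exact name. Every explicit record makes all of
    its ancestors exist as empty non-terminals, so a static PTR inside a
    pool hides the wildcard from the addresses that share those ancestors.
    Returns the target name, or None for NXDOMAIN."""
    if qname in zone:
        return zone[qname]
    existing = set()
    for owner in zone:
        labels = owner.split(".")
        for i in range(len(labels)):
            existing.add(".".join(labels[i:]))
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in existing:
            return zone.get("*." + ancestor)
    return zone.get("*")  # closest encloser is the zone apex


# Constructed reverse zone for 2001:db8:0:a::/64: the wildcard from the post,
# and a copy with one static PTR an operator might add for a fixed host in the pool.
ZONE = {wildcard_owner("2001:db8:0:a:a123:b456::/96"): DHCP_NAME}
ZONE_WITH_STATIC = dict(ZONE)
ZONE_WITH_STATIC[relative_name("2001:db8:0:a:a123:b456::1")] = "printer.whatever.edu."


if __name__ == "__main__":
    for addr in ["2001:db8:0:a:a123:b456::4",
                 "2001:db8:0:a:a123:b456::1",
                 "2001:db8:0:a:a123:b456:1:2",
                 "2001:db8:0:a:a123:b456:1000:2"]:
        q = relative_name(addr)
        print(addr, "->", lookup_ptr(ZONE, q),
              "/ with the static PTR:", lookup_ptr(ZONE_WITH_STATIC, q))
```

With the static PTR for ...:a123:b456::1 in place, ...:a123:b456::2 and even ...:a123:b456:1:2 no longer resolve (their closest encloser is now an empty non-terminal created by the static name, which has no wildcard child), while ...:a123:b456:1000:2 still gets the pool name. Keeping fixed hosts out of the wildcarded /96, or giving them their own pool with its own wildcard, avoids the hole.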

Peter Andreev

Mar 20, 2012, 4:41:21 AM
to michoski, BIND Users Mailing List

Sorry for my stupidity, but I didn't catch your idea.

We have a finite amount of hardware. Due to geographic distribution, security issues, lots of different prefixes in use, etc., we don't use DHCP and assign addresses by hand. So we do with PTRs. Of course I would go crazy if I filled a full v6 reverse zone, so I write only those PTRs which are needed.
If we assign IP blocks to clients, usually we simply delegate the corresponding reverse zone to them.

--
AP