[Nanog] Re: IPv6 rDNS - how will it be done?

Mark Scholten mark at streamservice.nl
Wed Apr 28 07:31:25 UTC 2010



> -----Original Message-----
> From: David Conrad [mailto:drc at virtualized.org]
> Sent: Wednesday, April 28, 2010 3:01 AM
> To: Jason 'XenoPhage' Frisvold
> Cc: nanog at nanog.org
> Subject: Re: [Nanog] Re: IPv6 rDNS - how will it be done?
> 
> On Apr 27, 2010, at 5:47 PM, Jason 'XenoPhage' Frisvold wrote:
> > On Apr 27, 2010, at 8:42 PM, Mark Andrews wrote:
> >> Windows will just populate the reverse zone as needed, if you let
> >> it, using dynamic update.  If you have properly deployed BCP 39
> >> and have anti-spoofing ingress filtering then you can just let any
> >> address from the /48 add/remove PTR records.  Other OS's will
> >> follow suit.
> >
> > Is DDNS really considered to be the end-all answer for this?
> 
> Seems it is that or not bothering with reverse anymore.
> 
> > It seems we're putting an awful lot of trust in the user when doing
> > this..  I'd rather see some sort of macro expansion in bind/tinydns/etc
> > that would allow a range of addresses to be added.
> 
> Hmm. A macro expansion for a /48 would mean
> 1,208,925,819,614,629,174,706,176 leaves. An interesting stress test
> for name servers... :-).

With Lua scripting and PowerDNS you could create a reverse DNS/forward DNS
based on the input and match it (IP or hostname). This could be really
dynamic and by using some cache it should also be fast. Checking which IPv6
addresses are in use and providing them with rDNS is also an option of course
(but I think that will consume more power/bandwidth/etc. in the long term).
> 
> Slightly more seriously, there have been discussions in the past about
> doing dynamic synthesis of v6 reverses, but that gets icky
> (particularly if you invoke the dreaded "DNSSEC" curse) and I don't
> know any production server that actually does this now.  Dynamic DNS is
> probably the least offensive solution if you really want reverses for
> your v6 nodes.

As long as you don't use DNSSEC the option above is possible, but with
DNSSEC many options will fail I think. Completely dynamic based on the
request of a client isn't an option if you ask me (or do we want .local
addresses in the rDNS?).
> 
> Regards,
> -drc
> 





