IPv6 and DNS

Matthew Palmer mpalmer at hezmatt.org
Sun Jun 12 20:16:40 CDT 2011


On Mon, Jun 13, 2011 at 09:56:59AM +1000, Karl Auer wrote:
> On Mon, 2011-06-13 at 01:44 +1000, Matthew Palmer wrote:
> > And I *still* think it's a better idea for the client to be
> > registering itself in DNS; the host knows what domain(s) it should be
> > part of, and hence which names refer to itself and should be updated
> > with it's new address.
> 
> Having tried that, we ended up doing it via DHCP (v4 at the time).
> 
> We only had probably 15-20K hosts trying to register their names, but
> the results were sobering. At a rough estimate, one in a hundred was
> properly configured. We saw obscenities, random strings, thousand-byte
> names, empty names, invalid names, names with a hundred labels, "my name
> is Andrew" - you name it, it came and tried to register itself.

Why were you letting such ill-configured clients register themselves in your
DNS?

> And then there were the clients. Clients that tried as fast as they
> could to register their name dozens of times per second, clients that
> tried to register many names, clients that registered and then
> immediately deregistered their names, clients that never deregistered
> their names at all, clients that tried to register important names like
> "www.ourdomain", clients that had completely broken protocol support...

Ibid.

> So we moved the job to the DHCP server, and most of the problems went
> away. The server got the desired name from the client, could check it
> for some level of sanity and could register it properly. The server
> could also deregister the names when the clients went away, or at least
> at the end of the lease period. Most hosts *did* speak the DHCP protocol
> adequately well. Instead of having to allow open slather, we could allow
> just two hosts to make TSIG-protected updates. The logs became useful
> again.

But if I come to roadwarrior in your network, I'd have to allow updates from
your DHCP server, and your DHCP server would have to be sending those
updates.  Similarly, if your clients go roadwarrioring elsewhere, the same
(or, rather, inverse) configuration would have to be done there.

> So although YMMV, I can highly recommend letting your DHCP servers do
> DDNS instead of letting the clients do it themselves. No doubt it
> depends on a multitude of factors, not least being whether you actually
> use DHCP, but in general, it worked a LOT better for us.

If you've just got a single-location, never-goes-anywhere network and client
list, sure you can just get the DHCP server to do the registration.  But if
you've got that setup, DDNS isn't needed at all -- your set of hosts,
addresses, and names is fixed sufficiently that you can just statically
allocate everything.

- Matt





More information about the NANOG mailing list