A crazy idea

Mark Andrews marka at isc.org
Tue Jul 20 04:57:13 UTC 2021

It is theoretically possible to completely automate reverse DNS provisioning.
It just requires will to do it.  Enterprises have been doing automated reverse
DNS provisioning for decades now using DNS UPDATE requests from DHCP servers
using TSIG or GSS-TSIG.

This method does it as part of prefix delegation and provides support for
cryptographically secure updates by passing the public key as part of the
prefix delegation request.


You could also just allow DNS UPDATE requests over TCP/IPv6 to add/delete NS
and DS records at the /48 level of reverse tree matching the TCP source address.
BIND has supported this for over a decade now as it was developed to provide a
mechanism to populate the 6to4 reverse zone (  It didn’t get
taken up as Geoff Huston decide to go the HTTP route.  I would have the DHCPv6
server delete the records when the prefix delegation expires.


zone 8.B.D. {
	update-policy {
              // limit to 10 NS records and 5 DS records.
              grant * 6to4-self . NS(10) DS(5);
              grant DHCP-SERVER subdomain *;

In both cases the customer populates the delegation and adds DS records as

This is just bolting together existing technologies.

This will not take off unless ISPs buy into the mechanisms.


> On 20 Jul 2021, at 03:01, Bryan Fields <Bryan at bryanfields.net> wrote:
> On 7/19/21 8:09 AM, Stephen Satchell wrote:
>> First, I know this isn't the right place to propose this; need a pointer 
>> to where to propose an outlandish idea.
>> What would the domain names look like?  Let's take my current IP/IPv6 
>> assignments from AT&T:
>>   2600:1700:79b0:ddc0::/64
>> The IPv6 delegation would be easy:
>>> 0.c.d.d.0.b. NS my-DNS-server-1.
>>> 0.c.d.d.0.b. NS my-DNS-server-2.
> Yup, simple, I do this for my customers (and DS records).
> However that reverse zone has DNSSEC on it.  You'd need a DS record to tie
> my-DNS-server-1. to the ATT DNS server and your server would need to support
> DNSSEC.  ATT may want to enforce DNSSEC on that zone, but not want to sign
> stuff they can't control.
> Just playing devils advocate.
> -- 
> Bryan Fields
> 727-409-1194 - Voice
> http://bryanfields.net

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the NANOG mailing list