[ale] Running an IPv6 network: DNS

Michael B. Trausch mike at trausch.us
Fri Jan 21 11:25:28 EST 2011


One thing that I did not think to ask about last night:  DNS on IPv6
networks.  I expect that this is a topic that by itself could be a
presentation, because there are many, many issues involved with it.

For starters:  What is the preferred dæmon for use with IPv6?  I know
that my personal favorite (djbdns) does not support anything having to
do with IPv6 unless you fetch some patches from the Internet, and those
patches are less than stellar in terms of their usability and
robustness, so really the solution for djbdns is to either continue
patching it up, or scrap it entirely.  Because I have less than no time
on my hands, that's not really an option for me.  I know that ISC BIND
supports IPv6 (both records and connections), but it has such an awful
past when it comes to security that I am hesitant to allow it on my
network.  However, it supports other features that are useful (DNSSEC,
various forms of dynamic updates, and so forth), so... should I start
using that again?

There are a few other issues that I can think of:

 * For an IPv4 network, it is conventional (and expected) to provide
   reverse lookups for all addresses.  But in order to do this in an
   IPv6 network would be impractical: the definitions for a single /64
   alone would require 1,180,591,620,717,411,303,424 bits
   (147,573,952,589,676,412,928 _bytes_, or exactly 128 EiB) of storage
   (and that's before even considering the storage for the names).  So,
   it seems that reverse lookups would have to be provided only for
   known systems, and for the rest, the DNS server should be able to
   apply a template of some sort.  Does BIND (or any other freely
   available DNS software, for that matter) support this ability?

 * Likewise, generic names are expected for addresses that aren't used
   for static things.  So some sort of template-driven, fallback name
   should be available for hosts that aren't explicitly defined in the
   zone, just like with reverse lookups.

 * How in the world would such a thing be replicated to slave DNS
   servers?  I do not believe that there is any sort of method to
   replicate anything but actual records in zone transfers and the like.

Another, related issue that has to do with something that was brought up
last night: sequential numbering of IP addresses within an IPv6 network.
I can understand precisely why sequential number is a bad thing from a
network scanning perspective, but one of the major reasons to number
sequentially (other than operating in the mindset of conservation and
lack of significant address space available) is the ability for a human
user to quickly remember addresses and conveniently manage them.  Should
one just keep a list of MAC addresses and rely on stateless
autoconfiguration for servers other than the network edge router?  I
suppose that would be one way of ensuring that the addresses for systems
and the services running on them are well-known in the event of a
complete failure of DNS...

	--- Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20110121/d37dcf3a/attachment.bin 


More information about the Ale mailing list