Re: reverse dns for IPV6 ranges
2012/3/20 michoski:
> On 3/19/12 11:58 AM, "Peter Andreev" wrote:
> > 2012/3/19 hugo hugoo:
> >> Jay,
> >>
> >> - Can you give me an example of such configuration?
> >>
> >> Has anyone else some examples of IPV6 reverse configuration used in
> >> production environment?
> >>
> >> Thanks for sharing your experience...
> >
> > We use IPv6 in production environment. It was a real headache to fill
> > reverse ip6.arpa zones by hand until I learned about the "arpaname"
> > utility. Since then maintaining reverse IPv6 zones is just a piece of cake.
>
> Hmm... Yes, well I can see this as useful (though not much more than a few
> lines of any programming language?) if you intend to maintain generic
> placeholders...but not if you want RFC-compliant matching A/PTR. Granted,
> you should not drop mail in such cases, but many do. I guess tools and best
> practices take time to catch up to technological leaps. ;-)
>
> Or do you actually create A's matching your generic PTR and heavily rely on
> CNAMEs? Of course that simply won't do for some standard RR types.
>
> As much as I dislike djb in general, the way tinydns auto-creates matching
> PTR (and also provides a mechanism to disable as needed) for each A RR kinda
> makes sense. Granted, it doesn't do IPv6 at all without 3rd-party
> hacks...but they do at least exist.
>
> --
> All his life he has looked away... to the horizon, to the sky,
> to the future. Never his mind on where he was, on what he was doing.
> -- Yoda

Sorry for my stupidity, but I didn't catch your idea. We have a finite amount of hardware. Due to geographic distribution, security issues, lots of different prefixes in use, etc., we don't use DHCP and assign addresses by hand. So we do with PTRs. Of course I would go crazy if I filled a full v6 reverse zone, so I write only those PTRs which are needed. If we assign IP blocks to clients, usually we simply delegate them the corresponding reverse zone.

--
AP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: reverse dns for IPV6 ranges
On Mon, 19 Mar 2012, hugo hugoo wrote:
> Jay,
> - Can you give me an example of such configuration?

Sure. Say I use a DHCP pool of :a123:b456::/96 within each /64 subnet. For example:

   subnet                DHCP pool
   ___________________   ___________________________
   2001:db8:0:a::/64     2001:db8:0:a:a123:b456::/96
   2001:db8:0:b::/64     2001:db8:0:b:a123:b456::/96
   2001:db8:0:c::/64     2001:db8:0:c:a123:b456::/96

Then you put this in every /64 subnet zone:

   ;
   *.6.5.4.b.3.2.1.a   IN   PTR   dhcpv6.whatever.edu.
   ;

so that PTR queries for addresses like:

   2001:db8:0:a:a123:b456::4
   2001:db8:0:b:a123:b456:1:2
   2001:db8:0:c:a123:b456:abc:def

all return "dhcpv6.whatever.edu".

To make that less tedious, I create a file called "dhcpv6.ptr.inc" like this:

   ;
   ; dhcpv6.ptr.inc
   ; include file defining wildcard PTR record for DHCPv6 pools
   $TTL 86400
   @   IN   PTR   dhcpv6.whatever.edu.
   ;

Each subnet zone file (e.g., zone a.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa for subnet 2001:db8:0:a::/64) pulls in that file via:

   ;
   $INCLUDE dhcpv6.ptr.inc *.6.5.4.b.3.2.1.a
   ;

That way if I want to change the name in the PTR record I edit 1 file instead of every zone file.

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
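The nibble arithmetic behind Jay's wildcard scheme (and behind Jeff's zone name for 2001:4870:20ca::/48 later in the thread) is easy to get wrong by hand, so here is an added example, not code from the thread or from BIND, that derives the zone name, the wildcard owner and the $INCLUDE line from the prefixes, and checks which addresses a given wildcard would answer for. It uses only the Python standard library; the dhcpv6.ptr.inc file name is Jay's, everything else is assumed.

```python
"""Added example (not part of the thread, not a BIND tool): derive the
ip6.arpa names behind the wildcard-PTR scheme using only the standard
library, and check which addresses a given wildcard would answer for."""
import ipaddress


def reverse_nibbles(prefix: str) -> str:
    """ip6.arpa zone name for a prefix on a nibble (4-bit) boundary,
    e.g. 2001:db8:0:a::/64 -> a.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 bits")
    hexdigits = net.network_address.exploded.replace(":", "")
    return ".".join(reversed(hexdigits[: net.prefixlen // 4])) + ".ip6.arpa"


def wildcard_owner(zone_prefix: str, pool_prefix: str) -> str:
    """Relative owner of the wildcard PTR that covers `pool_prefix` inside
    the zone for `zone_prefix`, e.g. '*.6.5.4.b.3.2.1.a' for the pool
    2001:db8:0:a:a123:b456::/96 in the 2001:db8:0:a::/64 zone."""
    zone = ipaddress.IPv6Network(zone_prefix, strict=True)
    pool = ipaddress.IPv6Network(pool_prefix, strict=True)
    if not pool.subnet_of(zone) or zone.prefixlen % 4 or pool.prefixlen % 4:
        raise ValueError("pool must lie inside the zone, both on nibble boundaries")
    hexdigits = pool.network_address.exploded.replace(":", "")
    extra = hexdigits[zone.prefixlen // 4 : pool.prefixlen // 4]
    return "*." + ".".join(reversed(extra))


def include_line(zone_prefix: str, pool_prefix: str) -> str:
    """The $INCLUDE directive for a /64 zone file; the second argument
    becomes the origin that '@' inside dhcpv6.ptr.inc expands to."""
    return f"$INCLUDE dhcpv6.ptr.inc {wildcard_owner(zone_prefix, pool_prefix)}"


def wildcard_covers(zone_prefix: str, pool_prefix: str, address: str) -> bool:
    """True if a PTR query for `address` falls under the wildcard.  A DNS
    wildcard only synthesizes answers for names that do not otherwise exist,
    so a static PTR placed inside the pool would take precedence; that
    shadowing is not modelled here."""
    query_name = ipaddress.IPv6Address(address).reverse_pointer
    suffix = wildcard_owner(zone_prefix, pool_prefix)[1:]  # drop the '*'
    return query_name.endswith(suffix + "." + reverse_nibbles(zone_prefix))
```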
Re: reverse dns for IPV6 ranges
On 3/19/12 11:58 AM, "Peter Andreev" wrote:
> 2012/3/19 hugo hugoo:
>> Jay,
>>
>> - Can you give me an example of such configuration?
>>
>> Has anyone else some examples of IPV6 reverse configuration used in
>> production environment?
>>
>> Thanks for sharing your experience...
>
> We use IPv6 in production environment. It was a real headache to fill
> reverse ip6.arpa zones by hand until I learned about the "arpaname"
> utility. Since then maintaining reverse IPv6 zones is just a piece of cake.

Hmm... Yes, well I can see this as useful (though not much more than a few lines of any programming language?) if you intend to maintain generic placeholders...but not if you want RFC-compliant matching A/PTR. Granted, you should not drop mail in such cases, but many do. I guess tools and best practices take time to catch up to technological leaps. ;-)

Or do you actually create A's matching your generic PTR and heavily rely on CNAMEs? Of course that simply won't do for some standard RR types.

As much as I dislike djb in general, the way tinydns auto-creates matching PTR (and also provides a mechanism to disable as needed) for each A RR kinda makes sense. Granted, it doesn't do IPv6 at all without 3rd-party hacks...but they do at least exist.

--
All his life he has looked away... to the horizon, to the sky,
to the future. Never his mind on where he was, on what he was doing.
-- Yoda
Re: reverse dns for IPV6 ranges
2012/3/19 hugo hugoo:
> Jay,
>
> - Can you give me an example of such configuration?
>
> Has anyone else some examples of IPV6 reverse configuration used in
> production environment?
>
> Thanks for sharing your experience...
>
> Hugo,

We use IPv6 in production environment. It was a real headache to fill reverse ip6.arpa zones by hand until I learned about the "arpaname" utility. Since then maintaining reverse IPv6 zones is just a piece of cake.

> > Date: Mon, 12 Mar 2012 16:28:53 -0500
> > From: jay-f...@uiowa.edu
> > To: hugo...@hotmail.com
> > CC: bind-users@lists.isc.org
> > Subject: RE: reverse dns for IPV6 ranges
> >
> > On Mon, 12 Mar 2012, hugo hugoo wrote:
> > > Has anyone else experience with reverse IPV6 configuration with Bind?
> >
> > We do static PTR records in the ip6.arpa zones like we do in the in-addr.arpa
> > zones, to create address->name mappings matching the name->address mappings
> > created by the AAAA & A records.
> >
> > I fairly recently started fiddling with wildcard PTR records for DHCPv6
> > address pools, to at least return some answer for a query about the
> > addresses. Right now I have it configured so that a query for any address in
> > any of the pools returns the same name, but it could be changed to return
> > different names for different pools. This obviously doesn't create symmetric
> > name->address & address->name mapping, which might or might not be a problem.
> > I don't have enough real use of this to know whether this wildcard stuff is
> > helpful or not.
> >
> > Jay Ford, Network Engineering Group, Information Technology Services
> > University of Iowa, Iowa City, IA 52242
> > email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951

--
AP
RE: reverse dns for IPV6 ranges
Jay,

- Can you give me an example of such configuration?

Has anyone else some examples of IPV6 reverse configuration used in production environment?

Thanks for sharing your experience...

Hugo,

> Date: Mon, 12 Mar 2012 16:28:53 -0500
> From: jay-f...@uiowa.edu
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: RE: reverse dns for IPV6 ranges
>
> On Mon, 12 Mar 2012, hugo hugoo wrote:
> > Has anyone else experience with reverse IPV6 configuration with Bind?
>
> We do static PTR records in the ip6.arpa zones like we do in the in-addr.arpa
> zones, to create address->name mappings matching the name->address mappings
> created by the AAAA & A records.
>
> I fairly recently started fiddling with wildcard PTR records for DHCPv6
> address pools, to at least return some answer for a query about the
> addresses. Right now I have it configured so that a query for any address in
> any of the pools returns the same name, but it could be changed to return
> different names for different pools. This obviously doesn't create symmetric
> name->address & address->name mapping, which might or might not be a problem.
> I don't have enough real use of this to know whether this wildcard stuff is
> helpful or not.
>
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
RE: reverse dns for IPV6 ranges
On Mon, 12 Mar 2012, hugo hugoo wrote:
> Has anyone else experience with reverse IPV6 configuration with Bind?

We do static PTR records in the ip6.arpa zones like we do in the in-addr.arpa zones, to create address->name mappings matching the name->address mappings created by the AAAA & A records.

I fairly recently started fiddling with wildcard PTR records for DHCPv6 address pools, to at least return some answer for a query about the addresses. Right now I have it configured so that a query for any address in any of the pools returns the same name, but it could be changed to return different names for different pools. This obviously doesn't create symmetric name->address & address->name mapping, which might or might not be a problem. I don't have enough real use of this to know whether this wildcard stuff is helpful or not.

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
RE: reverse dns for IPV6 ranges
Hello,

Has anyone else experience with reverse IPV6 configuration with Bind?

Regards,
Hugo,

> From: spa...@countryday.net
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: RE: reverse dns for IPV6 ranges
> Date: Tue, 6 Mar 2012 03:09:42 +
>
> > But if only some IPs have a reverse..what about the other servers who have
> > received an IP in the range? IPs that can be changed every x hours.
> > IF no reverse, it can be blacklisted for some reasons or having some
> > problems with services asking a reverse dns resolution.
>
> In my ip6.arpa zone, all of the entries are for servers whose IPv6 addresses
> never change. If you are going to register PTR records for clients with
> changeable IPv6 addresses, then you need a dynamic update mechanism. Mark
> Andrews made a recommendation earlier in this regard. I don't think there is
> any reason to have PTR records that have no corresponding records in the
> forward lookup zone. That would be computationally infeasible anyway.
>
> Jeff.
Re: reverse dns for IPV6 ranges
On 05.03.12 22:19, hugo hugoo wrote:
> But if only some IPs have a reverse..what about the other servers who have
> received an IP in the range? IPs that can be changed every x hours.
> IF no reverse, it can be blacklisted for some reasons or having some
> problems with services asking a reverse dns resolution.

Working with reverse DNS and blacklist records in IPv6 is something very different from IPv4. Each end user will get more IPs than the whole IPv4 internet has, and it's easy to while you _can_ set up IPv6 reverse DNS records, you should not think of them the same way as you did in IPv4.

SpamHaus has some recommendations related to IPv6 in order to avoid overhauling DNS when an abusive client changes IPs to abuse servers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
REALITY.SYS corrupted. Press any key to reboot Universe.
RE: reverse dns for IPV6 ranges
> But if only some IPs have a reverse..what about the other servers who have
> received an IP in the range? IPs that can be changed every x hours.
> IF no reverse, it can be blacklisted for some reasons or having some problems
> with services asking a reverse dns resolution.

In my ip6.arpa zone, all of the entries are for servers whose IPv6 addresses never change. If you are going to register PTR records for clients with changeable IPv6 addresses, then you need a dynamic update mechanism. Mark Andrews made a recommendation earlier in this regard. I don't think there is any reason to have PTR records that have no corresponding records in the forward lookup zone. That would be computationally infeasible anyway.

Jeff.
Re: reverse dns for IPV6 ranges
In message <1330991057.3861.10.camel@tardis>, Noel Butler writes:
> > In message , hugo hugoo writes:
> > >
> > > Dear all,
> > >
> > > Can anyone help me with its experience on reverse dns for IPV6?
> > > Presently, when we reverse an IPV4 subnet for clients, we configure all
> > > the reverse for the whole subnet.
> > > It is a lot of PTR's but perfectly manageable.
> > >
> > > With IPV6, the number of IP's that we will receive is amazing
> > > So...it seems impossible for every single IPV6 in the range to configure
> > > a PTR.
> > >
> > > So...what to do?
> > > What is the common practice?
> > > What is possible with BIND?
> > >
> > > Thanks in advance for your answer.
> >
> > Let the machines register their own PTR record using TCP as the authenticator.
> >
> > update-policy {
> >         grant * tcp-self . PTR;
> > };
>
> That's dangerous 14m1337.u.suck.hax0r.org -yeah, it would be
> highly abused and why most ISPs don't do/allow it :)

And it is a baseless fear as it can be tracked back to the customer involved, or does the ISP permit customers to spoof each other or permit the public to spoof its customers? This isn't wide open UPDATE. It's 1.2.3.4 can update 4.3.2.1.IN-ADDR.ARPA/PTR and only 4.3.2.1.IN-ADDR.ARPA/PTR if the update request comes over TCP.

> But for a small company that has trustworthy staff, maybe, but then mail
> servers will start rejecting some of them trying to send directly
> because there's likely no matching A record.

The machine adds its own A / AAAA records using TSIG. These can then be updated as it moves around the world.

> > Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
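To make the scope Mark describes concrete, here is an added example that is not from the thread and not BIND's own code: a small model of what a tcp-self PTR rule permits, run over constructed update requests. The behaviour is assumed from his description (the only name a client can touch is the reverse name of its own TCP source address, PTR only), not from named's implementation, and the addresses are documentation ranges.

```python
"""Added example, not from the thread and not BIND's own code: a model of the
scope described for `grant * tcp-self . PTR;`, so the "anyone can write a
hostile PTR" worry can be tested against concrete requests.  Behaviour is
assumed from the description in the thread, not from reading named."""
import ipaddress
from dataclasses import dataclass


@dataclass
class UpdateRequest:
    client_ip: str   # source address of the UPDATE message
    over_tcp: bool   # tcp-self trusts only TCP: the source survived a handshake
    owner: str       # name whose RRset the update wants to change
    rrtype: str      # record type being added or deleted


def canonical(name: str) -> str:
    """DNS names compare case-insensitively; drop the trailing dot as well."""
    return name.rstrip(".").lower()


def tcp_self_permits(req: UpdateRequest, allowed_types=("PTR",)) -> bool:
    """Modelled rule: the client may only touch the in-addr.arpa / ip6.arpa
    name of its own source address, only over TCP, and only for the listed
    types.  Nothing else in the zone is reachable through this rule."""
    if not req.over_tcp or req.rrtype.upper() not in allowed_types:
        return False
    own_name = ipaddress.ip_address(req.client_ip).reverse_pointer
    return canonical(req.owner) == canonical(own_name)


# Constructed sample requests (not captured traffic); 192.0.2.0/24 and
# 2001:db8::/32 are documentation ranges.
V6_SELF = ipaddress.ip_address("2001:db8::1").reverse_pointer
SAMPLE = [
    UpdateRequest("192.0.2.10", True, "10.2.0.192.in-addr.arpa.", "PTR"),   # own PTR
    UpdateRequest("192.0.2.10", True, "11.2.0.192.in-addr.arpa.", "PTR"),   # neighbour's PTR
    UpdateRequest("192.0.2.10", False, "10.2.0.192.in-addr.arpa.", "PTR"),  # UDP: not trusted
    UpdateRequest("2001:db8::1", True, V6_SELF.upper() + ".", "PTR"),       # case/dot differ
    UpdateRequest("2001:db8::1", True, V6_SELF, "TXT"),                     # wrong type
]


def decisions(requests=SAMPLE):
    """Decision per request; the sample yields [True, False, False, True, False]."""
    return [tcp_self_permits(r) for r in requests]


if __name__ == "__main__":
    for req, ok in zip(SAMPLE, decisions()):
        print("ALLOW" if ok else "DENY ", req.client_ip, req.owner, req.rrtype)
```

The model shows why the rule is narrow: a client that can only write the PTR for its own address can at worst put an odd name on itself, which the ISP can still trace back to that customer.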
Re: reverse dns for IPV6 ranges
On Tue, 2012-03-06 at 08:23 +1100, Mark Andrews wrote:
> In message , hugo hugoo writes:
> >
> > Dear all,
> >
> > Can anyone help me with its experience on reverse dns for IPV6?
> > Presently, when we reverse an IPV4 subnet for clients, we configure all
> > the reverse for the whole subnet.
> > It is a lot of PTR's but perfectly manageable.
> >
> > With IPV6, the number of IP's that we will receive is amazing
> > So...it seems impossible for every single IPV6 in the range to configure a PTR.
> >
> > So...what to do?
> > What is the common practice?
> > What is possible with BIND?
> >
> > Thanks in advance for your answer.
>
> Let the machines register their own PTR record using TCP as the authenticator.
>
> update-policy {
>         grant * tcp-self . PTR;
> };

That's dangerous 14m1337.u.suck.hax0r.org -yeah, it would be highly abused and why most ISPs don't do/allow it :)

But for a small company that has trustworthy staff, maybe, but then mail servers will start rejecting some of them trying to send directly because there's likely no matching A record.

> Mark
RE: reverse dns for IPV6 ranges
Thanks for your comment.

But if only some IPs have a reverse..what about the other servers who have received an IP in the range? IPs that can be changed every x hours.
IF no reverse, it can be blacklisted for some reasons or having some problems with services asking a reverse dns resolution.

> From: spa...@countryday.net
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: RE: reverse dns for IPV6 ranges
> Date: Mon, 5 Mar 2012 21:15:53 +
>
> > Can anyone help me with its experience on reverse dns for IPV6?
> > Presently, when we reverse an IPV4 subnet for clients, we configure all the
> > reverse for the whole subnet.
> > It is a lot of PTR's but perfectly manageable.
> > With IPV6, the number of IP's that we will receive is amazing
> > So...it seems impossible for every single IPV6 in the range to configure a
> > PTR.
> > So...what to do?
> > What is the common practice?
> > What is possible with BIND?
>
> For our IPv6 address space 2001:4870:20ca::/48, I created a reverse lookup
> zone a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa and arranged for delegation from our
> ISP. I included PTR records only for those hosts accessible from the
> outside. Internal DNS is Windows Active Directory integrated. Here's a sample
> from the zone file, which contains about 25 PTR records in all:
>
> $ORIGIN .
> $TTL 3600       ; 1 hour
> a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa IN SOA ns1.countryday.net. hostmaster.countryday.net. (
>                                 2012030101 ; serial
>                                 86400      ; refresh (1 day)
>                                 3600       ; retry (1 hour)
>                                 1209600    ; expire (2 weeks)
>                                 3600       ; minimum (1 hour)
>                                 )
>                         NS      ns1.countryday.net.
>                         NS      ns2.countryday.net.
> $ORIGIN 9.0.0.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
> a.5.6.9.f.9.e.4.3.4.3.e.f.a.0.8 PTR     ns2.countryday.net.
> $ORIGIN 8.5.1.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
> 2.9.1.f.1.d.2.1.b.f.7.5.7.f.8.0 PTR     ns1.countryday.net.
>
> I would also be interested in hearing about the practices of others. Jeff.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School
Re: reverse dns for IPV6 ranges
In message , hugo hugoo writes:
>
> Dear all,
>
> Can anyone help me with its experience on reverse dns for IPV6?
> Presently, when we reverse an IPV4 subnet for clients, we configure all
> the reverse for the whole subnet.
> It is a lot of PTR's but perfectly manageable.
>
> With IPV6, the number of IP's that we will receive is amazing
> So...it seems impossible for every single IPV6 in the range to configure a PTR.
>
> So...what to do?
> What is the common practice?
> What is possible with BIND?
>
> Thanks in advance for your answer.

Let the machines register their own PTR record using TCP as the authenticator.

update-policy {
        grant * tcp-self . PTR;
};

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
RE: reverse dns for IPV6 ranges
> Can anyone help me with its experience on reverse dns for IPV6?
> Presently, when we reverse an IPV4 subnet for clients, we configure all the
> reverse for the whole subnet.
> It is a lot of PTR's but perfectly manageable.
> With IPV6, the number of IP's that we will receive is amazing
> So...it seems impossible for every single IPV6 in the range to configure a PTR.
> So...what to do?
> What is the common practice?
> What is possible with BIND?

For our IPv6 address space 2001:4870:20ca::/48, I created a reverse lookup zone a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa and arranged for delegation from our ISP. I included PTR records only for those hosts accessible from the outside. Internal DNS is Windows Active Directory integrated. Here's a sample from the zone file, which contains about 25 PTR records in all:

$ORIGIN .
$TTL 3600       ; 1 hour
a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa IN SOA ns1.countryday.net. hostmaster.countryday.net. (
                                2012030101 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                1209600    ; expire (2 weeks)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.countryday.net.
                        NS      ns2.countryday.net.
$ORIGIN 9.0.0.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
a.5.6.9.f.9.e.4.3.4.3.e.f.a.0.8 PTR     ns2.countryday.net.
$ORIGIN 8.5.1.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
2.9.1.f.1.d.2.1.b.f.7.5.7.f.8.0 PTR     ns1.countryday.net.

I would also be interested in hearing about the practices of others. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School