Re: reverse dns for IPV6 ranges

2012-03-20 Thread Peter Andreev
2012/3/20 michoski 

> On 3/19/12 11:58 AM, "Peter Andreev"  wrote:
> > 2012/3/19 hugo hugoo 
> >>  Jay,
> >>
> >> - Can you give me an example of such configuration?
> >>
> >> As anyone else some examples of IPV6 reverse configuration used in
> >> production environment?
> >>
> >> Thanks for sharing your experience...
> >
> > We use IPv6 in production environment. It was a real headache to fill
> > reverse ip6.arpa zones by hand until I have learned about "arpaname"
> > utility. Since that maintaining reverse IPv6 zones is just a piece of
> > cake.
>
> Hmm...  Yes, well I can see this as useful (though not much more than a few
> lines of any programming language?) if you intend to maintain generic
> placeholders...but not if you want RFC-compliant matching A/PTR.  Granted,
> you should not drop mail in such cases, but many do.  I guess tools and
> best practices take time to catch up to technological leaps.  ;-)
>
> Or do you actually create A's matching your generic PTR and heavily rely on
> CNAMEs?  Of course that simply won't do for some standard RR types.
>
> As much as I dislike djb in general, the way tinydns auto-creates matching
> PTR (and also provides a mechanism to disable as needed) for each A RR
> kinda makes sense.  Granted, it doesn't do IPv6 at all without 3rd-party
> hacks...but they do at least exist.
>
> --
> All his life he has looked away... to the horizon, to the sky,
> to the future.  Never his mind on where he was, on what he was doing.
>-- Yoda
>
>
Sorry for my stupidity, but I didn't catch your idea.

We have finite number of hardware. Due to geographic distribution, security
issues, lots of different prefixes in use, etc we don't use DHCP and assign
addresses by hand. So we do with PTRs. Of course I would go crazy if I fill
full v6 reverse zone, so I write only those PTRs which are needed.
If we assign IP blocks to clients, usually we simply delegate them
corresponding reverse zone.

-- 
AP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: reverse dns for IPV6 ranges

2012-03-19 Thread Jay Ford

On Mon, 19 Mar 2012, hugo hugoo  wrote:

 Jay,

- Can you give me an example of such configuration?


Sure.

Say I use a DHCP pool of :a123:b456::/96 within each /64 subnet.

For example:
   subnet             DHCP pool
   _________________  ___________________________
   2001:db8:0:a::/64  2001:db8:0:a:a123:b456::/96
   2001:db8:0:b::/64  2001:db8:0:b:a123:b456::/96
   2001:db8:0:c::/64  2001:db8:0:c:a123:b456::/96

Then you put this in every /64 subnet zone:
;
*.6.5.4.b.3.2.1.a   IN  PTR dhcpv6.whatever.edu.
;

so that PTR queries for addresses like:
   2001:db8:0:a:a123:b456::4
   2001:db8:0:b:a123:b456:1:2
   2001:db8:0:c:a123:b456:abc:def
all return "dhcpv6.whatever.edu".

To make that less tedious, I create a file called "dhcpv6.ptr.inc" like this:

;
; dhcpv6.ptr.inc
; include file defining wildcard PTR record for DHCPv6 pools
$TTL 86400
@   IN  PTR dhcpv6.whatever.edu.
;

Each subnet zone file (e.g., zone a.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
for subnet 2001:db8:0:a::/64) pulls in that file via:

;
$INCLUDE dhcpv6.ptr.inc *.6.5.4.b.3.2.1.a
;

That way if I want to change the name in the PTR record I edit 1 file instead
of every zone file.


Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
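
Added example, not part of Jay Ford's message: a Python sketch that derives the zone name and the wildcard owner for the subnet and pool shown above, then answers PTR queries with RFC 4592 wildcard rules. It goes one step beyond the message by adding a constructed static PTR (static.whatever.edu.) inside the pool, which creates empty non-terminals and stops the wildcard from answering for neighbouring addresses; all function names are made up for illustration.

```python
import ipaddress

def zone_for(prefix):
    """ip6.arpa zone name for a nibble-aligned IPv6 prefix."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix is not nibble-aligned")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def wildcard_owner(subnet, pool):
    """Owner of the wildcard PTR for `pool`, relative to the zone of `subnet`."""
    sub, pl = ipaddress.ip_network(subnet), ipaddress.ip_network(pool)
    if not pl.subnet_of(sub) or sub.prefixlen % 4 or pl.prefixlen % 4:
        raise ValueError("pool must be a nibble-aligned part of the subnet")
    nibbles = pl.network_address.exploded.replace(":", "")
    fixed = nibbles[sub.prefixlen // 4 : pl.prefixlen // 4]
    return ".".join(["*"] + list(reversed(fixed)))

def relative_name(address, zone):
    """Reverse name of `address` relative to `zone`, or None if outside it."""
    full = ipaddress.ip_address(address).reverse_pointer
    return full[: -len(zone) - 1] if full.endswith("." + zone) else None

def lookup(records, qname):
    """PTR target for relative name `qname`, or None, using RFC 4592 rules.
    `records` maps relative owner names to PTR targets."""
    existing = set()  # owners plus the empty non-terminals above them
    for owner in records:
        parts = owner.split(".")
        existing.update(".".join(parts[i:]) for i in range(len(parts)))
    if qname in existing:  # exact match, or an empty non-terminal (no data)
        return records.get(qname)
    labels = qname.split(".")
    for i in range(1, len(labels)):  # longest existing suffix = closest encloser
        encloser = ".".join(labels[i:])
        if encloser in existing:
            return records.get("*." + encloser)
    return records.get("*")  # closest encloser is the zone apex

def resolve(records, zone, address):
    """PTR answer for `address` from the records of `zone`."""
    name = relative_name(address, zone)
    return None if name is None else lookup(records, name)

SUBNET, POOL = "2001:db8:0:a::/64", "2001:db8:0:a:a123:b456::/96"
ZONE = zone_for(SUBNET)
WILDCARD_ONLY = {wildcard_owner(SUBNET, POOL): "dhcpv6.whatever.edu."}
# Constructed: the same zone with one static PTR added inside the pool.
WITH_STATIC = dict(WILDCARD_ONLY)
WITH_STATIC[relative_name("2001:db8:0:a:a123:b456::4", ZONE)] = "static.whatever.edu."

if __name__ == "__main__":
    print(ZONE, wildcard_owner(SUBNET, POOL))
    for addr in ("2001:db8:0:a:a123:b456::4", "2001:db8:0:a:a123:b456::5",
                 "2001:db8:0:a:a123:b456:1abc:def", "2001:db8:0:a::1"):
        print(addr, resolve(WILDCARD_ONLY, ZONE, addr),
              resolve(WITH_STATIC, ZONE, addr))
```

With the static record present, ::5 and every other pool address sharing a nibble path with ::4 gets no answer, so mixing static PTRs into a wildcard pool needs testing before it goes live.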


Re: reverse dns for IPV6 ranges

2012-03-19 Thread michoski
On 3/19/12 11:58 AM, "Peter Andreev"  wrote:
> 2012/3/19 hugo hugoo 
>>  Jay,
>> 
>> - Can you give me an example of such configuration?
>> 
>> As anyone else some examples of IPV6 reverse configuration used in
>> production environment?
>> 
>> Thanks for sharing your experience...
> 
> We use IPv6 in production environment. It was a real headache to fill
> reverse ip6.arpa zones by hand until I have learned about "arpaname"
> utility. Since that maintaining reverse IPv6 zones is just a piece of cake.

Hmm...  Yes, well I can see this as useful (though not much more than a few
lines of any programming language?) if you intend to maintain generic
placeholders...but not if you want RFC-compliant matching A/PTR.  Granted,
you should not drop mail in such cases, but many do.  I guess tools and best
practices take time to catch up to technological leaps.  ;-)

Or do you actually create A's matching your generic PTR and heavily rely on
CNAMEs?  Of course that simply won't do for some standard RR types.

As much as I dislike djb in general, the way tinydns auto-creates matching
PTR (and also provides a mechanism to disable as needed) for each A RR kinda
makes sense.  Granted, it doesn't do IPv6 at all without 3rd-party
hacks...but they do at least exist.

-- 
All his life he has looked away... to the horizon, to the sky,
to the future.  Never his mind on where he was, on what he was doing.
-- Yoda



Re: reverse dns for IPV6 ranges

2012-03-19 Thread Peter Andreev
2012/3/19 hugo hugoo 

>  Jay,
>
> - Can you give me an example of such configuration?
>
>
>
> As anyone else some examples of IPV6 reverse configuration used in
> production environment?
>
> Thanks for sharing your experience...
>
> Hugo,
>

We use IPv6 in production environment. It was a real headache to fill
reverse ip6.arpa zones by hand until I have learned about "arpaname"
utility. Since that maintaining reverse IPv6 zones is just a piece of cake.


>  > Date: Mon, 12 Mar 2012 16:28:53 -0500
> > From: jay-f...@uiowa.edu
>
> > To: hugo...@hotmail.com
> > CC: bind-users@lists.isc.org
> > Subject: RE: reverse dns for IPV6 ranges
> >
> > On Mon, 12 Mar 2012, hugo hugoo wrote:
> > > Has anyone else experience with reverse IPV6 configuration with Bind?
> >
> > We do static PTR records in the ip6.arpa zones like we do in the
> > in-addr.arpa zones, to create address->name mappings matching the
> > name->address mappings created by the  & A records.
> >
> > I fairly recently started fiddling with wildcard PTR records for DHCPv6
> > address pools, to at least return some answer for a query about the
> > addresses. Right now I have it configured so that a query for any
> > address in any of the pools returns the same name, but it could be
> > changed to return different names for different pools. This obviously
> > doesn't create symmetric name->address & address->name mapping, which
> > might or might not be a problem. I don't have enough real use of this to
> > know whether this wildcard stuff is helpful or not.
> >
> > 
> > Jay Ford, Network Engineering Group, Information Technology Services
> > University of Iowa, Iowa City, IA 52242
> > email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
>
>



-- 
AP

RE: reverse dns for IPV6 ranges

2012-03-19 Thread hugo hugoo

Jay,
 
- Can you give me an example of such configuration?
 
 

Has anyone else some examples of IPV6 reverse configuration used in production 
environment?
 
Thanks for sharing your experience...
 
Hugo,
 

> Date: Mon, 12 Mar 2012 16:28:53 -0500
> From: jay-f...@uiowa.edu
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: RE: reverse dns for IPV6 ranges
> 
> On Mon, 12 Mar 2012, hugo hugoo wrote:
> > Has anyone else experience with reverse IPV6 configuration with Bind?
> 
> We do static PTR records in the ip6.arpa zones like we do in the in-addr.arpa
> zones, to create address->name mappings matching the name->address mappings
> created by the  & A records.
> 
> I fairly recently started fiddling with wildcard PTR records for DHCPv6 
> address pools, to at least return some answer for a query about the 
> addresses. Right now I have it configured so that a query for any address in 
> any of the pools returns the same name, but it could be changed to return 
> different names for different pools. This obviously doesn't create symmetric 
> name->address & address->name mapping, which might or might not be a problem. 
> I don't have enough real use of this to know whether this wildcard stuff is 
> helpful or not.
> 
> 
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951

RE: reverse dns for IPV6 ranges

2012-03-12 Thread Jay Ford

On Mon, 12 Mar 2012, hugo hugoo wrote:

Has anyone else experience with reverse IPV6 configuration with Bind?


We do static PTR records in the ip6.arpa zones like we do in the in-addr.arpa
zones, to create address->name mappings matching the name->address mappings
created by the  & A records.

I fairly recently started fiddling with wildcard PTR records for DHCPv6 
address pools, to at least return some answer for a query about the 
addresses.  Right now I have it configured so that a query for any address in 
any of the pools returns the same name, but it could be changed to return 
different names for different pools.  This obviously doesn't create symmetric 
name->address & address->name mapping, which might or might not be a problem. 
I don't have enough real use of this to know whether this wildcard stuff is 
helpful or not.



Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951


RE: reverse dns for IPV6 ranges

2012-03-12 Thread hugo hugoo

Hello,

Has anyone else experience with reverse IPV6 configuration with Bind?

Regards,

Hugo,

> From: spa...@countryday.net
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: RE: reverse dns for IPV6 ranges
> Date: Tue, 6 Mar 2012 03:09:42 +
> 
> > But if only some IP have e reverse..what about the other server who have 
> > received an IP in the range? Ip that can be changed every x hours.
> > IF no reverse, it can be blacklisted for some reasons or having some 
> > problems with services asking a reverse dns resolution.
> 
> In my ip6.arpa zone, all of the entries are for servers whose IPv6 addresses 
> never change. If you are going to register PTR records for clients with 
> changeable IPv6 addresses, then you need a dynamic update mechanism. Mark 
> Andrews made a recommendation earlier in this regard. I don't think there is 
> any reason to have PTR records that have no corresponding  records in the 
> forward lookup zone. That would be computationally infeasible anyway. Jeff.

Re: reverse dns for IPV6 ranges

2012-03-09 Thread Matus UHLAR - fantomas

On 05.03.12 22:19, hugo hugoo wrote:
But if only some IP have e reverse..what about the other server who 
have received an IP in the range?  Ip that can be changed every x 
hours.  IF no reverse, it can be blacklisted for some reasons or 
having some problems with services asking a reverse dns resolution.


Working with reverse DNS and blacklist records in the IPv6 is something 
very different from IPv4. Each end user will get more IPs than whole 
IPv4 internet has, and it's easy to 

while you _can_ set up IPv6 reverse DNS records, you should not think 
of them same way as you did in IPv4.


SpamHaus has some recommendations related to IPv6 in order to avoid 
overhauling DNS when abusive client changes IPs to abuse servers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.


RE: reverse dns for IPV6 ranges

2012-03-05 Thread Spain, Dr. Jeffry A.
> But if only some IP have e reverse..what about the other server who have 
> received an IP in the range? Ip that can be changed every x hours.
> IF no reverse, it can be blacklisted for some reasons or having some problems 
> with services asking a reverse dns resolution.

In my ip6.arpa zone, all of the entries are for servers whose IPv6 addresses 
never change. If you are going to register PTR records for clients with 
changeable IPv6 addresses, then you need a dynamic update mechanism. Mark 
Andrews made a recommendation earlier in this regard. I don't think there is 
any reason to have PTR records that have no corresponding  records in the 
forward lookup zone. That would be computationally infeasible anyway. Jeff.


Re: reverse dns for IPV6 ranges

2012-03-05 Thread Mark Andrews

In message <1330991057.3861.10.camel@tardis>, Noel Butler writes:
> 
> > In message , hugo hugoo writes:
> > > 
> > > Dear all,
> > > 
> > > Can anyone help me with  its experience on reverse dns for IPV6?
> > > Presently, when we reverse an IPV4 subnet for clients, we configure all
> > >  the reverse for the whole subnet.
> > > It is a lot of PTR's but perfectly manageable.
> > > 
> > > With IPV6,  the number of IP's that we will receive is amazing
> > > So...it seems impossible for every single IPV6 inthe range to configure
> > > a PTR.
> > > 
> > > So...what to do?
> > > What is the common practice?
> > > What is possible with BIND?
> > > 
> > > Thanks in advance for your answer.
> > 
> > Let the machines register their own PTR record using TCP as the authenticator.
> > 
> > update-policy {
> > grant . tcp-self * PTR;
> > };
> 
> Thats dangerous   14m1337.u.suck.hax0r.org  -yeah, it would be
> highly abused and why most ISP's don't do/allow it :)

And is a baseless fear as it can be tracked back to the customer
involved or does the ISP permit customers to spoof each other or
permit the public to spoof its customers?  This isn't wide open
UPDATE.  Its 1.2.3.4 can update 4.3.2.1.IN-ADDR.ARPA/PTR and only
4.3.2.1.IN-ADDR.ARPA/PTR if the update request comes over TCP.

> But for a small company that has trustworthy staff, maybe, but then mail
> servers will start rejecting some of them trying to send directly
> because theres likely no matching A record.

The machine adds its own A /  records using TSIG.  These can then
be updated as it moves around the world.  
 
> > Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
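
Added example, not part of Mark Andrews's message and not BIND's code: a Python model of the tcp-self decision as described above (the source address may update only its own reverse name, only for PTR, only over TCP), followed by a forward-confirmation check on the PTR target, since the rule constrains the owner name but not the name the PTR points to. The request fields, the names under example.net / example.org and the forward data are constructed for illustration.

```python
import ipaddress

def tcp_self_allows(source_ip, transport, name, rrtype):
    """Model of the rule described above: grant an UPDATE only when it arrives
    over TCP, is for a PTR, and the owner name is the reverse name of the
    address the request came from."""
    if transport.lower() != "tcp" or rrtype.upper() != "PTR":
        return False
    own_name = ipaddress.ip_address(source_ip).reverse_pointer
    return name.rstrip(".").lower() == own_name

def forward_confirmed(source_ip, target, forward):
    """True when `target` has an address record pointing back at source_ip.
    `forward` maps lower-case host names to lists of addresses."""
    ip = ipaddress.ip_address(source_ip)
    addresses = forward.get(target.rstrip(".").lower(), ())
    return any(ipaddress.ip_address(a) == ip for a in addresses)

def review(updates, forward):
    """Classify each update: denied, granted, or granted-unconfirmed
    (accepted by the policy, but the target has no matching forward record)."""
    verdicts = []
    for u in updates:
        if not tcp_self_allows(u["src"], u["transport"], u["name"], u["type"]):
            verdicts.append("denied")
        elif forward_confirmed(u["src"], u["target"], forward):
            verdicts.append("granted")
        else:
            verdicts.append("granted-unconfirmed")
    return verdicts

def rp(address):
    """Fully qualified reverse name of an address."""
    return ipaddress.ip_address(address).reverse_pointer + "."

def upd(src, transport, name, rrtype, target):
    """Build one constructed update request."""
    return {"src": src, "transport": transport, "name": name,
            "type": rrtype, "target": target}

# Constructed forward data and update requests.
FORWARD = {"mail.example.net": ["2001:db8::25"]}
UPDATES = [
    upd("2001:db8::25", "tcp", rp("2001:db8::25"), "PTR", "mail.example.net."),
    upd("192.0.2.4", "tcp", "4.2.0.192.IN-ADDR.ARPA.", "PTR", "vanity.example.org."),
    upd("2001:db8::66", "udp", rp("2001:db8::66"), "PTR", "host66.example.net."),
    upd("2001:db8::66", "tcp", rp("2001:db8::25"), "PTR", "mail.example.net."),
    upd("2001:db8::66", "tcp", rp("2001:db8::66"), "TXT", "host66.example.net."),
]

if __name__ == "__main__":
    for update, verdict in zip(UPDATES, review(UPDATES, FORWARD)):
        print(update["src"], update["transport"], update["type"], "->", verdict)
```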


Re: reverse dns for IPV6 ranges

2012-03-05 Thread Noel Butler
On Tue, 2012-03-06 at 08:23 +1100, Mark Andrews wrote:

> In message , hugo hugoo writes:
> > 
> > Dear all,
> > 
> > Can anyone help me with  its experience on reverse dns for IPV6?
> > Presently, when we reverse an IPV4 subnet for clients, we configure all
> >  the reverse for the whole subnet.
> > It is a lot of PTR's but perfectly manageable.
> > 
> > With IPV6,  the number of IP's that we will receive is amazing
> > So...it seems impossible for every single IPV6 in the range to configure a PTR.
> > 
> > So...what to do?
> > What is the common practice?
> > What is possible with BIND?
> > 
> > Thanks in advance for your answer.
> 
> Let the machines register their own PTR record using TCP as the authenticator.
> 
>   update-policy {
>   grant . tcp-self * PTR;
>   };
> 


That's dangerous   14m1337.u.suck.hax0r.org  -yeah, it would be
highly abused and why most ISP's don't do/allow it :)
But for a small company that has trustworthy staff, maybe, but then mail
servers will start rejecting some of them trying to send directly
because there's likely no matching A record.




> Mark



RE: reverse dns for IPV6 ranges

2012-03-05 Thread hugo hugoo

thanks for your comment.

But if only some IP have a reverse..what about the other server who have 
received an IP in the range? Ip that can be changed every x hours.
IF no reverse, it can be blacklisted for some reasons or having some problems 
with services asking a reverse dns resolution.


> From: spa...@countryday.net
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: RE: reverse dns for IPV6 ranges
> Date: Mon, 5 Mar 2012 21:15:53 +
> 
> > Can anyone help me with  its experience on reverse dns for IPV6?
> > Presently, when we reverse an IPV4 subnet for clients, we configure all the 
> > reverse for the whole subnet.
> > It is a lot of PTR's but perfectly manageable.
> > With IPV6,  the number of IP's that we will receive is amazing
> > So...it seems impossible for every single IPV6 inthe range to configure a 
> > PTR.
> > So...what to do?
> > What is the common practice?
> > What is possible with BIND?
> 
> For our IPv6 address space 2001:4870:20ca::/48, I created a reverse lookup 
> zone a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa and arranged for delegation from our 
> ISP.  I included PTR records only for those hosts accessible from the 
> outside. Internal DNS is Windows Active Directory integrated. Here's a sample 
> from the zone file, which contains about 25 PTR records in all:
> 
> $ORIGIN .
> $TTL 3600   ; 1 hour
> a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa IN SOA ns1.countryday.net. hostmaster.countryday.net. (
>                 2012030101 ; serial
>                 86400      ; refresh (1 day)
>                 3600       ; retry (1 hour)
>                 1209600    ; expire (2 weeks)
>                 3600       ; minimum (1 hour)
>                 )
>             NS  ns1.countryday.net.
>             NS  ns2.countryday.net.
> $ORIGIN 9.0.0.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
> a.5.6.9.f.9.e.4.3.4.3.e.f.a.0.8 PTR ns2.countryday.net.
> $ORIGIN 8.5.1.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
> 2.9.1.f.1.d.2.1.b.f.7.5.7.f.8.0 PTR ns1.countryday.net.
> 
> I would also be interested in hearing about the practices of others. Jeff.
> 
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School
> 

Re: reverse dns for IPV6 ranges

2012-03-05 Thread Mark Andrews

In message , hugo hugoo writes:
> 
> Dear all,
> 
> Can anyone help me with  its experience on reverse dns for IPV6?
> Presently, when we reverse an IPV4 subnet for clients, we configure all
>  the reverse for the whole subnet.
> It is a lot of PTR's but perfectly manageable.
> 
> With IPV6,  the number of IP's that we will receive is amazing
> So...it seems impossible for every single IPV6 in the range to configure a PTR.
> 
> So...what to do?
> What is the common practice?
> What is possible with BIND?
> 
> Thanks in advance for your answer.

Let the machines register their own PTR record using TCP as the authenticator.

	update-policy {
		grant . tcp-self * PTR;
	};

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


RE: reverse dns for IPV6 ranges

2012-03-05 Thread Spain, Dr. Jeffry A.
> Can anyone help me with  its experience on reverse dns for IPV6?
> Presently, when we reverse an IPV4 subnet for clients, we configure all the 
> reverse for the whole subnet.
> It is a lot of PTR's but perfectly manageable.
> With IPV6,  the number of IP's that we will receive is amazing
> So...it seems impossible for every single IPV6 inthe range to configure a PTR.
> So...what to do?
> What is the common practice?
> What is possible with BIND?

For our IPv6 address space 2001:4870:20ca::/48, I created a reverse lookup zone 
a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa and arranged for delegation from our ISP.  I 
included PTR records only for those hosts accessible from the outside. Internal 
DNS is Windows Active Directory integrated. Here's a sample from the zone file, 
which contains about 25 PTR records in all:

$ORIGIN .
$TTL 3600   ; 1 hour
a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa IN SOA ns1.countryday.net. hostmaster.countryday.net. (
                2012030101 ; serial
                86400      ; refresh (1 day)
                3600       ; retry (1 hour)
                1209600    ; expire (2 weeks)
                3600       ; minimum (1 hour)
                )
            NS  ns1.countryday.net.
            NS  ns2.countryday.net.
$ORIGIN 9.0.0.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
a.5.6.9.f.9.e.4.3.4.3.e.f.a.0.8 PTR ns2.countryday.net.
$ORIGIN 8.5.1.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
2.9.1.f.1.d.2.1.b.f.7.5.7.f.8.0 PTR ns1.countryday.net.

I would also be interested in hearing about the practices of others. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
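
Added example, not part of Jeff Spain's message: Python that reads the PTR portion of the zone sample above, applies each $ORIGIN, and turns every PTR owner back into the IPv6 address it describes so the zone can be audited against the delegated 2001:4870:20ca::/48. The function names and the stray record under 2001:db8:: are constructed for illustration; owners inherited from a previous line are not handled.

```python
import ipaddress

# PTR portion of the zone sample from the message above.
ZONE_SAMPLE = """\
$ORIGIN 9.0.0.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
a.5.6.9.f.9.e.4.3.4.3.e.f.a.0.8 PTR ns2.countryday.net.
$ORIGIN 8.5.1.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
2.9.1.f.1.d.2.1.b.f.7.5.7.f.8.0 PTR ns1.countryday.net.
"""
# Constructed: a fully qualified PTR owner that lies outside the delegation.
STRAY = ipaddress.ip_address("2001:db8::1").reverse_pointer + ". PTR stray.example.\n"

def ptr_to_address(fqdn):
    """Convert a 32-nibble ip6.arpa owner name back to an IPv6Address."""
    name = fqdn.lower().rstrip(".")
    if not name.endswith(".ip6.arpa"):
        raise ValueError("not under ip6.arpa")
    nibbles = name[: -len(".ip6.arpa")].split(".")
    if len(nibbles) != 32 or any(
            len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        raise ValueError("not a full 32-nibble host name")
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))

def ptr_records(zone_text):
    """Yield (fully qualified owner, target) for each PTR line, honouring $ORIGIN."""
    origin = "."
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, then tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1]
            continue
        upper = [f.upper() for f in fields]
        if raw[0].isspace() or "PTR" not in upper[1:]:
            continue  # inherited owner (out of scope here) or not a PTR record
        owner = fields[0]
        if not owner.endswith("."):
            owner = owner + "." + origin.lstrip(".")
        yield owner, fields[upper.index("PTR", 1) + 1]

def audit(zone_text, delegated):
    """Return (address or owner, target, status) for every PTR in the text."""
    net = ipaddress.ip_network(delegated)
    report = []
    for owner, target in ptr_records(zone_text):
        try:
            addr = ptr_to_address(owner)
        except ValueError as exc:
            report.append((owner, target, "skipped: " + str(exc)))
            continue
        status = "ok" if addr in net else "outside " + delegated
        report.append((str(addr), target, status))
    return report

if __name__ == "__main__":
    for row in audit(ZONE_SAMPLE + STRAY, "2001:4870:20ca::/48"):
        print(*row)
```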
