Re: reverse dns for IPV6 ranges
2012/3/20 michoski <micho...@cisco.com>:
> On 3/19/12 11:58 AM, Peter Andreev <andreev.pe...@gmail.com> wrote:
>> 2012/3/19 hugo hugoo <hugo...@hotmail.com>:
>>> Jay,
>>>
>>> - Can you give me an example of such a configuration?
>>>
>>> Has anyone else some examples of IPv6 reverse configuration used in a production environment?
>>>
>>> Thanks for sharing your experience...
>>
>> We use IPv6 in a production environment. It was a real headache to fill reverse ip6.arpa zones by hand until I learned about the arpaname utility. Since then, maintaining reverse IPv6 zones is just a piece of cake.
>
> Hmm... Yes, well I can see this as useful (though not much more than a few lines of any programming language?) if you intend to maintain generic placeholders... but not if you want RFC-compliant matching A/PTR. Granted, you should not drop mail in such cases, but many do. I guess tools and best practices take time to catch up to technological leaps. ;-)
>
> Or do you actually create A's matching your generic PTR and heavily rely on CNAMEs? Of course that simply won't do for some standard RR types.
>
> As much as I dislike djb in general, the way tinydns auto-creates a matching PTR (and also provides a mechanism to disable it as needed) for each A RR kinda makes sense. Granted, it doesn't do IPv6 at all without 3rd-party hacks... but they do at least exist.
>
> --
> All his life he has looked away... to the horizon, to the sky, to the future.
> Never his mind on where he was, on what he was doing. -- Yoda

Sorry for my stupidity, but I didn't catch your idea. We have a finite amount of hardware. Due to geographic distribution, security issues, lots of different prefixes in use, etc., we don't use DHCP and assign addresses by hand. So we do with PTRs. Of course I would go crazy if I filled a full v6 reverse zone, so I write only those PTRs which are needed. If we assign IP blocks to clients, usually we simply delegate them the corresponding reverse zone.

--
AP
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: reverse dns for IPV6 ranges
Jay,

- Can you give me an example of such a configuration?

Has anyone else some examples of IPv6 reverse configuration used in a production environment?

Thanks for sharing your experience...

Hugo

> Date: Mon, 12 Mar 2012 16:28:53 -0500
> From: jay-f...@uiowa.edu
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: RE: reverse dns for IPV6 ranges
>
> On Mon, 12 Mar 2012, hugo hugoo wrote:
>> Has anyone else experience with reverse IPv6 configuration with BIND?
>
> We do static PTR records in the ip6.arpa zones like we do in the in-addr.arpa zones, to create address-name mappings matching the name-address mappings created by the A records.
>
> I fairly recently started fiddling with wildcard PTR records for DHCPv6 address pools, to at least return some answer for a query about the addresses. Right now I have it configured so that a query for any address in any of the pools returns the same name, but it could be changed to return different names for different pools. This obviously doesn't create a symmetric name-address / address-name mapping, which might or might not be a problem. I don't have enough real use of this to know whether this wildcard stuff is helpful or not.
>
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
Re: reverse dns for IPV6 ranges
2012/3/19 hugo hugoo <hugo...@hotmail.com>:
> Jay,
>
> - Can you give me an example of such a configuration?
>
> Has anyone else some examples of IPv6 reverse configuration used in a production environment?
>
> Thanks for sharing your experience...

Hugo,

We use IPv6 in a production environment. It was a real headache to fill reverse ip6.arpa zones by hand until I learned about the arpaname utility. Since then, maintaining reverse IPv6 zones is just a piece of cake.

>> Date: Mon, 12 Mar 2012 16:28:53 -0500
>> From: jay-f...@uiowa.edu
>> To: hugo...@hotmail.com
>> CC: bind-users@lists.isc.org
>> Subject: RE: reverse dns for IPV6 ranges
>>
>> On Mon, 12 Mar 2012, hugo hugoo wrote:
>>> Has anyone else experience with reverse IPv6 configuration with BIND?
>>
>> We do static PTR records in the ip6.arpa zones like we do in the in-addr.arpa zones, to create address-name mappings matching the name-address mappings created by the A records.
>>
>> I fairly recently started fiddling with wildcard PTR records for DHCPv6 address pools, to at least return some answer for a query about the addresses. Right now I have it configured so that a query for any address in any of the pools returns the same name, but it could be changed to return different names for different pools. This obviously doesn't create a symmetric name-address / address-name mapping, which might or might not be a problem. I don't have enough real use of this to know whether this wildcard stuff is helpful or not.
>>
>> Jay Ford, Network Engineering Group, Information Technology Services
>> University of Iowa, Iowa City, IA 52242
>> email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951

--
AP
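What arpaname does for one address, plus the scripting around it that Peter alludes to, as an added example (not Peter's tooling and not from the page): compute the ip6.arpa owner name for each address in a host list and group the resulting PTR records under the most specific reverse zone you actually serve, so the output can be dropped into the right zone file. The host list and the 2001:db8::/32 zones are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input (assumption, not from the post): forward names and
# their AAAA addresses inside the documentation prefix 2001:db8::/32.
HOSTS = [
    ("ns1.example.net.", "2001:db8:0:a::53"),
    ("www.example.net.", "2001:db8:0:a:a123:b456::1"),
    ("mx1.example.net.", "2001:db8:0:b::25"),
]


def reverse_name(addr):
    """The ip6.arpa owner name for one address: the same text `arpaname` prints."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def reverse_zone(prefix):
    """Apex of the reverse zone for a nibble-aligned prefix, e.g. 2001:db8:0:a::/64."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("reverse zones can only be cut on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_records(hosts, zone_prefixes, ttl=3600):
    """Group one PTR per host under the most specific reverse zone that contains it.

    Returns {zone_apex: [(owner_relative_to_apex, ttl, "PTR", target), ...]}.
    A host outside every listed zone is an error, not a silently dropped record.
    """
    zones = {reverse_zone(p): ipaddress.IPv6Network(p, strict=True) for p in zone_prefixes}
    out = defaultdict(list)
    for name, addr in hosts:
        ip = ipaddress.IPv6Address(addr)
        candidates = [z for z, net in zones.items() if ip in net]
        if not candidates:
            raise ValueError(f"{addr} ({name}) is not inside any delegated reverse zone")
        zone = max(candidates, key=len)                      # longest apex = most specific prefix
        relative = ip.reverse_pointer[: -(len(zone) + 1)]    # strip ".<zone apex>"
        out[zone].append((relative, ttl, "PTR", name))
    return dict(out)


def render(zone_rrs):
    """Zone-file text, one $ORIGIN block per reverse zone, ready for $INCLUDE."""
    lines = []
    for zone in sorted(zone_rrs):
        lines.append(f"$ORIGIN {zone}.")
        for owner, ttl, rtype, target in zone_rrs[zone]:
            lines.append(f"{owner} {ttl} IN {rtype} {target}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render(ptr_records(HOSTS, ["2001:db8::/32", "2001:db8:0:a::/64"])))
```

Feeding the forward zone's AAAA records in as `HOSTS` is what keeps PTR and AAAA in step: every PTR produced here has a forward record by construction, and a host whose address is outside the zones you serve is reported rather than quietly left without a reverse.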
Re: reverse dns for IPV6 ranges
On 3/19/12 11:58 AM, Peter Andreev <andreev.pe...@gmail.com> wrote:
> 2012/3/19 hugo hugoo <hugo...@hotmail.com>:
>> Jay,
>>
>> - Can you give me an example of such a configuration?
>>
>> Has anyone else some examples of IPv6 reverse configuration used in a production environment?
>>
>> Thanks for sharing your experience...
>
> We use IPv6 in a production environment. It was a real headache to fill reverse ip6.arpa zones by hand until I learned about the arpaname utility. Since then, maintaining reverse IPv6 zones is just a piece of cake.

Hmm... Yes, well I can see this as useful (though not much more than a few lines of any programming language?) if you intend to maintain generic placeholders... but not if you want RFC-compliant matching A/PTR. Granted, you should not drop mail in such cases, but many do. I guess tools and best practices take time to catch up to technological leaps. ;-)

Or do you actually create A's matching your generic PTR and heavily rely on CNAMEs? Of course that simply won't do for some standard RR types.

As much as I dislike djb in general, the way tinydns auto-creates a matching PTR (and also provides a mechanism to disable it as needed) for each A RR kinda makes sense. Granted, it doesn't do IPv6 at all without 3rd-party hacks... but they do at least exist.

--
All his life he has looked away... to the horizon, to the sky, to the future.
Never his mind on where he was, on what he was doing. -- Yoda
Re: reverse dns for IPV6 ranges
On Mon, 19 Mar 2012, hugo hugoo <hugo...@hotmail.com> wrote:
> Jay,
>
> - Can you give me an example of such a configuration?

Sure. Say I use a DHCP pool of /64_prefix:a123:b456::/96 within each /64 subnet. For example:

    subnet               DHCP pool
    _________________    ___________________________
    2001:db8:0:a::/64    2001:db8:0:a:a123:b456::/96
    2001:db8:0:b::/64    2001:db8:0:b:a123:b456::/96
    2001:db8:0:c::/64    2001:db8:0:c:a123:b456::/96

Then you put this in every /64 subnet zone:

    ;
    *.6.5.4.b.3.2.1.a    IN    PTR    dhcpv6.whatever.edu.
    ;

so that PTR queries for addresses like:

    2001:db8:0:a:a123:b456::4
    2001:db8:0:b:a123:b456:1:2
    2001:db8:0:c:a123:b456:abc:def

all return dhcpv6.whatever.edu.

To make that less tedious, I create a file called dhcpv6.ptr.inc like this:

    ;
    ; dhcpv6.ptr.inc
    ; include file defining wildcard PTR record for DHCPv6 pools
    $TTL 86400
    @    IN    PTR    dhcpv6.whatever.edu.
    ;

Each subnet zone file (e.g., zone a.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa for subnet 2001:db8:0:a::/64) pulls in that file via:

    ;
    $INCLUDE dhcpv6.ptr.inc *.6.5.4.b.3.2.1.a
    ;

That way if I want to change the name in the PTR record I edit 1 file instead of every zone file.

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
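The wildcard scheme above, worked through in code as an added example (not Jay's tooling and not from the page): derive the wildcard owner and the $INCLUDE line from a pool prefix instead of counting nibbles by hand, and decide, the way the name server decides it, which PTR queries the wildcard will answer. The pool list is constructed to match the table in the post; the /64 zone cut is an assumption matching it too.

```python
import ipaddress

# Constructed pools matching the layout in the post above (documentation prefix).
POOLS = [
    "2001:db8:0:a:a123:b456::/96",
    "2001:db8:0:b:a123:b456::/96",
    "2001:db8:0:c:a123:b456::/96",
]


def _labels(net):
    """All 34 labels of the reverse name of a network's base address, least significant first."""
    return net.network_address.reverse_pointer.split(".")


def wildcard_owner(pool, zone_prefixlen=64):
    """Owner of the wildcard PTR for `pool`, relative to the reverse zone of its /zone_prefixlen.

    Both cuts must sit on nibble boundaries: otherwise no ip6.arpa label boundary
    corresponds to the pool and a single wildcard cannot express it.
    """
    net = ipaddress.IPv6Network(pool, strict=True)
    if net.prefixlen % 4 or zone_prefixlen % 4 or net.prefixlen <= zone_prefixlen:
        raise ValueError("pool and zone must be nibble-aligned, and the pool longer than the zone")
    labels = _labels(net)[:32]        # nibble k of the address sits at index 31 - k
    pool_part = labels[32 - net.prefixlen // 4 : 32 - zone_prefixlen // 4]
    return "*." + ".".join(pool_part)


def include_line(pool, zone_prefixlen=64, include_file="dhcpv6.ptr.inc"):
    """The $INCLUDE directive to drop into the subnet zone, as in the post."""
    return f"$INCLUDE {include_file} {wildcard_owner(pool, zone_prefixlen)}"


def covering_wildcard(addr, pools, zone_prefixlen=64):
    """Which pool wildcard answers a PTR query for `addr`?

    Decided by comparing labels of the ip6.arpa query name, as the server does,
    not by prefix arithmetic. Returns (zone_apex, wildcard_owner) or None.
    Assumes no explicit records exist beneath the wildcard's parent: an existing
    name or empty non-terminal there would take precedence (RFC 4592).
    """
    query = ipaddress.IPv6Address(addr).reverse_pointer.split(".")
    for pool in pools:
        net = ipaddress.IPv6Network(pool, strict=True)
        zone_labels = _labels(net)[32 - zone_prefixlen // 4 :]
        wc_labels = wildcard_owner(pool, zone_prefixlen).split(".")[1:]
        parent = wc_labels + zone_labels
        if len(query) > len(parent) and query[-len(parent):] == parent:
            return ".".join(zone_labels), "*." + ".".join(wc_labels)
    return None


if __name__ == "__main__":
    for pool in POOLS:
        print(include_line(pool))
    print(covering_wildcard("2001:db8:0:b:a123:b456:1:2", POOLS))
    print(covering_wildcard("2001:db8:0:a::53", POOLS))
```

Two things the label-based matcher makes visible: static hosts elsewhere in the /64 (2001:db8:0:a::53 above) are untouched because their reverse names do not end in the pool's labels, and an explicit PTR you later add inside the pool carries its empty non-terminal ancestors with it, so addresses sharing those leading nibbles stop matching the wildcard.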
RE: reverse dns for IPV6 ranges
Hello,

Has anyone else experience with reverse IPv6 configuration with BIND?

Regards,
Hugo

> From: spa...@countryday.net
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: RE: reverse dns for IPV6 ranges
> Date: Tue, 6 Mar 2012 03:09:42 +
>
>> But if only some IPs have a reverse... what about the other servers who have received an IP in the range? IPs that can change every x hours. If there is no reverse, it can be blacklisted for some reasons or have some problems with services asking for a reverse DNS resolution.
>
> In my ip6.arpa zone, all of the entries are for servers whose IPv6 addresses never change. If you are going to register PTR records for clients with changeable IPv6 addresses, then you need a dynamic update mechanism. Mark Andrews made a recommendation earlier in this regard. I don't think there is any reason to have PTR records that have no corresponding records in the forward lookup zone. That would be computationally infeasible anyway.
>
> Jeff.
RE: reverse dns for IPV6 ranges
On Mon, 12 Mar 2012, hugo hugoo wrote:
> Has anyone else experience with reverse IPv6 configuration with BIND?

We do static PTR records in the ip6.arpa zones like we do in the in-addr.arpa zones, to create address-name mappings matching the name-address mappings created by the A records.

I fairly recently started fiddling with wildcard PTR records for DHCPv6 address pools, to at least return some answer for a query about the addresses. Right now I have it configured so that a query for any address in any of the pools returns the same name, but it could be changed to return different names for different pools. This obviously doesn't create a symmetric name-address / address-name mapping, which might or might not be a problem. I don't have enough real use of this to know whether this wildcard stuff is helpful or not.

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
Re: reverse dns for IPV6 ranges
On 05.03.12 22:19, hugo hugoo wrote:
> But if only some IPs have a reverse... what about the other servers who have received an IP in the range? IPs that can change every x hours. If there is no reverse, it can be blacklisted for some reasons or have some problems with services asking for a reverse DNS resolution.

Working with reverse DNS and blacklist records in IPv6 is something very different from IPv4. Each end user will get more IPs than the whole IPv4 internet has, and it's easy to
While you _can_ set up IPv6 reverse DNS records, you should not think of them the same way as you did in IPv4.

SpamHaus has some recommendations related to IPv6 in order to avoid overhauling DNS when an abusive client changes IPs to abuse servers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
REALITY.SYS corrupted. Press any key to reboot Universe.
RE: reverse dns for IPV6 ranges
> Can anyone help me with their experience on reverse DNS for IPv6?
>
> Presently, when we reverse an IPv4 subnet for clients, we configure all the reverse for the whole subnet. It is a lot of PTRs but perfectly manageable.
>
> With IPv6, the number of IPs that we will receive is amazing... So it seems impossible to configure a PTR for every single IPv6 in the range.
>
> So... what to do? What is the common practice? What is possible with BIND?

For our IPv6 address space 2001:4870:20ca::/48, I created a reverse lookup zone a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa and arranged for delegation from our ISP. I included PTR records only for those hosts accessible from the outside. Internal DNS is Windows Active Directory integrated. Here's a sample from the zone file, which contains about 25 PTR records in all:

    $ORIGIN .
    $TTL 3600       ; 1 hour
    a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa IN SOA ns1.countryday.net. hostmaster.countryday.net. (
                                    2012030101 ; serial
                                    86400      ; refresh (1 day)
                                    3600       ; retry (1 hour)
                                    1209600    ; expire (2 weeks)
                                    3600       ; minimum (1 hour)
                                    )
                            NS      ns1.countryday.net.
                            NS      ns2.countryday.net.
    $ORIGIN 9.0.0.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
    a.5.6.9.f.9.e.4.3.4.3.e.f.a.0.8 PTR ns2.countryday.net.
    $ORIGIN 8.5.1.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
    2.9.1.f.1.d.2.1.b.f.7.5.7.f.8.0 PTR ns1.countryday.net.

I would also be interested in hearing about the practices of others.

Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
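The zone fragment above, parsed and checked against a forward table, as an added example that is neither Jeff's code nor from the page: it walks the PTRs (coping with $ORIGIN, comments and the multi-line SOA), rebuilds each address from its ip6.arpa owner name, and reports whether the target's AAAA records point back at that address, which is the matching-A/PTR property michoski's message earlier in the thread is about. The forward table is constructed; the real countryday.net AAAA records are not on the page.

```python
import ipaddress

# The reverse zone fragment from the post above, used here as sample input.
ZONE_TEXT = """\
$ORIGIN .
$TTL 3600       ; 1 hour
a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa IN SOA ns1.countryday.net. hostmaster.countryday.net. (
                                2012030101 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                1209600    ; expire (2 weeks)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.countryday.net.
                        NS      ns2.countryday.net.
$ORIGIN 9.0.0.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
a.5.6.9.f.9.e.4.3.4.3.e.f.a.0.8 PTR ns2.countryday.net.
$ORIGIN 8.5.1.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
2.9.1.f.1.d.2.1.b.f.7.5.7.f.8.0 PTR ns1.countryday.net.
"""

# Constructed forward data (an assumption; the real countryday.net AAAA records
# are not on the page). Each target maps to the set of addresses it resolves to.
FORWARD_AAAA = {
    "ns1.countryday.net.": {"2001:4870:20ca:158:8f7:57fb:12d1:f192"},
    "ns2.countryday.net.": {"2001:4870:20ca:9:80af:e343:4e9f:965a"},
}


def parse_ptrs(zone_text):
    """Yield (absolute_owner, target) for every PTR in a BIND-style zone fragment.

    Understands $ORIGIN, ';' comments, owner inheritance on indented lines and
    the parenthesised multi-line SOA. Other record types are skipped.
    """
    origin, last_owner, depth = ".", None, 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth:                                   # still inside "( ... )"
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                    # $TTL and friends
            continue
        depth += line.count("(") - line.count(")")
        tokens = line.split()
        owner = last_owner if line[0].isspace() else tokens[0]
        last_owner = owner
        if "PTR" not in tokens:
            continue
        target = tokens[tokens.index("PTR") + 1]
        if owner == "@":
            absolute = origin
        elif owner.endswith("."):
            absolute = owner
        elif origin == ".":
            absolute = owner + "."
        else:
            absolute = owner + "." + origin
        yield absolute.rstrip(".").lower(), target


def ptr_owner_to_address(owner):
    """Invert an ip6.arpa name (32 nibble labels, least significant first) to an address."""
    labels = owner.lower().rstrip(".").split(".")
    if len(labels) != 34 or labels[32:] != ["ip6", "arpa"]:
        raise ValueError(f"not a full-length ip6.arpa name: {owner}")
    hexdigits = "".join(reversed(labels[:32]))
    return ipaddress.IPv6Address(":".join(hexdigits[i:i + 4] for i in range(0, 32, 4)))


def check_zone(zone_text, forward):
    """Per PTR: 'ok' if the target's AAAA set contains the address, 'mismatch' if the
    target resolves elsewhere, 'no-forward' if it has no AAAA at all. The last two are
    the records a forward-confirmed reverse DNS check will not accept."""
    report = []
    for owner, target in parse_ptrs(zone_text):
        addr = ptr_owner_to_address(owner)
        aaaa = forward.get(target)
        if aaaa is None:
            status = "no-forward"
        elif addr in {ipaddress.IPv6Address(a) for a in aaaa}:
            status = "ok"
        else:
            status = "mismatch"
        report.append((str(addr), target, status))
    return report


if __name__ == "__main__":
    for row in check_zone(ZONE_TEXT, FORWARD_AAAA):
        print(*row)
```

Run it against a forward table pulled from your own zone (or from `dig AAAA` answers) before publishing the reverse zone; anything reported as `mismatch` or `no-forward` is a PTR that receivers doing the forward-confirmed check will treat as if it were absent.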
Re: reverse dns for IPV6 ranges
In message <dub109-w57aa00705e65417a6c57e4ac...@phx.gbl>, hugo hugoo writes:
> Dear all,
>
> Can anyone help me with their experience on reverse DNS for IPv6?
>
> Presently, when we reverse an IPv4 subnet for clients, we configure all the reverse for the whole subnet. It is a lot of PTRs but perfectly manageable.
>
> With IPv6, the number of IPs that we will receive is amazing... So it seems impossible to configure a PTR for every single IPv6 in the range.
>
> So... what to do? What is the common practice? What is possible with BIND?
>
> Thanks in advance for your answer.

Let the machines register their own PTR record using TCP as the authenticator.

    update-policy { grant . tcp-self * PTR; };

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
RE: reverse dns for IPV6 ranges
Thanks for your comment.

But if only some IPs have a reverse... what about the other servers who have received an IP in the range? IPs that can change every x hours. If there is no reverse, it can be blacklisted for some reasons or have some problems with services asking for a reverse DNS resolution.

> From: spa...@countryday.net
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: RE: reverse dns for IPV6 ranges
> Date: Mon, 5 Mar 2012 21:15:53 +
>
>> Can anyone help me with their experience on reverse DNS for IPv6?
>>
>> Presently, when we reverse an IPv4 subnet for clients, we configure all the reverse for the whole subnet. It is a lot of PTRs but perfectly manageable.
>>
>> With IPv6, the number of IPs that we will receive is amazing... So it seems impossible to configure a PTR for every single IPv6 in the range.
>>
>> So... what to do? What is the common practice? What is possible with BIND?
>
> For our IPv6 address space 2001:4870:20ca::/48, I created a reverse lookup zone a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa and arranged for delegation from our ISP. I included PTR records only for those hosts accessible from the outside. Internal DNS is Windows Active Directory integrated. Here's a sample from the zone file, which contains about 25 PTR records in all:
>
>     $ORIGIN .
>     $TTL 3600       ; 1 hour
>     a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa IN SOA ns1.countryday.net. hostmaster.countryday.net. (
>                                     2012030101 ; serial
>                                     86400      ; refresh (1 day)
>                                     3600       ; retry (1 hour)
>                                     1209600    ; expire (2 weeks)
>                                     3600       ; minimum (1 hour)
>                                     )
>                             NS      ns1.countryday.net.
>                             NS      ns2.countryday.net.
>     $ORIGIN 9.0.0.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
>     a.5.6.9.f.9.e.4.3.4.3.e.f.a.0.8 PTR ns2.countryday.net.
>     $ORIGIN 8.5.1.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
>     2.9.1.f.1.d.2.1.b.f.7.5.7.f.8.0 PTR ns1.countryday.net.
>
> I would also be interested in hearing about the practices of others.
>
> Jeff.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School
Re: reverse dns for IPV6 ranges
On Tue, 2012-03-06 at 08:23 +1100, Mark Andrews wrote:
> In message <dub109-w57aa00705e65417a6c57e4ac...@phx.gbl>, hugo hugoo writes:
>> Dear all,
>>
>> Can anyone help me with their experience on reverse DNS for IPv6?
>>
>> Presently, when we reverse an IPv4 subnet for clients, we configure all the reverse for the whole subnet. It is a lot of PTRs but perfectly manageable.
>>
>> With IPv6, the number of IPs that we will receive is amazing... So it seems impossible to configure a PTR for every single IPv6 in the range.
>>
>> So... what to do? What is the common practice? What is possible with BIND?
>>
>> Thanks in advance for your answer.
>
> Let the machines register their own PTR record using TCP as the authenticator.
>
>     update-policy { grant . tcp-self * PTR; };

That's dangerous: 14m1337.u.suck.hax0r.org - yeah, it would be highly abused, and that's why most ISPs don't do/allow it :)

But for a small company that has trustworthy staff, maybe; but then mail servers will start rejecting some of them trying to send directly because there's likely no matching A record.

Mark
Re: reverse dns for IPV6 ranges
In message <1330991057.3861.10.camel@tardis>, Noel Butler writes:
>> In message <dub109-w57aa00705e65417a6c57e4ac...@phx.gbl>, hugo hugoo writes:
>>> Dear all,
>>>
>>> Can anyone help me with their experience on reverse DNS for IPv6?
>>>
>>> Presently, when we reverse an IPv4 subnet for clients, we configure all the reverse for the whole subnet. It is a lot of PTRs but perfectly manageable.
>>>
>>> With IPv6, the number of IPs that we will receive is amazing... So it seems impossible to configure a PTR for every single IPv6 in the range.
>>>
>>> So... what to do? What is the common practice? What is possible with BIND?
>>>
>>> Thanks in advance for your answer.
>>
>> Let the machines register their own PTR record using TCP as the authenticator.
>>
>>     update-policy { grant . tcp-self * PTR; };
>
> That's dangerous: 14m1337.u.suck.hax0r.org - yeah, it would be highly abused, and that's why most ISPs don't do/allow it :)

And it is a baseless fear, as it can be tracked back to the customer involved; or does the ISP permit customers to spoof each other or permit the public to spoof its customers? This isn't wide open UPDATE. It's: 1.2.3.4 can update 4.3.2.1.IN-ADDR.ARPA/PTR, and only 4.3.2.1.IN-ADDR.ARPA/PTR, if the update request comes over TCP.

> But for a small company that has trustworthy staff, maybe; but then mail servers will start rejecting some of them trying to send directly because there's likely no matching A record.

The machine adds its own A / AAAA records using TSIG. These can then be updated as it moves around the world.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
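Mark's two replies spell out what the tcp-self rule checks; the following is an added model of that check (not BIND's code, and it speaks no DNS) that shows why the scenario Noel raises is refused: a client can only ever touch the one PTR whose owner is the reverse name of its own TCP source address. The zone, client addresses and update contents are constructed for the example; the all-or-nothing outcome mirrors how a dynamic update with any disallowed RR is refused as a whole.

```python
import ipaddress


def tcp_self_allows(source_ip, over_tcp, zone, owner, rrtype, allowed_types=("PTR",)):
    """Model of the tcp-self grant: one update RR is accepted only if it arrived over
    TCP, names exactly the reverse name of the client's own source address, lies
    inside `zone`, and is of a granted type. No key or shared secret is involved.
    """
    if not over_tcp:
        return False     # a UDP source address proves nothing; the rule ignores it
    self_name = ipaddress.ip_address(source_ip).reverse_pointer.lower()   # v4 and v6
    owner, zone = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    in_zone = owner == zone or owner.endswith("." + zone)
    return in_zone and owner == self_name and rrtype.upper() in allowed_types


def evaluate_update(source_ip, over_tcp, zone, update_rrs):
    """Apply the grant to every RR of one UPDATE message, given as (owner, type, rdata).

    A single RR the policy does not cover refuses the whole message.
    Returns ('NOERROR', []) or ('REFUSED', [offending owners]).
    """
    refused = [owner for owner, rrtype, _ in update_rrs
               if not tcp_self_allows(source_ip, over_tcp, zone, owner, rrtype)]
    return ("REFUSED", refused) if refused else ("NOERROR", [])


# Constructed scenario (assumption): a client at 2001:db8::1 inside the 2001:db8::/32
# reverse zone, first registering itself, then attempting what the thread worries about.
ZONE = "8.b.d.0.1.0.0.2.ip6.arpa"
CLIENT = "2001:db8::1"
OWN = ipaddress.IPv6Address(CLIENT).reverse_pointer
NEIGHBOUR = ipaddress.IPv6Address("2001:db8::2").reverse_pointer

if __name__ == "__main__":
    # Own PTR over TCP: allowed.
    print(evaluate_update(CLIENT, True, ZONE, [(OWN, "PTR", "host1.example.net.")]))
    # Someone else's PTR: refused, whatever the name says.
    print(evaluate_update(CLIENT, True, ZONE, [(NEIGHBOUR, "PTR", "14m1337.u.suck.hax0r.org.")]))
    # Own PTR but over UDP: refused, the source address is unverified.
    print(evaluate_update(CLIENT, False, ZONE, [(OWN, "PTR", "host1.example.net.")]))
    # Own name but a type the grant does not cover: refused.
    print(evaluate_update(CLIENT, True, ZONE, [(OWN, "TXT", "\"hello\"")]))
```

Two limits follow directly from the model. The rule binds one PTR to one connection's source address and nothing more, which is why the follow-up pairs it with TSIG for the machine's own A/AAAA records; and "proof" here is the ability to complete a TCP handshake as that address, so whoever can do that (an on-path host, or another host in the same prefix where the ISP does not filter source addresses) can set that one record and only that one.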
RE: reverse dns for IPV6 ranges
> But if only some IPs have a reverse... what about the other servers who have received an IP in the range? IPs that can change every x hours. If there is no reverse, it can be blacklisted for some reasons or have some problems with services asking for a reverse DNS resolution.

In my ip6.arpa zone, all of the entries are for servers whose IPv6 addresses never change. If you are going to register PTR records for clients with changeable IPv6 addresses, then you need a dynamic update mechanism. Mark Andrews made a recommendation earlier in this regard. I don't think there is any reason to have PTR records that have no corresponding records in the forward lookup zone. That would be computationally infeasible anyway.

Jeff.