PTR records for v6 hosts

Dave Täht d at teklibre.org
Sun Sep 6 02:04:51 CEST 2009



Stig Venaas <stig at venaas.com> writes:

> Mark Milhollan wrote:
>> On Mon, 31 Aug 2009, Lionel Elie Mamane wrote:
> [...]
>> I expect an ISP provided, predefined generic name for every address
>> in the entire allocation will predominate for many years, making
>> things like Martin List-Petersen's pdns pipe very attractive (since
>> it would kill BIND, and others, to actually populate such a zone).
>> Perhaps using base 32 (or 64) encoding instead of merely 16, easy as
>> it is to "see" the ip address when using hex.
>
> Do you know if anyone has written something like the pdns for BIND? I've
> thought about writing something like that using BIND's sdb back-end. It
> should be easy but I never got around to it. I might try to implement
> one unless it's been done already...

I'm not sure why you'd want to populate the entire reverse ip address
space, merely populating the used ipv6 ips with the machines that need
reverse ips should be enough. I just leave the reverses static as the
machines involved are on a dedicated tunnel or a roaming tunnel.

On bind9:

For forward lookups, to dynamically update bind9, what I have done, on a
small scale, is use the nsupdate utility, wrapped in a small script with
tsig.

To create a machine for the first time I:

#!/bin/sh
# mkroam.sh: generate a TSIG key pair for one roaming host name
# (the shebang has to be the first line for the script to run directly)

if [ $# -eq 1 ]
then
    dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/urandom -n USER "$1"
else
    echo "must be a user domain name in the format name.example.org"
fi

The resulting public key gets transmorphed (currently by hand) into a
file on the name server called keys.conf. 

key dave.roam.example.com. {
    algorithm HMAC-MD5;
    secret "jvtC/ZRUI24A2BC$218jkH2X2hIi562a1o2/1vzm ljV9fiZjC/JHZds4p 4c5kHTJql32s5BJQuPGIM/1HrnvmsA==";
};

The latest alpha of bind9 (due out next week, I'm told) comes with a
tool that generates keys in the correct format, so you don't have to use
dnssec-keygen for it.

And then the update script on the client pc (fired off a minute after the device
initializes to give it time to acquire addresses)

#!/bin/sh
# Replace this host's AAAA record with a TSIG-signed dynamic update.
export SERVER=nsipv6.example.com
export SUBDOMAIN=roam.example.com
if [ $# -eq 2 ]
then
    # USER is the host label chosen when the key was made with mkroam.sh
    # (this overrides the login name variable for the rest of the script)
    export USER=$1
    export AAAA=$2
    # -k points at the private half of the key pair; the glob must match
    # exactly one file, -v forces TCP, -d prints the exchange for debugging
    nsupdate -d -R /dev/urandom -k /etc/dnskey/K$USER.$SUBDOMAIN.*.private -v <<BBBB
server $SERVER
zone $SUBDOMAIN
update delete $USER.$SUBDOMAIN. AAAA
update add $USER.$SUBDOMAIN. 600 AAAA $AAAA
show
send
BBBB
else
    echo "usage: $0 USER New_AAAA"
fi


The update script could be improved (for example, checking to see if the
dns name was already registered and not doing an update in that case,
registering all or a subset of AAAA addresses based on EUI-64 or not,
etc). I have not got around to trying reverse zone updates. 

Will it scale? I don't know. You can do updates via udp, I can't think
of anything much more terse than that. 

Is it small enough to fit on a cpe? The nsupdate utility is 51k in size,
but relies on a plethora of libraries to do its job.

The joy in this is that I can actually get my email via good old SMTP,
no matter where I am, as well as have a static ipv6 based dns name, no
matter where I am. 

>
> Stig
>

-- 
Dave Taht
http://the-edge.blogspot.com
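As an added example (not code from Dave's post): a small Python helper that builds the nsupdate batch for both the forward AAAA record and the matching ip6.arpa PTR, the reverse-zone half the post says it had not tried yet. It computes the nibble-reversed reverse zone from the delegated prefix and refuses addresses outside that prefix. The server name, forward zone and TTL are constructed placeholders, and the batch is meant to be fed to nsupdate on stdin with the same -k key file as the post's script.

```python
import ipaddress

# Constructed placeholder names for the example; the poster's real server and
# zone are not shown.
SERVER = "nsipv6.example.com"
FORWARD_ZONE = "roam.example.com"
TTL = 600


def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone holding the PTRs for a delegated prefix.

    Reverse delegation is per nibble, so the prefix length must be a
    multiple of 4; the zone name is the reversed leading nibbles.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse delegation needs a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_name(addr: str) -> str:
    """Full 32-nibble reverse name of one address (no trailing dot)."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def update_batch(user: str, addr: str, prefix: str) -> str:
    """Build the stdin text for nsupdate: forward AAAA, then the matching PTR.

    Each zone gets its own 'zone ... send' group because a single dynamic
    update message can only touch one zone.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in ipaddress.IPv6Network(prefix):
        raise ValueError(f"{addr} is outside the delegated prefix {prefix}")
    fqdn = f"{user}.{FORWARD_ZONE}."
    ptr = ptr_name(addr) + "."
    lines = [
        f"server {SERVER}",
        f"zone {FORWARD_ZONE}",
        f"update delete {fqdn} AAAA",
        f"update add {fqdn} {TTL} AAAA {ip.compressed}",
        "send",
        f"zone {reverse_zone(prefix)}",
        f"update delete {ptr} PTR",
        f"update add {ptr} {TTL} PTR {fqdn}",
        "send",
    ]
    return "\n".join(lines) + "\n"
```

The reverse update only succeeds if the name server is authoritative for the computed ip6.arpa zone and the TSIG key is allowed to update it, so the key's update-policy has to cover both zones.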


