IPv6 and DNS for the residential service provider

Florian Lohoff f at zz.de
Tue Sep 25 09:51:11 CEST 2012


On Mon, Sep 24, 2012 at 02:32:05PM -0400, Ron Vachiyer wrote:
> Hello, (hopefully on-topic for this list!)
> 
> I am looking for some tips as to how to deal with DNS and rDNS in a residential service provider scenario.  This document, http://tools.ietf.org/html/draft-howard-isp-ip6rdns-02, doesn't seem to have been updated in ages and I haven't found any more recent pertinent information.
> 
> Basically, this doc offers the following options to provide forward
> and reverse DNS; our customers are residential and will not be asking
> for, or in a position to, operate reverse delegations themselves.
> 
> 1) not answer at all (NXDOMAIN).  This breaks applications that check
> forward>reverse 
> 
> 2) wildcard reverse DNS.  This also breaks forward>reverse since as
> far as I know you can't have a wildcard forward lookup?

We have gone for this currently.

> 3) Dynamic DNS updates.  At first this sounds interesting, except that
> from what I can tell most current OSs don't by default register in
> DNS, and if they do, don't use the domain obtained by DHCP unless that
> is enabled as well.  And, IP-based DNS updates are inherently
> insecure.

This is inherently insecure and open to DoS attacks. And how do you
link RADIUS Accounting with DNS to delete all records a previous
user left behind?

> 4) delegate DNS to the customer gateway (never heard of a platform
> that actually supports this??)

This is what I think is the only viable solution. It's all IP and we
want the IP and all services to be in the hands of the customer. It's
an end-to-end protocol and we want users to be able to control their
own DNS.

Probably this should be done by proxies to ensure TTLs are not way
beyond session lifetime so DNS records are kept in foreign caches
for months.

> 5) "on the fly" record creation.  I find no doc for this other than a
> vague PowerDNS reference, does BIND support something like this?

Flo
-- 
Florian Lohoff                                                 f at zz.de
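
The forward>reverse check that options 1 and 2 break, and the answer logic behind option 5, as an added example that is not part of the original thread or any poster's code. The zone name, the prefix (the 2001:db8::/32 documentation block) and the hyphenated label encoding are assumptions chosen for illustration.

```python
import ipaddress

ZONE = "dyn.example.net."                        # assumed forward zone
PREFIX = ipaddress.ip_network("2001:db8::/32")   # stands in for the ISP's block

def ptr_owner(addr):
    """ip6.arpa owner name (nibble-reversed) that a resolver queries for addr."""
    return ipaddress.ip_address(addr).reverse_pointer + "."

def synth_ptr(addr):
    """Option 5: compute the PTR target from the address at query time."""
    ip = ipaddress.ip_address(addr)
    if ip not in PREFIX:
        return None                              # not our space: no answer
    return ip.exploded.replace(":", "-") + "." + ZONE

def synth_aaaa(name):
    """Matching forward answer: decode the label back into the address."""
    name = name.lower()
    if not name.endswith("." + ZONE):
        return None
    label = name[: -len(ZONE) - 1]
    try:
        ip = ipaddress.IPv6Address(label.replace("-", ":"))
    except ValueError:
        return None
    # Answer only for the canonical label of an address inside the prefix,
    # so the zone cannot be used to mint names for arbitrary addresses.
    if ip not in PREFIX or ip.exploded.replace(":", "-") != label:
        return None
    return str(ip)

def wildcard_ptr(addr):
    """Option 2: every address in the block maps to one fixed name."""
    return "customer." + ZONE if ipaddress.ip_address(addr) in PREFIX else None

def forward_confirms(addr, ptr_fn, aaaa_fn):
    """The application-side check: PTR lookup, AAAA lookup, compare."""
    name = ptr_fn(addr)
    if name is None:
        return False
    fwd = aaaa_fn(name)
    return fwd is not None and ipaddress.ip_address(fwd) == ipaddress.ip_address(addr)
```

Because both answers are computed from the query itself, nothing is stored per customer and nothing is left behind when a session ends.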

More information about the ipv6-ops mailing list