IPv6 and DNS for the residential service provider

Florian Lohoff f at zz.de
Tue Sep 25 10:13:09 CEST 2012


On Tue, Sep 25, 2012 at 09:56:22AM +0200, Jeroen Massar wrote:
> >> 2) wildcard reverse DNS.  This also breaks forward>reverse since as
> >> far as I know you can't have a wildcard forward lookup?
> 
> One can set up a scriptable DNS server, PowerDNS seems to be a favorite
> there, and script the forward/reverse generation.

> >> 3) Dynamic DNS updates.  At first this sounds interesting, except that
> >> from what I can tell most current OSs don't by default register in
> >> DNS, and if they do, don't use the domain obtained by DHCP unless that
> >> is enabled as well.  And, IP-based DNS updates are inherently
> >> insecure.
> > 
> > This is inherently insecure and open to DOS Attacks. And how do you
> > link RADIUS Accounting with DNS to delete all records a previous
> > user left behind?
> 
> You could like, do it simple in today's always-on Internet usage: static
> assignments.
> 
> Also makes abuse tracking soooo much easier as the IP is always the
> person it links to.
> 
> But ISPs do not like to do that as then there is little reason to sell
> the overpriced static-IP-for-"businesses" version... next to some people
> fear mongering over the tracking aspect of their usage which will happen
> to them anyway.

I'd like to do static-address-prefix everywhere, but the public's opinion
in Germany is being pushed in the direction that statics are a privacy
problem. Let's not discuss this too far - it boils down to the need to
enable users to optionally change their prefix on a regular basis.
So - if you allow customers to update their DNS you need a mechanism to
clean up after them in case the prefix changes. And be careful about
the TTLs the customer might set :)

Previously we were calculating the prefix from the RADIUS-submitted
Agent-Circuit-Id - so every DSLAM had an assigned IPv6 prefix and the
first port got the first /56 from that prefix. As long as you are on the
same physical port on the DSLAM you get the same prefix.

Flo
-- 
Florian Lohoff                                                 f at zz.de
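The two mechanisms Florian sketches above, worked through as an added example that is not part of the original post or of any ISP's code: deriving a customer's /56 from the RADIUS Agent-Circuit-Id (DSLAM prefix plus port index), and cleaning up and bounding customer-submitted DNS records when the prefix changes. Everything concrete here is an assumption: the circuit-id format (TR-101 style "<node> eth <slot>/<port>[:<vlan>]" or "<node> atm <slot>/<port>:<vpi>.<vci>", 0-based slot and port numbers), one /48 per DSLAM, 48 ports per line card, the 300 s TTL cap, the 2001:db8::/32 documentation prefixes, and the sample zone data.

```python
"""Added example (not from the original post). All prefixes, names and
formats are assumptions chosen for illustration."""
import ipaddress
import re

# Assumed: each DSLAM owns one /48, i.e. room for 256 customer /56s.
DSLAM_PREFIXES = {
    "dslam01": ipaddress.IPv6Network("2001:db8:100::/48"),
    "dslam02": ipaddress.IPv6Network("2001:db8:101::/48"),
}
PORTS_PER_SLOT = 48          # assumed line-card size
CUSTOMER_PREFIXLEN = 56
MAX_TTL = 300                # assumed cap on TTLs a customer may set

# Assumed TR-101-style Agent-Circuit-Id; slot/port are taken as 0-based.
_CIRCUIT_RE = re.compile(
    r"^(?P<node>\S+) (?:eth|atm) (?P<slot>\d+)/(?P<port>\d+)(?::\S+)?$"
)


def prefix_from_circuit_id(circuit_id: str) -> ipaddress.IPv6Network:
    """Map a DSLAM port to its /56: port 0 of slot 0 gets the DSLAM's first /56."""
    m = _CIRCUIT_RE.match(circuit_id)
    if not m:
        raise ValueError(f"unparseable Agent-Circuit-Id: {circuit_id!r}")
    node = m.group("node")
    if node not in DSLAM_PREFIXES:
        raise ValueError(f"unknown DSLAM {node!r}")
    dslam_net = DSLAM_PREFIXES[node]
    index = int(m.group("slot")) * PORTS_PER_SLOT + int(m.group("port"))
    capacity = 2 ** (CUSTOMER_PREFIXLEN - dslam_net.prefixlen)
    if index >= capacity:   # a big DSLAM needs a bigger block than a /48
        raise ValueError(f"port index {index} exceeds {capacity} /{CUSTOMER_PREFIXLEN}s")
    base = int(dslam_net.network_address)
    return ipaddress.IPv6Network(
        (base + (index << (128 - CUSTOMER_PREFIXLEN)), CUSTOMER_PREFIXLEN)
    )


def _rev_zone(prefix: ipaddress.IPv6Network) -> str:
    """ip6.arpa zone name covering prefix (prefix length must be a nibble multiple)."""
    if prefix.prefixlen % 4:
        raise ValueError("reverse zone needs a nibble-aligned prefix")
    labels = prefix.network_address.reverse_pointer.split(".")  # 32 nibbles + ip6 + arpa
    return ".".join(labels[32 - prefix.prefixlen // 4:])


def belongs_to(name: str, rtype: str, value: str, prefix: ipaddress.IPv6Network) -> bool:
    """True if an AAAA value or a PTR owner name lies inside prefix."""
    if rtype == "AAAA":
        try:
            return ipaddress.IPv6Address(value) in prefix
        except ValueError:
            return False
    if rtype == "PTR":
        return name.lower().rstrip(".").endswith("." + _rev_zone(prefix))
    return False  # other record types are not tied to an address prefix


def stale_records(records, old_prefix: ipaddress.IPv6Network):
    """Records a customer left behind in a prefix they no longer hold."""
    return [r for r in records if belongs_to(r[0], r[1], r[2], old_prefix)]


def accept_customer_record(name, rtype, value, ttl, current_prefix):
    """Return the record to store, TTL clamped, or None if it must be refused
    because it does not point into the customer's current prefix."""
    if not belongs_to(name, rtype, value, current_prefix):
        return None
    return (name, rtype, value, min(int(ttl), MAX_TTL))


# Constructed sample zone: (owner, type, value, ttl).
SAMPLE_ZONE = [
    ("host1.cust.example.net", "AAAA", "2001:db8:100:4700::1", 86400),
    ("www.cust.example.net", "AAAA", "2001:db8:100:4701::80", 3600),
    ("mail.other.example.net", "AAAA", "2001:db8:100:4800::25", 3600),
    (ipaddress.IPv6Address("2001:db8:100:4700::1").reverse_pointer, "PTR",
     "host1.cust.example.net", 86400),
    (ipaddress.IPv6Address("2001:db8:100:4800::25").reverse_pointer, "PTR",
     "mail.other.example.net", 3600),
]

if __name__ == "__main__":
    old = prefix_from_circuit_id("dslam01 eth 1/23:100")   # 2001:db8:100:4700::/56
    print("prefix:", old)
    for r in stale_records(SAMPLE_ZONE, old):
        print("delete:", r[0], r[1], r[2])
```

The cleanup hook would run from RADIUS accounting (Accounting-Stop, or a Start whose derived prefix differs from the one last seen for that customer); `stale_records` then yields exactly the forward and reverse entries inside the released /56, and `accept_customer_record` keeps a customer from planting records outside their own delegation or with TTLs that outlive the prefix.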