IPv6 and DNS for the residential service provider
Florian Lohoff
f at zz.de
Tue Sep 25 10:13:09 CEST 2012
On Tue, Sep 25, 2012 at 09:56:22AM +0200, Jeroen Massar wrote:
> >> 2) wildcard reverse DNS. This also breaks forward>reverse since as
> >> far as I know you can't have a wildcard forward lookup?
>
> One can set up a scriptable DNS server, PowerDNS seems to be a favorite
> there, and script the forward/reverse generation.
> >> 3) Dynamic DNS updates. At first this sounds interesting, except that
> >> from what I can tell most current OSs don't by default register in
> >> DNS, and if they do, don't use the domain obtained by DHCP unless that
> >> is enabled as well. And, IP-based DNS updates are inherently
> >> insecure.
> >
> > This is inherently insecure and open to DOS Attacks. And how do you
> > link RADIUS Accounting with DNS to delete all records a previous
> > user left behind?
>
> You could like, do it simple in today's always-on Internet usage: static
> assignments.
>
> Also makes abuse tracking soooo much easier as the IP is always the
> person it links to.
>
> But ISPs do not like to do that as then there is little reason to sell
> the overpriced static-IP-for-"businesses" version... next to some people
> fear mongering over the tracking aspect of their usage which will happen
> to them anyway.
I'd like to do static-address-prefix everywhere but the public's opinion
in Germany is pushed into the direction where statics are a privacy
problem. Let's not discuss this too far - it boils down to the need to
enable users to optionally change their prefix on a regular basis.
So - if you allow customers to update their DNS you need a mechanism to
clean up after them in case the prefix changes. And be careful about
TTLs the customer might set :)
Previously we were calculating the prefix from the RADIUS-submitted
Agent-Circuit-Id - so every DSLAM had an assigned IPv6 prefix and the
first port got the first /56 from that prefix. As long as you are on the
same physical port on the DSLAM you get the same prefix.
Flo
--
Florian Lohoff f at zz.de
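The per-port prefix derivation Florian describes (DSLAM gets a prefix, port N gets the N-th /56 from it) and the clean-up problem raised above (which DNS records belong to a prefix a customer no longer holds), as an added example that is not code from the post or from any ISP's RADIUS setup. The Agent-Circuit-Id format "<dslam> <slot>/<port>", the /48 per DSLAM, the 48 ports per slot and the sample zone are all constructed assumptions for illustration; real DSLAMs encode the circuit id differently and the parser would have to match the vendor's format.

```python
import ipaddress
import re

# Constructed assumption: each DSLAM is assigned a /48, which holds 2**8 = 256
# customer /56 prefixes. Real deployments would load this from provisioning.
DSLAM_PREFIXES = {
    "dslam01": ipaddress.IPv6Network("2001:db8:100::/48"),
    "dslam02": ipaddress.IPv6Network("2001:db8:101::/48"),
}
CUSTOMER_PREFIX_LEN = 56
PORTS_PER_SLOT = 48  # constructed assumption about the line card geometry

# Hypothetical Agent-Circuit-Id layout "<dslam> <slot>/<port>"; vendor formats differ.
CIRCUIT_ID_RE = re.compile(r"^(?P<dslam>[a-z0-9-]+) (?P<slot>\d+)/(?P<port>\d+)$")


def port_index(slot: int, port: int) -> int:
    """Linear index of a physical port within its DSLAM."""
    return slot * PORTS_PER_SLOT + port


def customer_prefix(circuit_id: str) -> ipaddress.IPv6Network:
    """Derive the stable /56 for the physical port named in Agent-Circuit-Id.

    Raises ValueError if the circuit id is malformed, names an unknown DSLAM,
    or the port index does not fit into the DSLAM's prefix; a silent wraparound
    would hand two ports the same prefix and break the abuse-tracking property
    the scheme is meant to give.
    """
    m = CIRCUIT_ID_RE.match(circuit_id)
    if not m:
        raise ValueError(f"unparseable Agent-Circuit-Id: {circuit_id!r}")
    dslam = m.group("dslam")
    if dslam not in DSLAM_PREFIXES:
        raise ValueError(f"unknown DSLAM {dslam!r}")
    base = DSLAM_PREFIXES[dslam]
    idx = port_index(int(m.group("slot")), int(m.group("port")))
    capacity = 1 << (CUSTOMER_PREFIX_LEN - base.prefixlen)
    if idx >= capacity:
        raise ValueError(f"port index {idx} exceeds {capacity} /56s in {base}")
    # Place the index in the bits between the DSLAM prefix and the /56 boundary.
    addr = int(base.network_address) + (idx << (128 - CUSTOMER_PREFIX_LEN))
    return ipaddress.IPv6Network((addr, CUSTOMER_PREFIX_LEN))


def stale_records(zone: dict, old_prefix: ipaddress.IPv6Network) -> list:
    """Names whose AAAA falls inside a prefix the customer no longer holds.

    zone maps owner name -> (AAAA address, TTL). This is the list an ISP would
    delete when RADIUS accounting reports the session gone or the prefix changed.
    """
    return sorted(
        name for name, (addr, _ttl) in zone.items()
        if ipaddress.IPv6Address(addr) in old_prefix
    )


def clamp_ttl(requested_ttl: int, max_ttl: int = 300) -> int:
    """Cap customer-chosen TTLs so a withdrawn record ages out of caches quickly."""
    return min(requested_ttl, max_ttl)


# Constructed sample zone: two hosts in the prefix of dslam01 port 0/1, one elsewhere.
SAMPLE_ZONE = {
    "nas.cust1.example.net.": ("2001:db8:100:100::10", 86400),
    "cam.cust1.example.net.": ("2001:db8:100:1ff::20", 3600),
    "web.cust2.example.net.": ("2001:db8:100:200::1", 300),
}

if __name__ == "__main__":
    p = customer_prefix("dslam01 0/1")
    print(p)                          # 2001:db8:100:100::/56
    print(stale_records(SAMPLE_ZONE, p))
```

The capacity check is the part worth keeping: a DSLAM with more ports than its prefix has /56s must get a bigger prefix, not wrap around. The TTL clamp and stale-record scan are the two minimal pieces a cleanup job needs when the customer is allowed to rotate prefixes.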