[dns-operations] fewer PTRs plz (Re: reverse DNS for DHCPV6 and PD's)

Mark Andrews marka at isc.org
Wed Jun 15 00:38:36 UTC 2011


In message <F9864532-B291-4ED2-9DB7-066207C58D82 at hopcount.ca>, Joe Abley writes:
> 
> On 2011-06-13, at 21:37, Mark Andrews wrote:
> 
> > Just let the hosts update their own PTR records.  Windows machines
> > already attempt to do this.  If the home user has a forward zone
> > then it will point to that zone.  If not ISPs may wish to offer
> > to host forward zones for their customers.
> > 
> > N records free then $/M records thereafter.
> 
> How would you suggest an ISP and its customers might secure the dynamic
> updates?

For forward zones TSIG.  This would probably mean named would grow
the ability to read an external database keyed by TSIG key name.
TSIGs would not have to be defined in named.conf anymore.  ISPs
already have account/password pairs that can be used as keyname/<shared
secrets> for TSIG or they can generate separate TSIGs and link them
in their customer database.

For reverse zones TCP is strong enough for PTRs.  named already has
"tcp-self" and "6to4-self" (same /48 tcp connection, matching IPv4
address tcp connection for 2002:<IPv4>:/48 reverse), adding /64-self,
/60-self and /54-self would not be hard and would cover 99.9% of
IPv6 reverse names for prefix delegations.  6to4-self was designed
to allow nameservers to add DNAME/NS records to the reverse for
2002::/16 as an alternative to having to use the web interface but
it works for any /48.  Geoff just pushed through with his I-D with
the web interface rather than picking this up.

With 9.8 there is the external pipe which could use the TSIG database
from the forward zones if you need finer/stronger control.  "This
TSIG" can update "this reverse namespace" using the same database
that sets up the DHCP server to respond to PD requests.  It was
added for GSS-TSIG support.

I suspect other vendors can do similar things.

> Joe
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
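As an added illustration (not part of Mark's message and not ISC documentation), the named.conf fragment below sketches the two update-policy arrangements discussed above: a per-customer TSIG key that is the only identity allowed to update that customer's forward zone, and the existing "tcp-self" and "6to4-self" grants on the reverse zones. Zone names, the key name "cust-12345", the placeholder secret, file paths and the 2001:db8::/32 block are all constructed; the /64-self, /60-self and /54-self grants proposed in the message do not exist in named and are deliberately not used. Note that tcp-self trusts the completed TCP handshake rather than a signature, so it only identifies the source address, while the TSIG grant is cryptographically bound to the key holder.

```text
# Added example; assumed names and a placeholder secret throughout.

# One TSIG key per customer account (assumed to be derived from or
# linked to the ISP's customer database, as the message suggests).
key "cust-12345" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   # placeholder, not a real key
};

# Customer's forward zone, hosted by the ISP.  Only the holder of
# "cust-12345" may update it, and only address records, so the key
# cannot alter NS, SOA or DNSSEC data.
zone "home.customer.example" {
    type master;
    file "dyn/home.customer.example";
    update-policy {
        grant cust-12345 subdomain home.customer.example A AAAA;
    };
};

# ISP's IPv6 reverse zone (constructed 2001:db8::/32).  A host that
# connects over TCP may change the PTR at the ip6.arpa name that maps
# back to its own source address, and nothing else.
zone "8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    file "dyn/2001-db8.rev";
    update-policy {
        grant * tcp-self . PTR;
    };
};

# 6to4 reverse space.  6to4-self lets an update arriving over TCP from
# IPv4 address A touch only the delegation records for 2002:A::/48,
# which is the web-interface replacement the message refers to.
zone "2.0.0.2.ip6.arpa" {
    type master;
    file "dyn/2002.rev";
    update-policy {
        grant * 6to4-self . NS DNAME;
    };
};
```

Pairing each rule with an explicit record-type list keeps the grants narrow: a compromised customer key or a spoofed TCP session can at worst rewrite the records the policy names for the names it covers, not the zone infrastructure.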
