[dns-operations] fewer PTRs plz (Re: reverse DNS for DHCPV6 and PD's)

Mark Andrews marka at isc.org
Wed Jun 15 00:38:36 UTC 2011

In message <F9864532-B291-4ED2-9DB7-066207C58D82 at hopcount.ca>, Joe Abley writes
> On 2011-06-13, at 21:37, Mark Andrews wrote:
> > Just let the hosts update its own PTR records.  Windows machines
> > already attempt to do this.  If the home user has a forward zone
> > then it will point to that zone.  If not ISP's may wish to offer
> > to host forward zones for their customers.
> >=20
> > N records free then $/M records there after.
> How would you suggest an ISP and its customers might secure the dynamic =
> updates?

For forward zones TSIG.  This would probably mean named would grow
the ability to read a external database keyed by TSIG key name.
TSIGs would not have to be defined in named.conf anymore.  ISP's
already have account/password pairs that can be used as keyname/<shared
secrets> for TSIG or they can generate seperate TSIGs and link them
in their customer database.

For reverse zones TCP is strong enough for PTR's.  named alread has
"tcp-self" and "6to4-self" (same /48 tcp connection, matching IPv4
address tcp connection for 2002:<IPv4>:/48 reverse), adding /64-self,
/60-self and /54-self would not be hard and would cover 99.9% of
IPv6 reverse names for prefix delegations.  6to4-self was designed
to allow nameservers to add DNAME/NS records to the reverse for
2002::/16 as a alternative to having to use the web interface but
it works for any /48.  Geoff just pushed through with his I-D with
the web interface rather than picking this up.

With 9.8 there is the external pipe which could use the TSIG database
from the forward zones if you need finer/stronger control.  "This
TSIG" can update "this reverse namespace" using the same database
that sets up the DHCP server to respond to PD requests.  It was
added for GSS-TSIG support.

I suspect other vendors can do similar things.

> Joe
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list