[dns-wg] Reverse DNS operational considerations in an IPv6 environment

On 16 Jun 2010, at 07:56, Kostas Zorbadelos wrote:

> Of course IPv6 produces a totally different world in many
> things and I guess reverse DNS is one of them.

+1

> Although reverse DNS is used as a weak authentication mechanism today
> (if it can be characterized like that) it is not the only use. It is  
> very
> convenient to see names instead of ugly IPv6 addresses in log files  
> for
> instance.

I tend to agree. Though a cost/benefit analysis tends to suggest this  
convenience might not be worth the pain.

> Now DDNS is another thought. Can you imagine that working however in  
> an
> environment of multi-million mobile and consumer devices powering up  
> often,
> in a secure and scalable way? I find it a challenge, though never say
> never :)

I imagine all sorts of things and you probably don't want to know what  
goes on inside my head. Really. :-)

You're right to say that provisioning IPv6 PTR records for bazillions  
of edge devices is "challenging". In some cases it might not be worth  
the effort. [Would anyone care if the beer cans in my fridge had  
hostnames or if they got renumbered once I'd drunk them?] I think that  
was part of the argument that was being made about not bothering with  
PTRs for IPv6 addresses. Particularly for stuff that had transient or  
rapidly changing connectivity.

>> My personal preference would be to delegate the /80 (or whatever) to
>> the end-user/customer and leave them to choose how to provision that
>> zone. [Your mileage may vary...] This might work fairly painlessly
>> with the tcp-self and 6to4-self hooks to the update-policy{} clause  
>> in
>> BIND 9.7. Though that's still messy. It also relies on well-behaved
>> clients which is perhaps unwise.
>
> The hooks you are referring to in BIND are DDNS stuff?

Yes. The tcp-self and 6to4-self hooks allow clients to change the PTR  
for their own IPv6 address without needing a TSIG or other crypto  
token. The dynamic updates have to be made over TCP though.

> The provider can populate and maintain this space prety much as it
> does today. Consider home equipment, PCs with Windows 7 or any other
> operating system with similar behaviour, which as we noticed, apart  
> from the
> autoconfiguration address, produce random IPv6 addresses used in  
> outgoing
> connections that change every couple of hours or so.
>
> Add to all that some DNSSEC sugar ;-)

Yes. It's delightful, isn't it?

The plug and play semantics of IPv6 pretty much force us down the road  
of DDNS for forward and reverse lookups if name<->address mappings  
matter. That in turn makes DNSSEC "interesting".