
Reverse DNS considerations for IPv6

Kostas Zorbadelos - OTE, David Freedman - ClaraNet

RIPE 61

November 2010

Reverse DNS in IPv4


Every Internet-reachable host should have a name. Make sure your PTR and A records match. For every IP address, there should be a matching PTR record in the in-addr.arpa domain. If a host is multi-homed, make sure that all IP addresses have a corresponding PTR record (not just the first one).


Reverse DNS usage in the current Internet


Some applications use DNS lookups for security checks. Failure to find matching reverse mappings is interpreted as a potential security concern. Web sites could use reverse mapping to verify whether the client is located within a certain geopolitical region. MTAs can be configured not to accept mail from clients that have no PTR or a non-matching PTR. Reverse mappings for visitors to services can be used in log entries. Traceroute output with descriptive reverse mapping proves useful. Scoring mail on the basis of missing or non-matching reverse mapping. ...


DNS Provisioning Practices: OTE

Our allocations:

Provide authoritative name service for around 329 domains (customers and our own). in-addr.arpa PTRs are automatically generated by scripts for every A record. Pre-populate home.otenet.gr and static.otenet.gr with records for our dynamic and static ranges.


Reverse DNS considerations in IPv6


The length of individual addresses makes manual zone entries cumbersome. A sample:

0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.8.5.0.2.0.a.2.ip6.arpa IN PTR kirk.otenet.gr.

A single customer can have a /56 or /48 assignment. Prepopulation of all possible addresses in a zone is impossible.

When SLAAC is used it is not possible to know the host address in advance.

Popular operating systems generate random temporary global addresses.


Reverse DNS in IPv6


So, should we even care about PTRs in ip6.arpa?

Do we further need

kzorba@<machine> ~> host kirk.otenet.gr
kirk.otenet.gr has IPv6 address 2a02:580:200::100
kzorba@<machine> ~> host 2a02:580:200::100
0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.8.5.0.2.0.a.2.ip6.arpa domain name pointer kirk.otenet.gr.

There are a few people that will hate this


kzorba@<machine> ~> traceroute6 www.google.com
traceroute6 to www.l.google.com (2a00:1450:8006::93) from 2a02:580:200::100, 64 hops max, 12 byte packets
 1  2a02:580:200::1  0.261 ms  0.201 ms  0.192 ms
 2  2a02:580:10f:1:221:d8ff:feea:22cf  0.239 ms  0.412 ms  0.325 ms
 3  2a00:1cb8:2000::5  0.242 ms  0.253 ms  0.253 ms
 4  2a00:1cb8:1::2b  0.898 ms  0.659 ms  0.506 ms
 5  2a00:1cb8:1::2  42.335 ms  42.400 ms  46.924 ms
 6  de-cix20.net.google.com  48.455 ms  42.928 ms  28.442 ms
 7  2001:4860::1:0:10  48.203 ms  42.808 ms 2001:4860::1:0:11  52.523 ms
 8  2001:4860::1:0:8  56.624 ms 2001:4860::1:0:4b3  52.342 ms 2001:4860::1:0:8  52.023 ms
 9  2001:4860::1:0:82c  60.059 ms  52.923 ms 2001:4860::1:0:2fe  134.104 ms
10  2001:4860::2d  60.622 ms 2001:4860::2c  58.602 ms  58.316 ms
11  2001:4860:0:1::2d  60.282 ms  62.862 ms  58.428 ms
12  2a00:1450:8006::93  61.866 ms  58.689 ms  61.483 ms


Usefulness of ip6.arpa records


Current reality is that PTR records are used in weak authentication methods of services. This might not go away in the IPv6 world as quickly as some think. It is useful to have human readable names in log files of servers. Also useful to show names in traceroutes. Certain applications like email can make more use of reverse mappings (scoring mails, creating reputation in domains etc.) ...


Approaches to the problem


The main source of information is currently the IETF draft draft-howard-isp-ip6rdns-04

Approaches discussed in the document are: no response, wildcard match, various Dynamic DNS solutions, delegation, and dynamically generated PTRs when queried (on the fly)


No Response / On the fly responses


Provide an NXDomain response to PTR queries for subscriber addresses. No worries for rDNS, with all the shortcomings.

ISPs could generate PTR records for addresses as they are requested. The PTR record is generated on demand (from an algorithm) and the forward (AAAA) entry is cached or pre-populated for the TTL of the PTR. Additional processing load in general; DoS countermeasures should be deployed. Could be used in a DNSSEC environment with on-the-fly signatures.
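As an added example (not from the slides), the nibble conversion behind the kirk.otenet.gr sample earlier and a minimal on-the-fly generator: the PTR target encodes the full address and the matching AAAA is derived from the same rule, so forward and reverse agree without any stored state. The dyn.provider.example suffix and the naming scheme are assumptions.

```python
import ipaddress

# Added example, not from the slides. Names under "dyn.provider.example."
# follow an assumed naming scheme for on-the-fly generated records.

def ip6_arpa_name(addr):
    """ip6.arpa owner name for an IPv6 address: 32 nibbles, reversed."""
    ip = ipaddress.IPv6Address(str(addr))
    nibbles = ip.exploded.replace(":", "")          # zero-padded, 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def address_from_arpa(name):
    """Inverse of ip6_arpa_name: parse a full ip6.arpa host name."""
    labels = name.rstrip(".").split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not a full ip6.arpa host name: %r" % name)
    nibbles = "".join(reversed(labels[:-2]))
    return ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))

def synthesize_records(addr, suffix="dyn.provider.example.", ttl=3600):
    """On-demand PTR plus the matching AAAA, as the 'on the fly' approach
    needs. The host label encodes the full address, so the forward lookup
    of the generated name can be answered by the same algorithm."""
    ip = ipaddress.IPv6Address(str(addr))
    host = ip.exploded.replace(":", "-") + "." + suffix
    ptr = "%s %d IN PTR %s" % (ip6_arpa_name(ip), ttl, host)
    aaaa = "%s %d IN AAAA %s" % (host, ttl, ip.compressed)
    return ptr, aaaa

def address_from_host(host, suffix="dyn.provider.example."):
    """Forward side of the scheme: recover the address from a generated name,
    so an AAAA query for it is answered without consulting any database."""
    if not host.endswith("." + suffix):
        raise ValueError("not a generated name: %r" % host)
    return ipaddress.IPv6Address(host[: -len(suffix) - 1].replace("-", ":"))
```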


Dynamic DNS Approaches


It's a way to ensure that forward and reverse records match. Does it scale? Does anybody do it in a large scale network? Once interface configuration is complete, hosts could provide both AAAA and PTR updates. Of course they need to know which nameservers to update. What about authentication of update requests? DoS to the system is possible. Illegal or inappropriate strings could be provided as hostnames.


Dynamic DNS from individual hosts


The simplest case is a residential user with a single host connected to the ISP. The ISP should provide address information, recursive nameserver and domain search list via DHCPv6. The host determines its FQDN by appending hostname and search list. The host performs multiple SOA queries to find the longest prefix delegated by the DNS admin. Once found, the host sends dynamic AAAA and PTR updates. Not the default behavior for many hosts. Most customers are expected to be connected through a residential gateway to the ISP.


Dynamic DNS From AAA


$ORIGIN 0.0.8.b.d.0.1.0.0.2
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR dyn-cust1234.ipv6.provider.net.

Driven by DHCP (OFFER) or RADIUS (ACCT-START)

Prefix assigned: given a wildcard, a single record for the customer's gateway, OR a set is generated on the fly to cover the whole prefix

Removed afterward when the lease expires (DHCP) or the user logs off / is logged off (RADIUS ACCT-STOP)

Perhaps tie in authenticated updates from your customer's delegated equipment? (nice to have)

No current implementations exist for IPv6 PTR (stop me if you know of one)


Dynamic DNS From AAA


Cable environment (DOCSIS3): User - CMRG - CMTS - DHCPD - NAMED, with DHCPD consulting the CMDB

1. CMRG requests an IPv6 LAN prefix via the CMTS from the DHCPD.
2. DHCPD checks the CMDB and either issues a static delegated prefix or one from a prefix pool based on customer type.
3. DHCPD informs NAMED via DynDNS of the prefix assignment: as a wildcard, a single address (gateway) or an entire generated set.
4. User asks the CMRG for a lease, which is assigned from the delegated prefix.
5. The CMRG may then update NAMED directly for residential leases (by default it updates the DNS servers it was issued via the DHCPv6 offer).
6. Once the lease has expired, records are removed; alternatively records can be timed out in sync with the lease of the delegated prefix.


Dynamic DNS From AAA


DSL environment (PPP): User - Router - NAS/RAS - RADIUS AUTH / RADIUS ACCT - NAMED, with RADIUS consulting the CMDB. Much the same.

1. Router makes a PPP call to the NAS/RAS, negotiates IPv6CP as NCP; the NAS/RAS consults RADIUS.
2. RADIUS asks the CMDB, gets the transfer prefix and the delegated prefix (if static), else uses a pool.
3. NAS/RAS issues Framed-IPv6-Prefix to the Router (via RA) and asks for a static Framed-Interface-Id of a known value (to prevent router SLAAC); it also issues Delegated-IPv6-Prefix in response to the Router's DHCPv6 Request.
4. The RADIUS accounting record (Acct-Start) is then used to update NAMED: Framed-IPv6-Prefix (with the static Framed-Interface-Ids) is populated as two records in the reverse zone (User and NAS/RAS). Delegated prefix as before (wildcard or expanded).
5. The Router will have to make DynDNS updates to NAMED itself for its delegated prefix leases.
6. Records are removed on Acct-Stop or timed out if need be.
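As an added example (not from the slides), a script fragment that maps one RADIUS accounting event of the PPP flow above to nsupdate statements: the router's WAN address gets its own PTR and the delegated prefix a wildcard PTR on Acct-Start, and both are removed on Acct-Stop. The zone name, TTL, event values and the hostname check are assumptions; the NAS-side record of step 4 is left out.

```python
import ipaddress
import re

# Added example, not from the slides: a RADIUS accounting record becomes the
# nsupdate statements that add (Acct-Start) or remove (Acct-Stop) the reverse
# records of a PPP subscriber. Attribute names are the RFC 3162/4818 ones the
# slides mention; zone, TTL and the sample event are constructed.

HOSTNAME_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+")

def arpa_name(addr_or_prefix):
    """ip6.arpa owner for a host (32 nibbles) or a nibble-aligned prefix."""
    net = ipaddress.IPv6Network(addr_or_prefix)       # a plain address is a /128
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    hexdigits = net.network_address.exploded.replace(":", "")
    return ".".join(reversed(hexdigits[: net.prefixlen // 4])) + ".ip6.arpa."

def nsupdate_for_accounting(event, user_host, zone, ttl=3600):
    """Build an nsupdate script for one Acct-Start / Acct-Stop event."""
    # The slides warn about arbitrary strings reaching the zone: only a
    # syntactically valid, absolute host name is accepted as PTR target.
    if not HOSTNAME_RE.fullmatch(user_host.lower()):
        raise ValueError("refusing hostname %r" % user_host)
    framed = ipaddress.IPv6Network(event["Framed-IPv6-Prefix"])
    iid = int(event["Framed-Interface-Id"].replace(":", ""), 16)
    router_wan = ipaddress.IPv6Address(int(framed.network_address) | iid)
    owners = [
        arpa_name(str(router_wan)),                        # router's WAN address
        "*." + arpa_name(event["Delegated-IPv6-Prefix"]),  # wildcard for the LAN prefix
    ]
    status = event["Acct-Status-Type"]
    lines = ["zone %s" % zone]
    if status == "Start":
        lines += ["update add %s %d IN PTR %s" % (o, ttl, user_host) for o in owners]
    elif status == "Stop":
        lines += ["update delete %s IN PTR" % o for o in owners]
    else:
        raise ValueError("unhandled Acct-Status-Type %r" % status)
    lines.append("send")
    return "\n".join(lines)
```

In production the script would also emit `server` and a `key` statement so that the updates are TSIG-signed, which is the update-authentication question raised earlier.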


Delegation Approach

$ORIGIN 8.b.d.0.1.0.0.2
1.0.0.0 IN NS ns1.foocustomer.net.

Very simple, make it the customer's problem. Not all customers have the skillset and means to do this.

More frequent delegations mean more frequent lame delegations (RFC1912)


Regular audits however should pick this up


Wildcard records and DNSSEC


$ORIGIN 1.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
* IN PTR dyn-cust1234.ipv6.provider.net.

Wildcarding your /64, /56 and /48 assignments. The customer overrides the wildcard with more specifics if need be.

Wildcards can be validated in DNSSEC by use of the labels field in the RRSIG (RFC4034/4035)

3600 RRSIG DNSKEY 5 2 3600 20101130230003 (20101031230003 29161 <snip>

Again, forward and reverse do not match; if a customer really has an application that requires this, punch a more specific hole as above. Management of such holes may be a new system to deploy.


Wildcard records and DNSSEC


It would actually look something like this:

$ORIGIN 1.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
* IN PTR dyn-cust1234.ipv6.provider.net.
  3600 RRSIG PTR 5 16 3600 20101130230003 (20101031230003 29161 <snip>

The number 16 allows the wildcard to represent the 16 labels of the /56 prefix when in ip6.arpa format, whilst excluding the null (root) label on the right and the wildcard label on the left: *.1.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.

A name covered by it, for example: f.e.e.b.d.a.e.d.f.e.e.b.d.a.e.d.0.0.1.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.

Covered extensively in RFC4035 section 5.x
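As an added example (not from the slides), the Labels-field arithmetic a validator applies to accept the wildcard PTR above, plus the lookup order in which a customer's more-specific record punches a hole in the wildcard. The hole for 2001:db8:1:100::1 pointing at mail.foocustomer.net. is a constructed sample.

```python
# Added example, not from the slides: the RRSIG Labels-field check that lets a
# validator accept a wildcard PTR (RFC 4034 s.3.1.3, RFC 4035 s.5.3.4), and the
# "more specific hole" lookup order the slides describe.

def labels_of(name):
    """Labels of an absolute DNS name, root label excluded."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def rrsig_labels_field(owner):
    """RRSIG Labels field for an owner name: a leading '*' is not counted."""
    labels = labels_of(owner)
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)

def wildcard_expansion(qname, labels_field):
    """Given the name an answer was returned for and the RRSIG Labels field,
    return the wildcard owner the RRset was synthesized from, or None if the
    signature was made for qname itself."""
    labels = labels_of(qname)
    if labels_field > len(labels):
        raise ValueError("RRSIG Labels field larger than the name's label count")
    if labels_field == len(labels):
        return None
    return "*." + ".".join(labels[-labels_field:]) + "."

def wildcard_covers(wildcard_owner, qname):
    """True if '*.<suffix>' matches qname ('*' must stand for >= 1 label)."""
    suffix = labels_of(wildcard_owner)[1:]
    labels = labels_of(qname)
    return len(labels) > len(suffix) and labels[-len(suffix):] == suffix

def ptr_lookup(zone, qname):
    """Zone lookup: an explicit record (a customer's 'hole') wins, otherwise a
    matching wildcard answers. Simplified: real servers also refuse to expand
    a wildcard when a closer ancestor of qname exists in the zone."""
    qname = qname.lower()
    if qname in zone:
        return zone[qname]
    for owner, rdata in zone.items():
        if owner.startswith("*.") and wildcard_covers(owner, qname):
            return rdata
    return None

# The slides' /56 wildcard, a constructed hole for 2001:db8:1:100::1, and a
# host inside the /56 (2001:db8:1:100:dead:beef:dead:beef).
PREFIX_56 = "1.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa."
WILDCARD = "*." + PREFIX_56
HOLE = "1." + "0." * 17 + PREFIX_56
HOST = "f.e.e.b.d.a.e.d.f.e.e.b.d.a.e.d.0.0." + PREFIX_56
ZONE = {WILDCARD: "dyn-cust1234.ipv6.provider.net.", HOLE: "mail.foocustomer.net."}
```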


An Opinion for the immediate future


For infrastructure ranges (servers, network elements): continue doing things in the IPv4 way, that is, populate the forward zones with these addresses and create the ip6.arpa PTRs automatically via a script

For customer assignments: in case a customer is large enough and has DNS expertise, delegate his assignment to his nameservers along with any of his domains and get done with it


An Opinion (cont.)
In the other cases (general broadband users or corporate customers) pre-populate ip6.arpa with their assignments (/56 or something) using wildcard records. It would be great if the customer (only static?) has some sort of web interface to create records under a specified (forward) subdomain for him, e.g.

<customer>.<domain.for.customers.here>

The customer could choose to lose the wildcard record in ip6.arpa and have PTRs generated based solely on his AAAA records. Else, the AAAA records he creates create holes in the wildcard match.


Questions?


References

RFC1912 - Common DNS Operational and Configuration Errors
http://www.faqs.org/rfcs/rfc1912.html

Reverse DNS in IPv6 for Internet Service Providers, draft-howard-isp-ip6rdns-04
http://tools.ietf.org/html/draft-howard-isp-ip6rdns-04

Considerations for the use of DNS Reverse Mapping, draft-ietf-dnsop-reverse-mapping-considerations-06
http://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations-06
