ipv4, ipV6 DNS BIND configuration and deployment

Eduardo Bonsi beartcom at pacbell.net
Mon Aug 5 03:01:32 UTC 2013


Mark,

I really did not mean things that way when I used the word "happy". Let's 
say that I am concerned with it and that means if anyone can express 
their views towards being more secure with ipv6, I am sure to 
consider it. We probably diverge on opinions about exposing MAC 
addresses as a public address and that is ok and maybe it is not a big 
deal anyway.

Thanks for your views on the issue!

Eduardo



On 8/4/13 6:12 PM, Mark Andrews wrote:
> In message <51FEB96D.3070800 at pacbell.net>, Eduardo Bonsi writes:
>> Hello Everyone,
>>
>> I have some questions about ipV6 transition and DNS configuration!
>>
>> I am preparing to make my transition to a dual stack ipv4, ipv6 and I
>> have some concerns in regards to the security of the network since ipv6
>> do not have NAT. My ISP gave me a Global
>> 2602:000:000:000:000:000:000:000/64
>
> Truly, your ISP should be giving you a /48 or as a minimum a /56.
> A /64 is a single subnet.  Your ISP will be getting addresses based
> on giving customers a /56 or /48.
>
>> Range and I can just turn on ipV6 on
>> the router and set the network to automatic on the computer and I am
>> connected through what they call a SLAAC ipV6 automatic conf network,
>> that runs using the machine MAC address, which I am not very happy to
>> adopt. I well know there is a way to mask the MAC address to random
>> addresses as a security measure but I am still not happy about it.
>
> And why are you not happy?  Because someone said there was an issue
> with it?  Do you understand the reasoning behind the issue and does
> it apply to your use of the network?  Because in many cases it doesn't.
>
> Too often I see people complaining that MAC addresses are buried
> in IPv6 addresses when in reality it is *not* a security issue for
> the use case.
>
> Modern IPv6 stacks use both types of address for different purposes.
> Saying one is unhappy is quite often a knee-jerk reaction that
> doesn't stand up to rigorous analysis.  This is not to say you haven't
> done that analysis but given modern stacks I find complaints like
> this just don't stack up.
>
>> Besides, there is all the BIND DNS configuration that needs to be routed
>> or I am stuck with a slow, broken SLAAC connection that works, but not
>> to the level of the DNS server that I want to achieve. Therefore, as a
>> network design after analyzing my options, I have decided to use the
>> static ipv4, ipV6 deployment approach that uses my ipV6 with the last 3
>> bits of the ipv4 NAT addresses already in place. This static option does
>> not expose the machine MAC addresses.
>>
>> However, the addresses are directly
>> connected through ipV6, bypassing the NAT environment. On BIND, the only
>> change I have in the named.conf file is the
>>
>> listen-on-v6 { any; };
>>
>> Therefore, here are my questions:
>>
>> 1. I am open to ideas or anything you think is best choosing the best
>> internal network design for ipV6.
>
> Get more address space from your ISP.  Use temporary addresses.
>
>> 2. Since this static ipV6 deployment lacks the non-rotatable NAT
>> environment, what are the security measures to take on BIND in regards
>> to the recursive issues on ipV6?
>
> Same as with IPv4.  Locally connected networks are allowed to
> recurse.
>
>> 3. Are there any other security issues that I should consider?
>>
>>
>> Many Thanks!
>>
>> Eduardo
>>
>> --
>> Eduardo Bonsi
>> System - Network Admin
>> beartcom at pacbell.net
>>


-- 
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beartcom at pacbell.net
webmaster at beart.com
