ipv6 adoption

Mark Tinka mark at tinka.africa
Wed Feb 16 13:25:07 UTC 2022



On 2/16/22 14:38, Andrew Baker via bind-users wrote:

> Firstly, we are running bind 9.11 on Debian 10 hosts.
>
>   * Is it worth us upgrading to Debian 11 to get the newer version of
>     bind?
>

I don't run Linux, but shouldn't it be possible to just upgrade only 
BIND on your current Linux release, without having to change major OS 
versions?


>   * Are there any issues/bugs/holes in 9.11 that will cause us a
>     problem, especially if we start messing with ipv6?
>

None that I can tell.

We are running bind911-9.11.36 happily as a resolver. Given 
authoritative name servers would be less busy, I imagine you'll be fine 
from that standpoint.


>   * If I do upgrade the on-premise servers, is it better to do master
>     then slaves or the other way around?
>

I've done both ways, because I've found it doesn't matter, especially if 
you have more than one master.


>   * If we have DNSSEC configured, is it going to break anything
>     upgrading? (I have lots of backups of the zones and hosts files)
>

Take your time understanding DNSSEC, and how to set it up. I'd do this 
long after adding IPv6 support, as that is what is most urgent, if I 
hear you right.


> Secondly, reference bind config
>
>   * For the “listen-on-v6” statement, are the only options still
>     ‘none’ or ‘all’?
>

On all our name servers, we have this:

     listen-on-v6    { any; };

Works great.


>   * Can the “listen-on-v6” only be enabled globally in the
>     ‘named.conf.options’ or is it possible to enable per zone as we
>     are (currently) only going to have 1 zone needing ipv6?
>

Good question - I don't know.

But I'd suspect it's a global setting, because the protocol BIND listens 
on has nothing to do with what it answers, i.e., you can carry an IPv6 
response over IPv4.


>   * Once ipv6 is enabled, is it advisable to set up a sub-domain for
>     the ipv6 addresses to avoid dual-stacking?
>

You could if you want to, but there is no relationship between the 
A/AAAA records in the zone, and how the server's TCP/IP stack is configured.

We just have all IPv4 and IPv6 records in the same zone, with the server 
dual-stacked.


> The reverse zones for our ipv4 are handled (badly) by our local 
> telecoms provider. How big an issue is it going to be for ipv6 if the 
> reverse lookups are badly/not implemented?
>

You can choose to handle your own PTR, assuming the IPv6 space is yours. 
Unless I misunderstand...


> If our ISP can’t give us a public ipv6 address, can we still run our 
> bind to give out ipv6 addresses or not?
>

Yes - you can answer to IPv6 DNS queries, and provide that answer over 
IPv4, i.e., you can answer an AAAA query over IPv4. The answer and the 
transport don't have to be congruent.


> Finally, can anyone point me towards any good reading on bind 
> configuration and DNS best practice (preferably with idiot proof 
> examples)? I must decide fairly quickly if we roll this zone back to 
> our domain registrar who is set up to handle ipv6 or do we strike out 
> and bring our DNS setup up to date and future proofed!
>

https://www.oreilly.com/library/view/dns-and-bind/9781449308025/

Mark.
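
Added example, not part of the original message and not BIND code: a minimal sketch of the point made above that an AAAA question and its answer can travel over IPv4. The toy responder, the name www.example.com and the documentation address 2001:db8::53 are constructed for illustration; both sockets are IPv4-only on loopback.

```python
import ipaddress
import socket
import struct
import threading

QTYPE_AAAA, QCLASS_IN = 28, 1

def build_query(name, txid=0x1234):
    """Wire-format DNS query asking for the AAAA record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_AAAA, QCLASS_IN)

def build_response(query, addr6):
    """Toy responder: echo the question and attach one AAAA record."""
    header = query[:2] + struct.pack("!HHHHH", 0x8500, 1, 1, 0, 0)  # QR, AA, RD
    rdata = ipaddress.IPv6Address(addr6).packed
    # 0xC00C is a compression pointer back to the question name at offset 12
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_AAAA, QCLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + rr

def parse_aaaa(response, query):
    """Extract the IPv6 address from the single answer that follows the question."""
    off = len(query)  # answer section starts where the echoed question ends
    rtype, _, _, rdlen = struct.unpack("!HHIH", response[off + 2:off + 12])
    if rtype != QTYPE_AAAA or rdlen != 16:
        raise ValueError("not an AAAA answer")
    return str(ipaddress.IPv6Address(response[off + 12:off + 12 + rdlen]))

def serve_once(sock, addr6):
    data, peer = sock.recvfrom(512)
    sock.sendto(build_response(data, addr6), peer)

def aaaa_over_ipv4(name="www.example.com", addr6="2001:db8::53"):
    """Ask for an AAAA record over IPv4-only UDP sockets on loopback."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        srv.bind(("127.0.0.1", 0))  # IPv4 transport only, ephemeral port
        cli.settimeout(2)
        worker = threading.Thread(target=serve_once, args=(srv, addr6))
        worker.start()
        query = build_query(name)
        cli.sendto(query, srv.getsockname())
        response, _ = cli.recvfrom(512)
        worker.join()
        return cli.family.name, parse_aaaa(response, query)
```

Calling `aaaa_over_ipv4()` returns the client socket's address family together with the IPv6 address carried in the answer.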