ipv6 adoption

Timothe Litt litt at acm.org
Wed Feb 16 15:18:07 UTC 2022


On 16-Feb-22 07:38, Andrew Baker wrote:
>
> Firstly, thanks for the advice about the hidden master the other day, 
> that’s now set up, working fine and we’ve just finished transferring 
> about 4500 records across!
>
> My software team came up this morning and slapped me across the face 
> with a wet fish (figuratively speaking, as it’s not Thursday yet!) by 
> informing me that they are developing a mobile app for one of our 
> companies, for which Apple have mandated an ipv6 DNS requirement before 
> they publish.
>
> At the moment, all our infrastructure from ISP device inwards is ipv4, 
> so setting up the zone on our DNS is going to require a lot of 
> significant changes! There are a couple of things in reference to all 
> this that I’m unsure about and am hoping you can educate me on.
>
> Firstly, we are running bind 9.11 on Debian 10 hosts.
>
>   * Is it worth us upgrading to Debian 11 to get the newer version of
>     bind?
>   * Are there any issues/bugs/holes in 9.11 that will cause us a
>     problem, especially if we start messing with ipv6?
>   * If I do upgrade the on-premise servers, is it better to do master
>     then slaves or the other way around?
>   * If we have DNSSEC configured, is it going to break anything
>     upgrading? (I have lots of backups of the zones and hosts files)
>
> Secondly, reference bind config
>
>   * For the “listen-on-v6” statement, are the only options still
>     ‘none’ or ‘all’?
>   * Can the “listen-on-v6” only be enabled globally in the
>     ‘named.conf.options’ or is it possible to enable per zone as we
>     are (currently) only going to have 1 zone needing ipv6?
>   * Once ipv6 is enabled, is it advisable to set up a sub-domain for
>     the ipv6 addresses to avoid dual-stacking?
>
> The reverse zones for our ipv4 are handled (badly) by our local 
> telecoms provider. How big an issue is it going to be for ipv6 if the 
> reverse lookups are badly/not implemented?
>
> If our ISP can’t give us a public ipv6 address, can we still run our 
> bind to give out ipv6 addresses or not?
>
> Finally, can anyone point me towards any good reading on bind 
> configuration and DNS best practice (preferably with idiot proof 
> examples)? I must decide fairly quickly if we roll this zone back to 
> our domain registrar who is setup to handle ipv6 or do we strike out 
> and bring our DNS setup up to date and future proofed!
>
> Thanks for your time and expertise.
>
> Andy Baker
>
>
You can get IPv6 via a tunnel broker.  Hurricane Electric 
(http://he.net/) is one of the larger ones.  You can get a /48 from them 
- for free.  Bandwidth is modest.  You can set up reverse zones; they'll 
delegate.  I don't think they support DNSSEC - it's been on their 
wishlist for years.

I use 9.11 (and have used previous versions) of bind with IPv6 - no IPv6 
issues.

Zones have nothing to do with dual stack.  If you create an AAAA record, 
your host can be found via IPv6.  If you create an A record, IPv4.  Both 
gives you "dual stack".  I tend to create x.v[46].example.net style 
names in addition to x.example.net for cases where I want one or the 
other.  This doesn't require a zone - it's just a name.

One reason to not configure your host with both A and AAAA records may 
be that most resolvers will prefer V6, but if you have a tunnel for V6 & 
a wide pipe to your ISP, you may find that you're connecting thru the 
tunnel & limited by its bandwidth.

There is no requirement for named to listen on IPv6 for it to serve AAAA 
records.  That's orthogonal, and dependent on what the resolver(s) can 
live with.

HE has a lot of IPv6 educational materials (not bind-specific) that are 
quite good.

Depending on where you are in the world, there are other brokers.  I 
switched to HE when SiXXS went out of business and have been happy.  I 
have no other connection to HE.  YMMV.

DNSSEC doesn't care what transport protocol is used or what records are 
served.  It just signs them.  Moving, you do need to make sure that the 
keys and delegations are present on the receiving end.  Once the move is 
complete, it may be a good time to do a key roll.

Finally, it's not clear from your note how you're set up, but if you run 
your own servers, you need to meet the geographic dispersion rules.  At 
least 2 servers in two places.  That's true no matter what protocols you 
use.  There are backup DNS services that support IPv6.  A free one that 
supports both IPv6 and DNSSEC is puck.nether.net/dns.

There are plenty of DNS books/guides.  I'll let someone else do the reviews.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
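As an added example that is not part of the thread: a small Python script that emits the A/AAAA records for a dual-stack name together with the x.v4/x.v6 single-stack aliases Timothe describes, and derives the nibble-reversed ip6.arpa names needed when a broker delegates a /48 reverse zone. The prefix, addresses and host names are constructed placeholders.

```python
"""Dual-stack forward records and ip6.arpa reverse names in BIND zone-file
syntax. All addresses and names below are constructed placeholders."""
import ipaddress


def forward_records(host, zone, v4, v6, ttl=3600):
    """A and AAAA for the dual-stack name, plus host.v4.<zone> (A only) and
    host.v6.<zone> (AAAA only) for clients that must use one protocol."""
    v4 = ipaddress.IPv4Address(v4)   # raises on a malformed address
    v6 = ipaddress.IPv6Address(v6)
    return [
        f"{host}.{zone}. {ttl} IN A    {v4}",
        f"{host}.{zone}. {ttl} IN AAAA {v6}",
        f"{host}.v4.{zone}. {ttl} IN A    {v4}",
        f"{host}.v6.{zone}. {ttl} IN AAAA {v6}",
    ]


def ip6_arpa_name(addr):
    """Reverse-nibble form: every hex digit of the fully expanded address,
    in reverse order, dot-separated, under ip6.arpa.  Same result as
    ipaddress.IPv6Address(addr).reverse_pointer, spelled out."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_zone_for_prefix(prefix):
    """Apex of the reverse zone a broker delegates for e.g. a /48.
    ip6.arpa delegations are per nibble, so the length must be a multiple of 4."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: ip6.arpa delegation needs a 4-bit boundary")
    count = net.prefixlen // 4
    nibbles = net.network_address.exploded.replace(":", "")[:count]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_record(addr, prefix, fqdn, ttl=3600):
    """PTR record with its owner name relative to the delegated zone's $ORIGIN."""
    full = ip6_arpa_name(addr)
    apex = reverse_zone_for_prefix(prefix)
    if not full.endswith("." + apex):
        raise ValueError(f"{addr} is not inside {prefix}")
    owner = full[: -len(apex) - 1]   # strip ".<apex>" to get the relative name
    return f"{owner} {ttl} IN PTR {fqdn}."


if __name__ == "__main__":
    print("\n".join(forward_records("www", "example.net", "192.0.2.10", "2001:db8:abcd::1")))
    print("; reverse zone:", reverse_zone_for_prefix("2001:db8:abcd::/48"))
    print(ptr_record("2001:db8:abcd::1", "2001:db8:abcd::/48", "www.example.net"))
```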
