ipv6 adoption

Mark Andrews marka at isc.org
Wed Feb 16 23:59:10 UTC 2022



> On 16 Feb 2022, at 23:38, Andrew Baker via bind-users <bind-users at lists.isc.org> wrote:
> 
> Firstly, thanks for the advice about the hidden master the other day, that’s now set up, working fine and we’ve just finished transferring about 4500 records across!
> My software team came up this morning and slapped me across the face with a wet fish (figuratively speaking as it’s not Thursday yet!) by informing me that they are developing a mobile app for one of our companies that Apple have mandated an ipv6 DNS requirement before they publish.

Firstly welcome to the 21st century.

> At the moment, all our infrastructure from ISP device inwards is ipv4 so setting up the zone on our DNS is going to require a lot of significant changes! There are a couple of things reference all this that I’m unsure about and am hoping you can educate me on.
>  
> Firstly, we are running bind 9.11 on Debian 10 hosts. 
> 	• Is it worth us upgrading to Debian 11 to get the newer version of bind?

BIND 9.11 supports IPv6 fine.  There is no reason to upgrade if you just want to add AAAA records
or to use IPv6 as a transport.  That said, BIND 9.11 is reaching EOL so it’s time to upgrade for that reason.

> 	• Are there any issues/bugs/holes in 9.11 that will cause us a problem, especially if we start messing with ipv6?

No.  BIND has supported IPv6 as a transport for over 20 years now.

> 	• If I do upgrade the on-premise servers, is it better to do master then slaves or the other way around?

Doesn’t matter.

> 	• If we have DNSSEC configured, is it going to break anything upgrading? (I have lots of backups of the zones and hosts files)

No.

> Secondly, reference bind config
> 	• For the “listen-on-v6” statement, are the only options still ‘none’ or ‘all’?

Those have never been the only choices.  If you didn’t properly populate the chroot area and you were
using chroot then you couldn’t enumerate the IPv6 interfaces on Linux as it required ‘/proc/net/if_inet6’
to exist.

> 	• Can the “listen-on-v6” only be enabled globally in the ‘named.conf.options’ or is it possible to enable per zone as we are (currently) only going to have 1 zone needing ipv6?

Listening on IPv6 is a parameter of the server, not the zone.  For the record, listening on IPv4 is also a
parameter of the server.

> 	• Once ipv6 is enabled. Is it advisable to setup a sub-domain for the ipv6 addresses to avoid dual-stacking?

Not really.

> The reverse zones for our ipv4 are handled (badly) by our local telecoms provider. How big an issue is it going to be for ipv6 if the reverse lookups are badly/not implemented?

IPv6 is actually easier as IPv6 address blocks are usually handed out on nibble boundaries (/(n*4) e.g. /32, /48,
/60, /64) which corresponds to break points in the ipv6.arpa tree.  Just add PTR records for the machines that
exist.  IPv4 address blocks are usually not delegated on byte boundaries so you need to have multiple zones or
use CNAMES for /25-/31 sized delegations (See RFC 2317).

> If our ISP can’t give us a public ipv6 address, can we still run our bind to give out ipv6 addresses or not?

Apple want to be able to connect to your servers over IPv6 without using any IPv6 at all.  I suspect that they
test from IPv6-only networks.  The first step is to have some of your servers on IPv6 with AAAA glue records for
them.

> Finally, can anyone point me towards any good reading on bind configuration and DNS best practice (preferably with idiot proof examples)? I must decide fairly quickly if we roll this zone back to our domain registrar who is setup to handle ipv6 or do we strike out and bring our DNS setup up to date and future proofed!
> 
> Thanks for your time and expertise. 
>  
>  
> Andy Baker
>  
>  

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
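
The nibble-boundary point in the reply above, worked through as an added example (not part of the original message and not ISC code): it derives the `ip6.arpa` zone name and relative PTR owner names for a nibble-aligned IPv6 prefix, and shows the IPv4 contrast where a block needs several `in-addr.arpa` zones or RFC 2317 CNAMEs. The function names, the documentation prefixes and the host names are assumptions chosen for illustration.

```python
import ipaddress

def ip6_reverse_zone(prefix):
    """ip6.arpa zone for an IPv6 prefix; only nibble-aligned prefixes map to one zone."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} is not on a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(list(reversed(nibbles)) + ["ip6", "arpa"]) + "."

def ptr_owner(prefix, address):
    """PTR owner name for address, relative to the reverse zone for prefix."""
    ip = ipaddress.IPv6Address(address)
    if ip not in ipaddress.IPv6Network(prefix):
        raise ValueError(f"{ip} is outside {prefix}")
    zone = ip6_reverse_zone(prefix)
    full = ip.reverse_pointer + "."          # 32 nibble labels + ip6.arpa.
    return full[: -len(zone) - 1] or "@"

def in_addr_zones(prefix):
    """in-addr.arpa zones covering an IPv4 block, or None when it is smaller
    than a /24 and needs RFC 2317 CNAME delegation instead."""
    net = ipaddress.IPv4Network(prefix)
    if net.prefixlen > 24:
        return None
    octets = max(1, -(-net.prefixlen // 8))  # round up to the next byte boundary
    zones = []
    for sub in net.subnets(new_prefix=octets * 8):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa.")
    return zones

if __name__ == "__main__":
    # Constructed sample data: documentation prefixes and hypothetical host names.
    prefix = "2001:db8:abcd::/48"
    hosts = {"2001:db8:abcd::53": "ns1.example.com.",
             "2001:db8:abcd:10::80": "www.example.com."}
    print(f"$ORIGIN {ip6_reverse_zone(prefix)}")
    for addr, name in hosts.items():
        print(f"{ptr_owner(prefix, addr)} IN PTR {name}")
    print(in_addr_zones("198.51.100.0/22"))   # four /24 zones
    print(in_addr_zones("192.0.2.128/25"))    # None: RFC 2317 case
```

Running it prints a `$ORIGIN` line and PTR lines that can be pasted into a zone file for the /48; a prefix such as /33 is rejected because it does not fall on a zone cut.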


