ipv6 adoption
Mark Tinka
mark at tinka.africa
Wed Feb 16 13:25:07 UTC 2022
On 2/16/22 14:38, Andrew Baker via bind-users wrote:
> Firstly, we are running bind 9.11 on Debian 10 hosts.
>
> * Is it worth us upgrading to Debian 11 to get the newer version of
> bind?
>
I don't run Linux, but shouldn't it be possible to just upgrade only
BIND on your current Linux release, without having to change major OS
versions?
> * Are there any issues/bugs/holes in 9.11 that will cause us a
> problem, especially if we start messing with ipv6?
>
None that I can tell.

We are running bind911-9.11.36 happily as a resolver. Given
authoritative name servers would be less busy, I imagine you'll be fine
from that standpoint.
> * If I do upgrade the on-premise servers, is it better to do master
> then slaves or the other way around?
>
I've done both ways, because I've found it doesn't matter, especially if
you have more than one master.
> * If we have DNSSEC configured, is it going to break anything
> upgrading? (I have lots of backups of the zones and hosts files)
>
Take your time understanding DNSSEC, and how to set it up. I'd do this
long after adding IPv6 support, as that is what is most urgent, if I
hear you right.
> Secondly, reference bind config
>
> * For the “listen-on-v6” statement, are the only options still
> ‘none’ or ‘all’?
>
On all our name servers, we have this:

    listen-on-v6 { any; };

Works great.
> * Can the “listen-on-v6” only be enabled globally in the
> ‘named.conf.options’ or is it possible to enable per zone as we
> are (currently) only going to have 1 zone needing ipv6?
>
Good question - I don't know.

But I'd suspect it's a global setting, because the protocol BIND listens
on has nothing to do with what it answers, i.e., you can carry an IPv6
response over IPv4.
> * Once ipv6 is enabled, is it advisable to set up a sub-domain for
> the ipv6 addresses to avoid dual-stacking?
>
You could if you want to, but there is no relationship between the
A/AAAA records in the zone, and how the server's TCP/IP stack is configured.

We just have all IPv4 and IPv6 records in the same zone, with the server
dual-stacked.
> The reverse zones for our ipv4 are handled (badly) by our local
> telecoms provider. How big an issue is it going to be for ipv6 if the
> reverse lookups are badly/not implemented?
>
You can choose to handle your own PTR, assuming the IPv6 space is yours.
Unless I misunderstand...
> If our ISP can’t give us a public ipv6 address, can we still run our
> bind to give out ipv6 addresses or not?
>
Yes - you can answer to IPv6 DNS queries, and provide that answer over
IPv4, i.e., you can answer an AAAA query over IPv4. The answer and the
transport don't have to be congruent.
> Finally, can anyone point me towards any good reading on bind
> configuration and DNS best practice (preferably with idiot proof
> examples)? I must decide fairly quickly if we roll this zone back to
> our domain registrar who is set up to handle ipv6 or do we strike out
> and bring our DNS setup up to date and future proofed!
>
https://www.oreilly.com/library/view/dns-and-bind/9781449308025/

Mark.
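
An added example, not part of Mark's message or any ISC-supplied configuration: a dual-stack authoritative setup of the kind the replies describe, with listen-on-v6 in the global options block and A and AAAA records side by side in one zone. The zone name, the file paths (Debian-style layout) and the addresses (RFC 5737 and RFC 3849 documentation ranges) are assumptions.

```conf
# ---- named.conf.options (example; addresses are documentation ranges) ----
options {
    # Transport: the local addresses named accepts queries on.
    # listen-on / listen-on-v6 are set here in "options", not per zone.
    listen-on    { any; };
    listen-on-v6 { any; };    # the setting quoted in the reply above

    # Either statement also takes an address match list, so the listener
    # can be limited to the service address instead of every interface:
    # listen-on-v6 { 2001:db8:53::1; };
};

# ---- named.conf.local (hypothetical zone and file name) ----
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

; ---- /etc/bind/db.example.com: IPv4 and IPv6 records in the same zone ----
$TTL 3600
@     IN SOA  ns1.example.com. hostmaster.example.com. (
              2022021601 ; serial, bump on every edit
              3600       ; refresh
              900        ; retry
              1209600    ; expire
              3600 )     ; negative-cache TTL
      IN NS   ns1.example.com.
ns1   IN A    192.0.2.53
ns1   IN AAAA 2001:db8:53::1
www   IN A    192.0.2.80
www   IN AAAA 2001:db8:80::1

; ---- checks before and after reload ----
; named-checkconf
; named-checkzone example.com /etc/bind/db.example.com
; dig -4 @192.0.2.53 www.example.com AAAA   ; AAAA answer over IPv4 transport
; dig -6 @2001:db8:53::1 www.example.com A  ; A answer over IPv6 transport
```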