Setting up DNS correctly with IPv4 is already somewhat complex, but don't worry, doing it for IPv6 is not rocket science... but close.
This page gives some guidelines on how to set up DNS properly in support of IPv6. Within the examples, the important items are hyperlinked to the relevant portion of the text explaining them.
Introduction
DNS Platform
Study case scenario
BIND Configuration File
Forward lookup zone file
Global names
Reverse lookup zone files
Local addresses
Global addresses
Copyright
There is not yet a native IPv6 DNS root server. At present, the available DNS implementations all run on top of IPv4, and the DNS system supporting IPv6 is linked to IPv4 information. However, some DNS implementations are beginning to support native IPv6 transport, such as BIND 8 with the KAME patch, newbie, and BIND 9 (under development).
RFC 1886 defines the changes that need to be made to the DNS to support IPv6. They include a new resource record type, the AAAA record, which holds an IPv6 address. The AAAA record is the one used currently, because these extensions were designed to be compatible with existing DNS implementations.
In addition to RFC 1886, there is another DNS extension to support IPv6 addresses: draft-ietf-ipngwg-dns-lookups-06 supports renumberable and aggregatable IPv6 addressing. No implementation supporting these extensions is available yet; BIND 9 will support them, but it is still under development.
Furthermore, RFC 1912 provides recommendations on how to set up DNS for IPv4. It insists in particular on declaring local zone files for the reverse lookup of loopback and broadcast addresses so that the load on the root name servers is minimized. The setup described here follows the same philosophy, applied to IPv6.
The recommended platform for running DNS with IPv6 is BIND 8.2.2-P5. Although previous BIND versions (starting with 4.9.4) could be used as well, BIND 8.2.2-P5 is preferred, because:
- it is the currently developed code;
- IPv6 will eventually make extensive use of dynamic updates and other recent enhancements to the DNS protocol, which are supported in BIND 8.*;
- if one is already playing with IPv6, he/she should have the right mindset to undertake a quantum leap with his/her DNS platform;
- security reasons.
The use of DNS in support of IPv6 as described here will therefore assume that BIND 8.2.2-P5 is in place. The most recent BIND kits are available from the Internet Software Consortium.
By the way, if you want a BIND 8 that supports native IPv6 transport, KAME provides an IPv6 transport patch for bind-8.1.2.
The different files described here correspond to the actual setup in use by the ipv6domain-tottaro organization.
The organization uses the domain ipv6domain-tottaro.org for the computer lab where systems are connected to the 6Bone. In order to avoid mixing IPv6 and IPv4 attributes for domain names, it has been decided to list all the IPv6 hosts and resources within the v6.ipv6domain-tottaro.org subdomain. The principal (and primary) name server in use is ns.ipv6domain-tottaro.org, and the resolvers on all the hosts in the computer lab use it as their name server.
The BIND configuration file (usually /etc/named.conf) instructs the BIND name server about the zone files it is serving. The following configuration is in place on ns.ipv6domain-tottaro.org:
/*
 * BIND 8.2.2 boot configuration file
 *
 * Author: Bertrand Buclin
 *
 * Modification History:
 *   16-Sep-97  Buclin   Initial Version
 *   31-Jan-00  Sekiya   Revised
 */
options {
    directory "/var/named";
};

//
// localhost
//
zone "localhost" {
    type master;
    file "localhost";
};

//
// IPv4 zone files
//
zone "." {
    type hint;
    file "root.cache";
};

zone "1.0.0.127.in-addr.arpa" {
    type master;
    file "localhost";
};

//
// IPv6 zone files
// ==========
//
// First, load the zone for the IPv6 loopback address (::1): 32 nibbles,
// least significant first.
//
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int." {
    type master;
    file "localhost";
};

//
// If your IPv6 domain is "ipv6domain-tottaro.org", you need the zone below.
//
zone "v6.ipv6domain-tottaro.org" {
    type master;
    file "v6.ipv6domain-tottaro.org";
};

//
// Reverse lookup zones
// If you have the 3ffe:800::/24 pTLA ID, you need the zone below.
// The /24 is the six nibbles 3.f.f.e.0.8, which reversed give
// 8.0.e.f.f.3.ip6.int; this must match the $ORIGIN used in the zone file.
//
zone "8.0.e.f.f.3.ip6.int" {
    type master;
    file "3ffe:08";
};

//
// If you have the 3ffe:801::/32 pNLA ID, you need the zone below.
//
zone "1.0.8.0.e.f.f.3.ip6.int" {
    type master;
    file "3ffe:0801";
};

//
// If you have the 2001:200::/35 sTLA ID, you need the zones below.
// A /35 does not end on a nibble boundary, so it is declared as the
// two /36 zones 2001:200::/36 and 2001:200:1000::/36.
//
zone "0.0.0.2.0.1.0.0.2.ip6.int" {
    type master;
    file "2001:0200:0";
};

zone "1.0.0.2.0.1.0.0.2.ip6.int" {
    type master;
    file "2001:0200:1";
};
The zone files are stored under /var/named/ in anticipation of dynamic updates: it could be dangerous to locate them on /etc or /usr, since with dynamic updates the system manager no longer controls the updates to the zone files. These might grow rapidly (especially when some misconfiguration is going on...) and could easily fill up the root partition.
The forward lookup zone file is the most straightforward to set up. For each host or domain carrying an IPv6 address, it is simply a matter of adding a AAAA (pronounced quad-A) resource record. There are several forward lookup zones to set up, though:
- one for the globally valid domain names and routable addresses;
- one, or more, for the link-local addresses and corresponding names;
- maybe one or more zones if a site is using site-local or organization-local addresses.
One might be tempted to add the AAAA record to an existing domain name. Although the temptation is strong, and it is natural to do so, especially for systems running both IPv4 and IPv6, one should think twice before doing it: the AAAA record type is not understood by all DNS resolvers, and some applications might fail when receiving such a record back. Of course, such applications only get what they deserve, since they should not ask for something they don't understand... Another situation is when a host running both stacks attempts to resolve the name of a remote party: depending again on the implementation, the calling party might be confused if it is presented with both an IPv4 and an IPv6 address... At the end of the day, though, those issues will need to be sorted out to ensure a smooth migration.
The forward translation file for zone v6.ipv6domain-tottaro.org is given below.
; File: v6.ipv6domain-tottaro.org
; IPv6 Domain Tottaro Organization.
; IP v6 test network
;
@       IN  SOA ns.ipv6domain-tottaro.org. root.ipv6domain-tottaro.org. (
                    100013117   ; serial
                    3H          ; refresh
                    15M         ; retry
                    1W          ; expiry
                    1D )        ; minimum
        IN  NS  ns.ipv6domain-tottaro.org.
        IN  NS  ns2.ipv6domain-tottaro.org.
        IN  NS  ns.ipv4domain-tottaro.org.
        IN  MX  10 mail.ipv6domain-tottaro.org.
;
;
; Network names
;
pTLA-ipv6domain-tottaro     IN  AAAA    3FFE:800::
; The sTLA prefix is 2001:200::/35 (see named.conf), declared as two /36 halves.
sTLA-ipv6domain-tottaro     IN  AAAA    2001:200::
                            IN  AAAA    2001:200:1000::
pNLA-ipv6domain-tottaro     IN  AAAA    3FFE:801::
;
; Local hosts
; ------------------
host1   IN  AAAA    3FFE:800::2A8:79FF:FE32:1982
        IN  AAAA    3FFE:800::80
WWW     IN  CNAME   host1.v6.ipv6domain-tottaro.org.
;
host2   IN  AAAA    2001:200:1000:0:25F:23FF:FE80:1234
;
host3   IN  AAAA    3FFE:801:1000::2EF:6FFF:FE11:2222
host4   IN  AAAA    3FFE:801:2000:100:280:9AFF:FE80:3333
;
; Add more hosts !
Similarly to the forward translation of names, the reverse lookups under IPv6 have to cope with the various scopes of the addresses.
There are a few major differences in the way domain names are used to support IPv6 reverse address lookup compared to IPv4. The first one is that the reverse lookup domain names for IPv6 addresses are listed under the IP6.INT domain. The second one is that each hexadecimal digit (nibble) of the address becomes a domain label of its own, written least significant digit first.
; File: localhost
@       IN  SOA ns.ipv6domain-tottaro.org. root.ipv6domain-tottaro.org. (
                    3       ; Serial
                    3H      ; refresh
                    15M     ; retry
                    1W      ; expiry
                    1D )    ; minimum
;
        IN  NS  localhost.
;
localhost.                  IN  A       127.0.0.1
1.0.0.127.in-addr.arpa.     IN  PTR     localhost.
;
localhost.                  IN  AAAA    ::1
;
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0     IN  PTR     localhost.
Globally routable addresses must have a reverse lookup defined. Each organization operating a top level aggregator receives a sub-domain corresponding to its TLA. In turn, it delegates further subdomains to transit providers. The process continues recursively until a prefix is assigned to an end site or network.
The first example below corresponds to the zone file a TLA organization would operate, although the actual zone here is that of a pTLA on the 6Bone.
; File: 3ffe:80
; IPv6 reverse lookup zone for 3ffe:800::/24
; For the 6Bone pTLA
; Created: 27 August 1997, by Bertrand Buclin
; Revised: 31 January 2000, by Yuji Sekiya
;
;
@       IN  SOA ns.ipv6domain-tottaro.org. root.ipv6domain-tottaro.org. (
                    100013117   ; serial
                    3H          ; refresh
                    15M         ; retry
                    1W          ; expiry
                    1D )        ; minimum
        IN  NS  ns.ipv6domain-tottaro.org.
        IN  NS  ns2.ipv6domain-tottaro.org.
        IN  NS  ns.ipv4domain-tottaro.org.
;
; Set the origin to the pTLA prefix (3ffe:800::/24, six nibbles reversed).
; Each owner below carries the remaining 26 nibbles of the address.
; PTR targets are fully qualified (trailing dot); a relative name would
; have the $ORIGIN appended to it.
;
$ORIGIN 8.0.e.f.f.3.ip6.int.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0     IN  PTR pTLA-ipv6domain-tottaro.v6.ipv6domain-tottaro.org.
2.8.9.1.2.3.e.f.f.f.9.7.8.a.2.0.0.0.0.0.0.0.0.0.0.0     IN  PTR host1.v6.ipv6domain-tottaro.org.
0.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0     IN  PTR www.v6.ipv6domain-tottaro.org.
;
; pNLA = 01 (3ffe:801::/32): delegation of the pNLA reverse zone.
;
$ORIGIN 1.0.8.0.e.f.f.3.ip6.int.
@       IN  NS  ns.ipv6domain-tottaro.org.
        IN  NS  ns2.ipv6domain-tottaro.org.
        IN  NS  ns.ipv4domain-tottaro.org.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN  PTR pNLA-ipv6domain-tottaro.v6.ipv6domain-tottaro.org.
;
The second example below shows a zone file for a pNLA site. In this case, all the hosts within the site are listed in this zone. One could also choose to organize the file by subnets, and only use the equivalent of the EUI-64 interface ID in the domain label of the resource record.
; File: 3ffe:801
; IPv6 reverse lookup addresses for the 3ffe:801::/32 zone
;
;
@       IN  SOA ns.ipv6domain-tottaro.org. root.ipv6domain-tottaro.org. (
                    100013117   ; serial
                    3H          ; refresh
                    15M         ; retry
                    1W          ; expiry
                    1D )        ; minimum
        IN  NS  ns.ipv6domain-tottaro.org.
        IN  NS  ns2.ipv6domain-tottaro.org.
        IN  NS  ns.ipv4domain-tottaro.org.
;
; Subnet 3ffe:801:1000::/64: the 16 prefix nibbles reversed form the
; $ORIGIN, and each owner is the 16 nibbles of the interface ID reversed.
;
$ORIGIN 0.0.0.0.0.0.0.1.1.0.8.0.e.f.f.3.ip6.int.
2.2.2.2.1.1.e.f.f.f.f.6.f.e.2.0     IN  PTR host3.v6.ipv6domain-tottaro.org.
;
; Subnet 3ffe:801:2000:100::/64 (group 0100 reversed is 0.0.1.0)
;
$ORIGIN 0.0.1.0.0.0.0.2.1.0.8.0.e.f.f.3.ip6.int.
3.3.3.3.0.8.e.f.f.f.a.9.0.8.2.0     IN  PTR host4.v6.ipv6domain-tottaro.org.
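As an added example (not part of the original page), a small Python helper that derives the ip6.int names the reverse zone files above are built from: the nibble-reversed name of an address, its owner label relative to a given $ORIGIN, and the nibble-aligned zones a prefix needs, which is why the 2001:200::/35 sTLA above is declared as two /36 zones. The function names are my own; only the standard ipaddress module is needed.

```python
import ipaddress

# The page's zone files live under ip6.int, the reverse tree of RFC 1886.
SUFFIX = "ip6.int."


def nibbles(addr):
    """All 32 hex digits of an IPv6 address, most significant first."""
    return ipaddress.IPv6Address(addr).exploded.replace(":", "")


def reverse_name(addr, suffix=SUFFIX):
    """Full reverse lookup name: one label per nibble, least significant first."""
    return ".".join(reversed(nibbles(addr))) + "." + suffix


def reverse_zones(prefix, suffix=SUFFIX):
    """Nibble-aligned reverse zones needed to cover a prefix. A length that is
    not a multiple of 4 cannot be one ip6.int zone, so the prefix is split at
    the next nibble boundary: the 2001:200::/35 sTLA becomes two /36 zones,
    exactly as the named.conf above declares them."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    zone_len = -(-net.prefixlen // 4) * 4       # round up to a nibble boundary
    subs = [net] if zone_len == net.prefixlen else net.subnets(new_prefix=zone_len)
    zones = []
    for sub in subs:
        n = nibbles(sub.network_address)[: zone_len // 4]
        zones.append(".".join(reversed(n)) + "." + suffix)
    return zones


def ptr_owner(addr, origin):
    """Owner label of addr relative to a $ORIGIN: the full reverse name with
    the origin stripped. Raises ValueError if addr is outside the origin."""
    if not origin.endswith("."):
        origin += "."
    full = reverse_name(addr)
    if not full.endswith("." + origin):
        raise ValueError(f"{addr} is not under {origin}")
    return full[: -(len(origin) + 1)]


def ptr_record(addr, origin, target):
    """One PTR line for a zone file; the target must be fully qualified
    (trailing dot), otherwise BIND appends the $ORIGIN to it."""
    if not target.endswith("."):
        raise ValueError("PTR target must end with a dot")
    return f"{ptr_owner(addr, origin)} IN PTR {target}"
```

Running ptr_owner over the page's own hosts and origins is a quick way to check that every PTR owner in a reverse zone file really has the expected number of labels.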