139 Ripe 61 rDNS Kzorba Freedman

Transcript of 139 Ripe 61 rDNS Kzorba Freedman

  • 8/12/2019 139 Ripe 61 rDNS Kzorba Freedman

    1/22

    Kostas Zorbadelos (OTE), David Freedman (ClaraNet) - RIPE 61, November 2010

    Reverse DNS considerations for IPv6

  • 2/22

    Reverse DNS in IPv4

    Every Internet-reachable host should have a name. Make sure your PTR and A records match.

    For every IP address, there should be a matching PTR record in the in-addr.arpa domain. If a host is multi-homed, make sure that all IP addresses have a corresponding PTR record (not just the first one).

    November 2010 RIPE 61 2 / 22

  • 3/22

    Reverse DNS usage in the current Internet

    Some applications use DNS lookups for security checks. Failure to find matching reverse mappings is interpreted as a potential security concern.
    Web sites could use reverse mapping to verify whether the client is located within a certain geopolitical region.
    MTAs can be configured not to accept mail from clients that have no PTR or a non-matching PTR.
    Reverse mappings for visitors to services can be used in log entries.
    Traceroute output with descriptive reverse mapping proves useful.
    Scoring mail on the basis of missing or non-matching reverse mapping...

  • 5/22

    The length of individual addresses makes manual zone entries cumbersome. A sample:
    0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.8.5.0.2.0.a.2.ip6.arpa IN PTR kirk.otenet.gr.

    A single customer can have a /56 or /48 assignment. Pre-population of all possible addresses in a zone is impossible.

    When S

  • 6/22

    Reverse DNS in IPv6

    So, should we even care about PTRs in ip6.arpa?

    Do we further need

    kzorba@[host]> host kirk.otenet.gr
    kirk.otenet.gr has IPv6 address 2a02:580:200::100
    kzorba@[host]> host 2a02:580:200::100
    0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.8.5.0.2.0.a.2.ip6.arpa domain name pointer kirk.otenet.gr.

  • 7/22

    There are a few people that will hate this

    kzorba@[host]> traceroute6 www.google.com
    traceroute6 to www.l.google.com (2a00:1450:8006::93) from 2a02:580:200::100, 64 hops max, 12 byte packets
    [12 hops of output: only hop 6, de-cix20.net.google.com, carries a reverse name; the other hops (2a02:580:..., 2a00:1cb8:..., 2001:4860:..., ending at 2a00:1450:8006::93) show bare IPv6 addresses; per-hop addresses and timings are garbled in the transcript]

  • 8/22

    Usefulness of ip6.arpa records

    Current reality is that PTR records are used in weak authentication methods of services. This might not go away in the IPv6 world as quickly as some think.
    It is useful to have human readable names in log files of servers. Also useful to show names in traceroutes.
    Certain applications like email can make more use of reverse mappings (scoring mails, creating reputation in domains etc)...

  • 9/22

    Approaches to the problem

    The main source of information is currently the IETF draft draft-howard-isp-ip6rdns-04.
    Approaches discussed in the document are: no response, wildcard match, various Dynamic DNS solutions, delegation, and dynamically generated PTR when queried (on the fly).

  • 10/22

    No Response / On the fly responses

    No response: provide an NXDomain response to PTR queries for subscriber addresses. No worries for rDNS, with all the shortcomings.

    On the fly: ISPs could generate PTR records for addresses as they are requested. The PTR record is generated on demand (from an algorithm), and the forward (AAAA) entry is cached or pre-populated for the TTL of the PTR.
    Additional processing load in general; DoS counter-measures should be deployed. Could be used in a DNSSEC environment with on-the-fly signatures.
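As an added illustration (not code from the slides or from OTE/Claranet), a minimal model of the two options on this slide: NXDomain for anything outside the subscriber pool, and an algorithmically synthesised PTR whose forward (AAAA) entry is pre-populated for exactly the PTR's TTL. The pool 2001:db8::/32, the domain dyn.example.net and the nibble-based naming scheme are assumptions.

```python
import ipaddress
import time

# Constructed for this example: the subscriber pool and the domain under which
# synthesised names live are placeholders, not values from the slides.
SUBSCRIBER_POOL = ipaddress.ip_network("2001:db8::/32")
DYN_DOMAIN = "dyn.example.net."
PTR_TTL = 3600

# Stand-in for the cache / pre-populated forward zone: name -> (address, expiry)
FORWARD_CACHE = {}


def reverse_to_address(qname):
    """Parse a full 32-nibble ip6.arpa name back into an IPv6 address."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not a full ip6.arpa name")
    return ipaddress.IPv6Address(int("".join(reversed(labels[:-2])), 16))


def synth_name(addr):
    """The 'from algorithm' step: derive the PTR target from the address itself.
    Keeping all 32 nibbles lets the AAAA be regenerated without any state."""
    return addr.exploded.replace(":", "") + "." + DYN_DOMAIN


def ptr_query(qname, now=None):
    """Answer a PTR query. Pool addresses get a synthesised PTR and the matching
    forward entry is pre-populated for the PTR's TTL; anything else (or any
    malformed name) gets the 'no response' treatment, i.e. NXDOMAIN."""
    now = time.time() if now is None else now
    try:
        addr = reverse_to_address(qname)
    except ValueError:
        return ("NXDOMAIN", None)
    if addr not in SUBSCRIBER_POOL:
        return ("NXDOMAIN", None)
    target = synth_name(addr)
    FORWARD_CACHE[target] = (addr, now + PTR_TTL)
    return ("NOERROR", target)


def aaaa_query(name, now=None):
    """Forward lookup against the pre-populated entries; expired ones are gone,
    so forward and reverse can only disagree after the PTR's TTL has elapsed."""
    now = time.time() if now is None else now
    entry = FORWARD_CACHE.get(name.lower())
    if entry is None or entry[1] <= now:
        return ("NXDOMAIN", None)
    return ("NOERROR", entry[0])
```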

  • 11/22

    Dynamic DNS Approaches

    It's a way to ensure that forward and reverse records match. Does it scale? Does anybody do it in a large scale network?
    Once interface configuration is complete, hosts could provide both AAAA and PTR updates. Of course they need to know which nameservers to update.
    What about authentication of update requests? DoS to the system is possible. Illegal or inappropriate strings could be provided as hostnames.

  • 12/22

    Dynamic DNS from individual hosts

    The simplest case is a residential user with a single host connected to the ISP. The ISP should provide address information, recursive nameserver and domain search list via DHCPv6.
    The host determines its FQDN by appending hostname and search list. The host performs multiple SOA queries to find the longest prefix delegated by the DNS admin. Once found, the host sends dynamic AAAA and PTR updates.
    Not the default behavior for many hosts. Most customers are expected to be connected through a residential gateway to the ISP.

  • 13/22

    Dynamic DNS from AAA

    $ORIGIN 0.0.8.b.d.0.1.0.0.2
    1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR dn-ct1234.ipv6.provider.net.

    Driven by DHCP (OFFER) or RADIUS (ACCT-START).
    Prefix assigned: given a wildcard, a single record for the customer's gateway, OR a set is generated on the fly to cover the whole prefix.
    Removed afterward when the lease expires (DHCP) or the user is logged off (RADIUS ACCT-STOP).
    Perhaps tie in authenticated updates from your customer's delegated equipment? (nice to have)
    No current implementations exist for IPv6 PTR (stop me if you know of one).

  • 14/22

    Dynamic DNS from AAA

    Cable environment (DOCSIS 3). Diagram boxes: CPE, CMTS, DHCPD, NAMED, CDB.

    1. CPE requests IPv6

  • 15/22

    Dynamic DNS from AAA

    DSL environment (PPP): much the same. Diagram boxes: Router, NAS/RAS, RADIUS/AUTH, NAMED, CDB.

    1. Router makes PPP call to NAS/RAS, negotiates IPv6CP as NCP, NAS/RAS consults RADIUS.
    2. RADIUS asks CDB, gets transfer prefix and delegated prefix (if static), else uses a pool.
    3. NAS/RAS issues Framed-IPv6-Prefix to Router (via RA) and asks for Static Framed-Interface-ID of a known value (to prevent router S

  • 16/22

    Delegation Approach

    $ORIGIN 8.b.d.0.1.0.0.2
    1.0.0.0 IN NS ns1.customer.net.

    Very simple, make it the customer's problem.
    Not all customers have the skillset and means to do this.
    More frequent delegations mean more frequent lame delegations (RFC 1713).
    Regular audits however should pick this up.

  • 17/22

    Wildcard records and DNSSEC

    $ORIGIN 1.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
    * IN PTR dn-ct1234.ipv6.provider.net.

    Wildcarding your /64, /56 and /48 assignments. The customer overrides the wildcard with more specifics if need be.
    Wildcards can be validated in DNSSEC by use of the Labels field in RRSIG (RFC 4034/4035):

    3600 RRSIG PTR 5 2 3600 [expiration] [inception] [key tag] [signature]

    Again, forward and reverse do not match; if a customer really has an application that requires this, punch a more specific hole as above. Management of such holes may be a new system to deploy.

  • 18/22

    Wildcard records and DNSSEC

    It would actually look something like this:

    $ORIGIN 1.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
    * IN PTR dn-ct1234.ipv6.provider.net.
      3600 RRSIG PTR 5 16 3600 [expiration] [inception] [key tag] [signature]

    The number 16 allows the wildcard to represent the 16 labels of the /56 prefix when in ip6.arpa format, whilst excluding the null (root) label on the right and the wildcard label on the left:
    *.1.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
    f.e.e.b.d.a.e.d.f.e.e.b.d.a.e.d.0.0.1.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.

    Covered extensively in RFC 4035 section 5.
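An added example (not from the slides) that works through the wildcard and Labels arithmetic for the /56 on slides 17 and 18, and shows how a customer's more-specific PTR punches a hole in the wildcard match. The override record gw.customer.example and its address are constructed.

```python
import ipaddress

# Prefix from the slide, 2001:db8:1:100::/56, whose ip6.arpa form is
# 1.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
PREFIX = ipaddress.ip_network("2001:db8:1:100::/56")


def reverse_origin(net):
    """$ORIGIN of the reverse zone for a nibble-aligned prefix."""
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def wildcard_owner(net):
    return "*." + reverse_origin(net)


def rrsig_labels(owner):
    """RRSIG Labels field (RFC 4034 section 3.1.3): number of labels in the
    owner name, not counting the root label or a leading '*' label."""
    return sum(1 for label in owner.rstrip(".").split(".") if label != "*")


def ptr_answer(qname, zone):
    """Resolve a PTR query against a zone dict {owner: target}. An explicit
    owner (a 'hole') wins; otherwise a wildcard owner covers every name below
    its parent (but not the parent itself); names outside the zone get nothing."""
    qname = qname.lower()
    if qname in zone:
        return ("exact", zone[qname])
    for owner, target in zone.items():
        if owner.startswith("*.") and qname != owner[2:] and qname.endswith(owner[1:]):
            return ("wildcard", target)
    return (None, None)


def build_zone(net, wildcard_target, holes):
    """Wildcard for the whole prefix plus explicit PTRs for the given
    {address: name} overrides (the customer's more-specific records)."""
    zone = {wildcard_owner(net): wildcard_target}
    for addr, name in holes.items():
        ip = ipaddress.IPv6Address(addr)
        if ip not in net:
            raise ValueError(f"{addr} is outside {net}")
        zone[ip.reverse_pointer + "."] = name  # full 32-nibble owner name
    return zone
```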

  • 19/22

    An Opinion for the immediate future

    For infrastructure ranges (servers, network elements): continue doing things in the IPv4 way, that is, populate the forward zones with these addresses and create the ip6.arpa PTRs automatically via a script.
    For customer assignments: in case a customer is large enough and has DNS expertise, delegate his assignment to his nameservers along with any of his domains and get done with it.

  • 20/22

    An Opinion (cont.)

    In the other cases (general broadband users or corporate customers) pre-populate ip6.arpa with their assignments (/56 or something) using wildcard records.
    It would be great if the customer (only static?) has some sort of web interface to create records under a specified (forward) subdomain for him, e.g.
    The customer could choose to lose the wildcard record in ip6.arpa and have PTRs generated based solely on his AAAA records. Else, the AAAA records he creates create holes in the wildcard match.

  • 21/22

    Questions?

  • 22/22

    References

    RFC 1912 - Common DNS Operational and Configuration Errors
    http://www.faqs.org/rfcs/rfc1912.html

    Reverse DNS in IPv6 for Internet Service Providers - draft-howard-isp-ip6rdns-04
    http://tools.ietf.org/html/draft-howard-isp-ip6rdns-04

    Considerations for the use of DNS Reverse Mapping - draft-ietf-dnsop-reverse-mapping-considerations-06
    http://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations-06