IPv6 Reverse DNS
From LinodeWiki
What?
Recently, I decided that in addition to having IPv6 connectivity to my Linode, I would also like the addresses to appear correctly on reverse lookups. However, I am rather pleased with how the Linode DNS Manager works, so I really didn't want to run my own nameserver. This tutorial explains how I set up nsd, a small-footprint, fast, and easy name server, to serve my IPv6 reverse DNS records, using the Linode DNS servers as slaves.
Prerequisites
A working IPv6 set-up. This tutorial assumes the following; your mileage may vary from there:
- A working HE Tunnel Broker tunnel (you can now use HE's DNS service for reverse as well)
- Ubuntu Something (I'm using 9.04, but this should be pretty version independent)
- Any other distro should work too; there may be slight changes in how the network interface commands work, and you're on your own with building/installing nsd.
- All of your tunnel broker settings.
/etc/network/interfaces
Right now, my interfaces file contains this:
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
address 2001:470:a:a::2
netmask 64
endpoint 209.51.161.58
local 72.14.XXX.XXX
up ip route add ::/0 dev he-ipv6 metric 1
post-up sysctl -w net.ipv6.conf.all.forwarding=1
Now, the problem with this is that Tunnel Broker will not delegate reverse DNS for the main client address. What this means, in a nutshell, is that if you've already set up forward DNS for IPv6 on that address, we are going to screw it up. On the Tunnel Broker tunnel information page, a "Routed /64" appears near the bottom. This subnet is already routed towards you; we just need to tell your Linode to listen on it. So, above the post-up command, I add a few lines:
up ip -6 addr add 2001:470:b:a::1:1/128 dev he-ipv6
up ip -6 addr add 2001:470:b:a::2:1/128 dev he-ipv6
up ip -6 addr add 2001:470:b:a::3:1/128 dev he-ipv6
These lines tell the interface to listen on ::1:1, ::2:1, and ::3:1 in the routed /64 subnet. You'll notice that the third group of hex digits differs from the client address above. This is usually the case with Tunnel Broker (if my two tunnels are anything to go by). I've configured 3 addresses, as I have 3 domains (2 domains and a subdomain) that I'd like to resolve correctly. At this point, it may be a good idea to update the AAAA records in the Linode DNS Manager.
Linode DNS Manager - Forward DNS
I've added the following based on the appropriate zone:
2001:470:b:a::1:1 AAAA example1.org
2001:470:b:a::2:1 AAAA subdomain.example1.org
2001:470:b:a::3:1 AAAA example2.org
Installing / Configuring NSD
Next, we need to install nsd. Since I use Ubuntu, I simply run:
# apt-get install nsd3
If it isn't enabled, you'll need the universe repository. I have no idea of the merits of v2 (package nsd) vs. v3 (package nsd3); I went with the tried and true "bigger is better". Next, let's make a zone file:
/etc/nsd3/primary/reverse.zone
# cd /etc/nsd3
# mkdir primary
# cd /etc/nsd3/primary
# vim reverse.zone
These are the contents of my zone file:
$TTL 3d ; default TTL for records that don't set one explicitly
@ IN SOA example1.org. somebody.gmail.com. (
    200906070 ; Serial number (YYYYMMDD plus a revision digit)
    24h       ; Refresh time
    30m       ; Retry time
    2d        ; Expire time
    3d        ; Minimum / negative-caching TTL
)
; Name server entries (indented, so they inherit the @ owner name)
    IN NS example1.org.
    IN NS ns1.linode.com.
    IN NS ns2.linode.com.
; IPv6 PTR entries - targets end with a dot, otherwise the origin is appended to them
$ORIGIN a.0.0.0.b.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa.
1.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0 IN PTR example1.org.
1.0.0.0.2.0.0.0.0.0.0.0.0.0.0.0 IN PTR subdomain.example1.org.
1.0.0.0.3.0.0.0.0.0.0.0.0.0.0.0 IN PTR example2.org.
So, if you're wondering where the hell all those dots came from: it is literally the address, in reverse, with a dot between each hex digit. Remember, per IPv6, the full (uncompressed) address of the first domain was:
2001:0470:000b:000a:0000:0000:0001:0001
Insane, isn't it?
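As an added example (not from the original page), here is a small Python script that does the nibble reversal described above and generates the $ORIGIN and PTR lines for the routed /64, refusing any PTR target that lacks the trailing dot (which nsd would otherwise append the origin to). The prefix and the address-to-name mapping are constructed sample data matching the tutorial.

```python
import ipaddress

# Constructed sample data matching the tutorial's routed /64 and its three hosts.
ROUTED_PREFIX = "2001:470:b:a::/64"
HOSTS = {
    "2001:470:b:a::1:1": "example1.org.",
    "2001:470:b:a::2:1": "subdomain.example1.org.",
    "2001:470:b:a::3:1": "example2.org.",
}

def nibbles_reversed(addr):
    """Expand to 32 hex digits (2001:0470:000b:000a:...) and reverse them."""
    return list(reversed(addr.exploded.replace(":", "")))

def ptr_name(address):
    """Full ip6.arpa name for one address: one label per nibble, reversed."""
    return ".".join(nibbles_reversed(ipaddress.IPv6Address(address))) + ".ip6.arpa."

def zone_origin(prefix):
    """ip6.arpa origin for a prefix that ends on a nibble (4-bit) boundary."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    keep = net.prefixlen // 4  # number of nibbles that belong to the prefix
    return ".".join(nibbles_reversed(net.network_address)[32 - keep:]) + ".ip6.arpa."

def ptr_records(prefix, hosts):
    """PTR lines whose owner names are relative to the zone origin."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    keep = net.prefixlen // 4
    records = []
    for address, target in hosts.items():
        addr = ipaddress.IPv6Address(address)
        if addr not in net:
            raise ValueError(f"{address} is not inside {prefix}")
        if not target.endswith("."):
            # A relative target would silently become target + origin.
            raise ValueError(f"PTR target {target!r} must end with a dot")
        owner = ".".join(nibbles_reversed(addr)[:32 - keep])  # host nibbles only
        records.append(f"{owner} IN PTR {target}")
    return records

def zone_lines(prefix, hosts):
    """The $ORIGIN directive followed by the PTR records, ready to paste."""
    return [f"$ORIGIN {zone_origin(prefix)}"] + ptr_records(prefix, hosts)

if __name__ == "__main__":
    print("\n".join(zone_lines(ROUTED_PREFIX, HOSTS)))
```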
/etc/nsd3/nsd.conf
Next, we'll configure nsd to serve the zone. Just add these lines to the end of the file:
zone:
    name: a.0.0.0.b.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa
    zonefile: primary/reverse.zone
    notify: 69.93.127.10 NOKEY
    provide-xfr: 69.93.127.10 NOKEY
    notify: 65.19.178.10 NOKEY
    provide-xfr: 65.19.178.10 NOKEY
Linode DNS Manager - Slave Zone
Next, go into the Linode DNS Manager and add a new zone named 'a.0.0.0.b.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa', as a slave type. Be sure to turn AXFR on. Note that, as of writing, there is a small bug in the manager where you need to save the new zone, edit it, and toggle AXFR on (it won't save the setting on creation). Be sure to supply the IPv4 address of your server (the external IP, if you have a private IP as well) in the box provided.
Starting NSD
Next, we should start nsd:
# nsdc rebuild
If there are no errors, then:
# nsdc reload
Again, be sure there are no errors. If you get a "SERVER NOT AUTHORITATIVE FOR ZONE" error, it probably means that AXFR isn't on, or you didn't supply the correct IP address to the Linode DNS server.
Telling Tunnel Broker to look
Finally, tell Tunnel Broker to do rDNS delegation. I used:
NS1: ns1.linode.com
NS2: ns2.linode.com
NS3: example1.org (my own server)
Testing
There are a number of tests you could have done on the way here. I probably did more than necessary, so I didn't write them all out; if someone wants to write them out, by all means :)
# dig -x 2001:470:b:a::1:1 @localhost +short
example1.org
# ping6 example1.org
PING example1.org(example1.org) 56 data bytes
64 bytes from example1.org: icmp_seq=1 ttl=64 time=0.059 ms
If you see your server name, rather than a string of hex digits (your IPv6), it works. Keep in mind it takes a little bit of time to propagate. Enjoy.
6to4
See Nick's 6to4 page
