nanog mailing list archives
Re: A crazy idea
From: Mark Andrews <marka () isc org>
Date: Tue, 20 Jul 2021 14:57:13 +1000
It is theoretically possible to completely automate reverse DNS provisioning. It just requires will to do it. Enterprises have been doing automated reverse DNS provisioning for decades now using DNS UPDATE requests from DHCP servers using TSIG or GSS-TSIG.

This method does it as part of prefix delegation and provides support for cryptographically secure updates by passing the public key as part of the prefix delegation request.

https://www.ietf.org/archive/id/draft-andrews-dnsop-pd-reverse-02.txt

You could also just allow DNS UPDATE requests over TCP/IPv6 to add/delete NS and DS records at the /48 level of the reverse tree matching the TCP source address. BIND has supported this for over a decade now as it was developed to provide a mechanism to populate the 6to4 reverse zone (2.0.0.2.ip6.arpa). It didn’t get taken up as Geoff Huston decided to go the HTTP route.

I would have the DHCPv6 server delete the records when the prefix delegation expires.

    key DHCP-SERVER { ... };

    zone 8.B.D.0.1.0.0.2.ip6.arpa {
        ...
        update-policy {
            // limit to 10 NS records and 5 DS records.
            grant * 6to4-self . NS(10) DS(5);
            grant DHCP-SERVER subdomain *;
        };
    };

In both cases the customer populates the delegation and adds DS records as required.

This is just bolting together existing technologies. This will not take off unless ISPs buy into the mechanisms.

Mark
> On 20 Jul 2021, at 03:01, Bryan Fields <Bryan () bryanfields net> wrote:
>
> On 7/19/21 8:09 AM, Stephen Satchell wrote:
>> First, I know this isn't the right place to propose this; need a pointer to where to propose an outlandish idea.
>>
>> What would the domain names look like? Let's take my current IP/IPv6 assignments from AT&T:
>>
>> 2600:1700:79b0:ddc0::/64
>> 99.65.194.96/29
>>
>> The IPv6 delegation would be easy:
>>
>> 0.c.d.d.0.b.9.7.0.0.7.1.0.0.6.2.ip6.arpa. NS my-DNS-server-1.
>> 0.c.d.d.0.b.9.7.0.0.7.1.0.0.6.2.ip6.arpa. NS my-DNS-server-2.
>
> Yup, simple, I do this for my customers (and DS records). However that reverse zone has DNSSEC on it. You'd need a DS record to tie my-DNS-server-1. to the ATT DNS server and your server would need to support DNSSEC.
>
> ATT may want to enforce DNSSEC on that zone, but not want to sign stuff they can't control. Just playing devil's advocate.
>
> --
> Bryan Fields
>
> 727-409-1194 - Voice
> http://bryanfields.net
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org
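As an added example (not code from the thread, from ISC or from BIND), the pieces the message above describes assembled in Python with only the standard library: computing the ip6.arpa name for a delegated prefix, a "matching the TCP source address" check at the /48 level in the spirit of the 6to4-self rule, an RFC 2136 UPDATE that adds NS records (or deletes the NS/DS RRsets when the delegation expires), and an RFC 8945 TSIG signature with the server-side verification. The customer prefix, the server names, the key name dhcp-server and the secret are constructed placeholders; the public-key mechanism of the draft and BIND's per-type record caps (NS(10) DS(5)) are not modeled.

```python
# Added example, not code from the thread: RFC 2136 UPDATE + RFC 8945 TSIG
# for ip6.arpa delegations, standard library only. Names/secrets are constructed.
import hashlib, hmac, ipaddress, struct, time

TYPE_NS, TYPE_SOA, TYPE_DS, TYPE_TSIG = 2, 6, 43, 250
CLASS_IN, CLASS_ANY, OPCODE_UPDATE = 1, 255, 5
TSIG_ALG = "hmac-sha256."

def reverse_name(prefix: str) -> str:
    """2600:1700:79b0:ddc0::/64 -> 0.c.d.d.0.b.9.7.0.0.7.1.0.0.6.2.ip6.arpa."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegations need a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def network_from_reverse(name: str) -> ipaddress.IPv6Network:
    """Inverse of reverse_name(): which prefix does this ip6.arpa name cover?"""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not an ip6.arpa name")
    nibbles = "".join(reversed(labels[:-2])).ljust(32, "0")
    addr = ":".join(nibbles[i:i + 4] for i in range(0, 32, 4))
    return ipaddress.IPv6Network(f"{addr}/{(len(labels) - 2) * 4}", strict=True)

def policy_allows(source_ip: str, records) -> bool:
    """The 'match the TCP source address' rule from the message: a client may
    only touch NS/DS records at the /48 name containing its own address."""
    src = ipaddress.IPv6Address(source_ip)
    for owner, rtype, _cls, _ttl, _rdata in records:
        net = network_from_reverse(owner)
        if rtype not in (TYPE_NS, TYPE_DS) or net.prefixlen != 48 or src not in net:
            return False
    return True

def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name (RFC 1035 3.1)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _skip_name(buf: bytes, pos: int) -> int:
    while buf[pos]:
        pos += 1 + buf[pos]
    return pos + 1

def add_ns(owner: str, nameserver: str, ttl: int = 3600):
    return (owner, TYPE_NS, CLASS_IN, ttl, encode_name(nameserver))

def delete_rrset(owner: str, rtype: int):
    """RFC 2136 2.5.2: CLASS ANY, TTL 0, empty RDATA removes the whole RRset,
    i.e. what the DHCPv6 server sends when the delegation expires."""
    return (owner, rtype, CLASS_ANY, 0, b"")

def build_update(zone: str, records, msg_id: int = 0x1234) -> bytes:
    """UPDATE message: header, zone section (SOA), one RR per requested change."""
    msg = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(records), 0)
    msg += encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    for owner, rtype, rclass, ttl, rdata in records:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return msg

def tsig_sign(message: bytes, key_name: str, secret: bytes, now=None, fudge=300) -> bytes:
    """Append a TSIG RR and bump ARCOUNT; the MAC covers message + TSIG variables."""
    time_signed = (int(time.time()) if now is None else now).to_bytes(6, "big")
    variables = (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(TSIG_ALG)
                 + time_signed + struct.pack("!HHH", fudge, 0, 0))      # fudge, error, other-len
    mac = hmac.new(secret, message + variables, hashlib.sha256).digest()
    rdata = (encode_name(TSIG_ALG) + time_signed + struct.pack("!HH", fudge, len(mac)) + mac
             + message[:2] + struct.pack("!HH", 0, 0))                  # original ID, error, other-len
    tsig = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig

def tsig_verify(signed: bytes, secret: bytes, now=None) -> bool:
    """Server side: find the trailing TSIG RR, recompute the MAC over the message
    as it was signed (ARCOUNT decremented), then check freshness and original ID."""
    msg_id, _flags, zo, pr, up, ad = struct.unpack("!HHHHHH", signed[:12])
    if ad == 0:
        return False                                      # unsigned request
    pos = 12
    for _ in range(zo):
        pos = _skip_name(signed, pos) + 4
    for _ in range(pr + up + ad - 1):                     # every RR except the TSIG itself
        pos = _skip_name(signed, pos)
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    body = signed[:10] + struct.pack("!H", ad - 1) + signed[12:pos]
    name_end = _skip_name(signed, pos)
    if struct.unpack("!HH", signed[name_end:name_end + 4]) != (TYPE_TSIG, CLASS_ANY):
        return False
    alg_end = _skip_name(signed, name_end + 10)
    time_signed = signed[alg_end:alg_end + 6]
    fudge, mac_len = struct.unpack("!HH", signed[alg_end + 6:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_len]
    tail = alg_end + 10 + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[tail:tail + 6])
    variables = (signed[pos:name_end] + struct.pack("!HI", CLASS_ANY, 0) + signed[name_end + 10:alg_end]
                 + time_signed + struct.pack("!HHH", fudge, error, other_len) + signed[tail + 6:tail + 6 + other_len])
    expected = hmac.new(secret, body + variables, hashlib.sha256).digest()
    now = int(time.time()) if now is None else now
    fresh = abs(now - int.from_bytes(time_signed, "big")) <= fudge
    return fresh and orig_id == msg_id and hmac.compare_digest(mac, expected)

if __name__ == "__main__":
    zone = "2.0.0.2.ip6.arpa."                            # the 6to4 reverse zone from the message
    owner = reverse_name("2002:c000:0201::/48")           # constructed customer /48
    records = [add_ns(owner, "ns1.example."), add_ns(owner, "ns2.example.")]
    signed = tsig_sign(build_update(zone, records), "dhcp-server.", b"constructed-secret")
    print(policy_allows("2002:c000:0201::1", records), tsig_verify(signed, b"constructed-secret"))
```

The verifier recomputes the MAC over the message with ARCOUNT decremented and the TSIG RR removed, exactly as the signer saw it, so any change to the update (a different NS target, a different owner name) or a replay outside the fudge window fails verification; the policy check is applied separately on the decoded records, since TSIG proves who sent the update but not that the sender is entitled to the names it touches.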