nanog mailing list archives

Re: A crazy idea

From: Mark Andrews <marka () isc org>
Date: Tue, 20 Jul 2021 14:57:13 +1000

It is theoretically possible to completely automate reverse DNS provisioning.
It just requires will to do it.  Enterprises have been doing automated reverse
DNS provisioning for decades now using DNS UPDATE requests from DHCP servers
using TSIG or GSS-TSIG.

This method does it as part of prefix delegation and provides support for
cryptographically secure updates by passing the public key as part of the
prefix delegation request.

https://www.ietf.org/archive/id/draft-andrews-dnsop-pd-reverse-02.txt

You could also just allow DNS UPDATE requests over TCP/IPv6 to add/delete NS
and DS records at the /48 level of reverse tree matching the TCP source address.
BIND has supported this for over a decade now as it was developed to provide a
mechanism to populate the 6to4 reverse zone (2.0.0.2.ip6.arpa).  It didn’t get
taken up as Geoff Huston decide to go the HTTP route.  I would have the DHCPv6
server delete the records when the prefix delegation expires.

key DHCP-SERVER {
        ...
};

zone 8.B.D.0.1.0.0.2.ip6.arpa {
        ...
        update-policy {
              // limit to 10 NS records and 5 DS records.
              grant * 6to4-self . NS(10) DS(5);
              grant DHCP-SERVER subdomain *;
        };
};

In both cases the customer populates the delegation and adds DS records as
required.

This is just bolting together existing technologies.

This will not take off unless ISPs buy into the mechanisms.

Mark

On 20 Jul 2021, at 03:01, Bryan Fields <Bryan () bryanfields net> wrote:

On 7/19/21 8:09 AM, Stephen Satchell wrote:

First, I know this isn't the right place to propose this; need a pointer 
to where to propose an outlandish idea.

What would the domain names look like?  Let's take my current IP/IPv6 
assignments from AT&T:

  2600:1700:79b0:ddc0::/64
  99.65.194.96/29

The IPv6 delegation would be easy:

0.c.d.d.0.b.9.7.0.0.7.1.0.0.6.2.ip6.arpa. NS my-DNS-server-1.
0.c.d.d.0.b.9.7.0.0.7.1.0.0.6.2.ip6.arpa. NS my-DNS-server-2.


Yup, simple, I do this for my customers (and DS records).

However that reverse zone has DNSSEC on it.  You'd need a DS record to tie
my-DNS-server-1. to the ATT DNS server and your server would need to support
DNSSEC.  ATT may want to enforce DNSSEC on that zone, but not want to sign
stuff they can't control.

Just playing devils advocate.

-- 
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org

Current thread:

Re: A crazy idea, (continued)
- - - Re: A crazy idea Nathan Angelacos (Jul 19)
    - Re: A crazy idea Randy Bush (Jul 19)
    - Re: A crazy idea tim () pelican org (Jul 19)
    - Re: A crazy idea John Waters via NANOG (Jul 19)
    - Re: A crazy idea Joe Maimon (Jul 29)
    - Re: A crazy idea Daniel Corbe (Jul 29)
    - Re: A crazy idea Owen DeLong via NANOG (Jul 29)
    - Re: A crazy idea Frank Habicht (Jul 29)
    - Re: A crazy idea Owen DeLong via NANOG (Jul 30)
- Re: A crazy idea Bryan Fields (Jul 19)
  - Re: A crazy idea Mark Andrews (Jul 19)
- Re: A crazy idea Michael Loftis (Jul 20)
  - Re: A crazy idea Michael Loftis (Jul 20)
    - Re: A crazy idea Bryan Fields (Jul 20)
    - Re: A crazy idea Chriztoffer Hansen (Jul 20)