DNS and BIND on IPv6

by Cricket Liu
Beijing • Cambridge • Farnham • Köln • Sebastopol • Tokyo
Copyright © 2011 Cricket Liu. All rights reserved.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://my.safaribooksonline.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.
Editor: Mike Loukides
Production Editor: Holly Bauer
Proofreader: Holly Bauer
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrator: Robert Romano
Printing History:
May 2011: First Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. The image of crickets and related trade dress are trademarks of O'Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc., was aware of a trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
ISBN: 978-1-449-30519-2
Table of Contents
Preface
1. DNS and IPv6
   Background
   IPv6 and DNS
   The ABCs of IPv6 Addresses
   IPv6 Forward and Reverse Mapping
   AAAA and ip6.arpa
   Adding AAAA Records to Forward-Mapping Zones
   IPv6 Reverse-Mapping Zones
   Delegation and Reverse-Mapping Zones
   Built-In Empty Reverse-Mapping Zones
2. BIND on IPv6
   Listening for Queries
   Sending Queries
   More on Query Port Randomization
   Forcing the Use of a Particular Protocol
   IPv6 Masters and Slaves
   Other IPv6 Zone Transfer Controls
   IPv6 Networks and Addresses in ACLs
   Registering IPv6 Name Servers
   Delegating to IPv6 Name Servers
   Server Statements for IPv6 Name Servers
   Special Considerations
   Handling "Monolingual" Name Servers
   Handling Broken Resolvers
   rndc and IPv6
3. Resolver Configuration
   Mac OS X
   Windows
   Dynamic Resolver Configuration
   Resolver Configuration Using DHCPv6
   Resolver Configuration Using Router Advertisements
4. DNS64
   Authoritative Name Servers and DNS64
   Interaction Between DNS64 and DNSSEC
   DNS64 and Reverse Mapping
5. Troubleshooting
   nslookup
   dig
Preface
I'm sorry for writing this ebook.
Well, that's not quite accurate. What I mean is, I'm sorry I didn't have time to update DNS and BIND to include all this new IPv6 material. DNS and BIND deserves a sixth edition, but I'm afraid my schedule is so hectic right now that I just don't have time to write it. Heck, I'm on a flight from Boston to Tampa as I write this. (Long flights are great for writing prefaces, not so great for writing books about Internet technologies. Though in-flight Internet access does help.)
This book is essentially all the material related to IPv6 that I would have included in the sixth edition of DNS and BIND (and will, once I get to it). It covers how DNS was extended to accommodate IPv6 addresses, both for forward-mapping and reverse-mapping. It describes how to configure a BIND name server to run on an IPv6 network and how to troubleshoot problems with IPv6 forward- and reverse-mapping. It even covers DNS64, a DNS-based transition technology that, together with a companion technology called NAT64, can help islands of IPv6-only speaking hosts communicate with IPv4 resources.
Audience
I wrote this book for DNS administrators who are rolling out IPv6 on their networks and who need to understand how to support IPv6 on those networks with DNS. This ebook covers the underlying theory, including the structure and representation of IPv6 addresses; the A, M, and O flags in Router Advertisements and what they mean to DNS; as well as the nuts and bolts, including the syntax of AAAA records and PTR records in the ip6.arpa reverse-mapping zone and the syntax and semantics of configuring a BIND name server.
Assumptions This Book Makes
This book assumes that you understand basic DNS theory and BIND configuration. It doesn't explain what a resource record is or how to edit a zone data file, or remind you that you need to increment the serial number of the zone's SOA record before reloading it (other than just now); for that, I highly recommend DNS and BIND. But that shouldn't surprise you.
The book doesn't assume that you know anything in particular about IPv6, though.
Contents of This Book
This book is organized into five chapters as follows:
Chapter 1, DNS and IPv6
This chapter explains the motivation behind the move to IPv6 and describes the structure and representation of IPv6 addresses. It also introduces the syntaxes of AAAA records and PTR records in the ip6.arpa IPv6 reverse-mapping zone and explains how to delegate subdomains of ip6.arpa zones.
Chapter 2, BIND on IPv6
This chapter describes how to configure BIND name servers to run on IPv6 networks, including how to configure IPv6 master and slave name servers, how to use IPv6 addresses and networks in ACLs, and how to register and delegate to IPv6-speaking name servers. The chapter also includes a section on special considerations that may arise because IPv6 connectivity is not yet pervasive.
Chapter 3, Resolver Configuration
This chapter shows how to configure popular stub resolvers (Linux/Unix, Mac OS X and Windows) to query IPv6-speaking name servers. It also covers dynamic configuration of resolvers using DHCPv6 and Router Advertisements.
Chapter 4, DNS64
This chapter explains the DNS64 transition technology, which allows clients with IPv6-only network stacks to communicate with IPv4 servers.
Chapter 5, Troubleshooting
This chapter describes how to use the common nslookup and dig troubleshooting tools to look up the IPv6 addresses of a domain name or reverse-map an IPv6 address to a domain name. It also covers how to query a name server's IPv6 address.
Conventions Used in This Book
The following typographical conventions are used in this book:
Plain text
Indicates menu titles, menu options, menu buttons, and keyboard accelerators (such as Alt and Ctrl).
Italic
Indicates new terms, URLs, email addresses, filenames, file extensions, pathnames, directories, and Unix utilities.
Constant width
Indicates commands, options, switches, variables, attributes, keys, functions, types, classes, namespaces, methods, modules, properties, parameters, values, objects, events, event handlers, XML tags, HTML tags, macros, the contents of files, or the output from commands.
Constant width bold
Shows commands or other text that should be typed literally by the user.
Constant width italic
Shows text that should be replaced with user-supplied values.
This icon signifies a tip, suggestion, or general note.
This icon indicates a warning or caution.
Using Code Examples
This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you're reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O'Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product's documentation does require permission.
We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: "DNS and BIND on IPv6 by Cricket Liu (O'Reilly). Copyright 2011 Cricket Liu, 978-1-449-30519-2."
If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at permissions@oreilly.com.
Safari® Books Online
Safari Books Online is an on-demand digital library that lets you easily search over 7,500 technology and creative reference books and videos to find the answers you need quickly.
With a subscription, you can read any page and watch any video from our library online. Read books on your cell phone and mobile devices. Access new titles before they are available for print, and get exclusive access to manuscripts in development and post feedback for the authors. Copy and paste code samples, organize your favorites, download chapters, bookmark key sections, create notes, print out pages, and benefit from tons of other time-saving features.
O'Reilly Media has uploaded this book to the Safari Books Online service. To have full digital access to this book and others on similar topics from O'Reilly and other publishers, sign up for free at http://my.safaribooksonline.com.
How to Contact Us
Please address comments and questions concerning this book to the publisher:
O'Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (in the United States or Canada)
(707) 829-0515 (international or local)
(707) 829-0104 (fax)
We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:
http://www.oreilly.com/catalog/9781449305192
To comment or ask technical questions about this book, send email to:
bookquestions@oreilly.com
For more information about our books, courses, conferences, and news, see our website at http://www.oreilly.com.
Find us on Facebook: http://facebook.com/oreilly
Follow us on Twitter: http://twitter.com/oreillymedia
Watch us on YouTube: http://www.youtube.com/oreillymedia
Acknowledgments
Many thanks to my long-time editor, Mike Loukides, for suggesting this book in the first place. (Though now he's going to start pressuring me to get going on the sixth edition of DNS and BIND.) Thanks also to my boss at Infoblox, Steve Nye, who supported the project, and to my old friend and co-conspirator in the Ask Mr. DNS podcast, Matt Larson, who helps keep my DNS skills from atrophying completely. And much credit is due Owen DeLong for his excellent technical review.
Most of all, though, thanks to my family: Walt and Greta, Charlie and Jessie, and especially my wife, Paige. They give me both the time to write, and the reason.
CHAPTER 1
DNS and IPv6
Background
In early February 2011, the Internet Assigned Numbers Authority, or IANA, assigned the last remaining IPv4 address space to the five Regional Internet Registries (RIRs). As of this writing, the RIRs haven't yet doled out that address space to carriers and other customers, but it's clear that the exhaustion of IPv4 address space is imminent.
For most organizations on the Internet, the depletion of the Internet's unallocated IPv4 address space won't necessitate immediate changes; IPv4 isn't going anywhere for the foreseeable future. In certain exceptional cases, however, organizations may need to implement IPv6 almost right away: mobile carriers and ISPs seeking to expand their subscriber bases, for example, may need to use IPv6 for new subscribers if they lack additional IPv4 address space to use for expansion.
The Internet's transition from IPv4 to IPv6 has begun. With the US government's mandate that government agencies move their networks to IPv6, a growing number of users will access the Internet over the new protocol, and an increasing number of resources (websites, name servers, mail servers, and more) will be accessible via IPv6. In some cases, some may only be accessible over IPv6.
The transition to IPv6 will take years, maybe decades, to complete. Today, of course, IPv6 is already routed over the Internet: 9% of the Internet's Autonomous Systems advertise routes to both IPv4 and IPv6 networks. But IPv6 constitutes a tiny fraction of the traffic routed over the Internet. Organizations deploying new IPv6 networks today need to implement transition technologies that enable their IPv6-based devices to reach IPv4-only services.
Over time, however, the balance will shift, and so will the responsibility. As IPv6 becomes the predominant protocol on the Internet, the remaining pockets of IPv4 will need to accommodate IPv6, not vice versa. I imagine the transition playing out something like the move from rotary dialing to Touch-Tone®; in 1963, when the switch began, Touch-Tone® was a novelty you had to pay extra for. Now, of course, Touch-Tone® is the norm (unless you've already moved on to VoIP) and rotary dialing is a curiosity you have to pay your phone company more to accommodate, if they can still handle it at all.
IPv6 and DNS
The exhaustion of the IPv4 address space wasn't unexpected, of course. The Internet Engineering Task Force (IETF) developed IP version 6 in the 1990s largely in anticipation of this day. Likewise, the Domain Name System was extended to accommodate IPv6's longer IP addresses by adding new record types, and new versions of name servers, including BIND, were released to support those new record types as well as the use of IPv6 to transport queries and responses. At this point, all but ancient BIND name servers support IPv6, though in most cases that support isn't configured or used. We've just been waiting patiently for the protocol to catch on!
The ABCs of IPv6 Addresses
The most widely known aspect of IPv6, and really the only one that matters to DNS, is the length of the IPv6 address: 128 bits, four times as long as IPv4's 32-bit address. The preferred representation of an IPv6 address is eight groups of as many as four hexadecimal digits, separated by colons. For example:
2001:0db8:0123:4567:89ab:cdef:0123:4567
The first group, or quartet, of hex digits (2001, in this example) represents the most significant (or highest-order) sixteen bits of the address. In binary terms, 2001 is equivalent to 0010000000000001.
Groups of digits that begin with one or more zeros don't need to be padded to four places, so you can also write the previous address as:
2001:db8:123:4567:89ab:cdef:123:4567
Each group must contain at least one digit, though, unless you're using the :: notation. The :: notation allows you to compress sequential groups of zeros. This comes in handy when you're specifying just an IPv6 prefix. For example:
2001:db8:dead:beef::
specifies the first 64 bits of an IPv6 address as 2001:db8:dead:beef and the remaining 64 as zeros.
You can also use :: at the beginning of an IPv6 address to specify a suffix. For example, the IPv6 loopback address is commonly written as:
::1
or 127 bits of zero followed by a single one bit. You can even use :: in the middle of an address as shorthand for contiguous groups of zeros:
2001:db8:dead:beef::1
You can use the :: shorthand only once in an address, since more than one would be ambiguous.
IPv6 prefixes are specified in a format similar to IPv4's CIDR notation. As many bits of the prefix as are significant are expressed in the standard IPv6 notation, followed by a slash and a decimal count of exactly how many significant bits there are. So the following four prefix specifications are equivalent (though obviously not equivalently terse):
2001:db8:dead:beef:0000:00f1:0000:0000/96
2001:db8:dead:beef:0:f1:0:0/96
2001:db8:dead:beef::f1:0:0/96
2001:db8:dead:beef:0:f1::/96
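The rules just described (drop leading zeros, write the longest run of zero quartets as a single ::, count significant bits after the slash) are mechanical enough to code. The following Python is an added example, not code from the book: it expands and compresses addresses by hand, checks that the four /96 spellings above denote the same prefix, and splits a global unicast address into the /48 site prefix, 16-bit subnet ID and 64-bit interface ID that the rest of this section describes. Only the standard library is used; the ipaddress module is called at the end purely to cross-check the hand-rolled expansion.

```python
"""Expand, compress and compare IPv6 addresses (added example, standard library only)."""
import ipaddress
import re

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")

# The four equivalent /96 spellings from the chapter.
PAGE_PREFIXES = [
    "2001:db8:dead:beef:0000:00f1:0000:0000/96",
    "2001:db8:dead:beef:0:f1:0:0/96",
    "2001:db8:dead:beef::f1:0:0/96",
    "2001:db8:dead:beef:0:f1::/96",
]


def expand_ipv6(text):
    """Return the full eight-quartet, four-digit form of an IPv6 address.

    Accepts every shortcut the chapter describes: dropped leading zeros and
    one '::' standing for one or more all-zero quartets at the start, in the
    middle or at the end. A second '::' is rejected as ambiguous.
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % text)
    if "::" in text:
        left, right = text.split("::")
        left_groups = left.split(":") if left else []
        right_groups = right.split(":") if right else []
        missing = 8 - len(left_groups) - len(right_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one quartet: %r" % text)
        groups = left_groups + ["0"] * missing + right_groups
    else:
        groups = text.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.match(g) for g in groups):
        raise ValueError("not a valid IPv6 address: %r" % text)
    return ":".join(g.lower().zfill(4) for g in groups)


def is_valid_ipv6(text):
    """True when expand_ipv6 accepts the text."""
    try:
        expand_ipv6(text)
    except ValueError:
        return False
    return True


def compress_ipv6(text):
    """Return the RFC 5952 style short form: leading zeros dropped and the
    longest run of two or more zero quartets (leftmost on a tie) written as
    '::'. A lone zero quartet stays as '0'."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(text).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return head + "::" + tail


def network_bits(spec):
    """(prefix length, significant bits as an int) for 'address/length'."""
    address, _, length = spec.partition("/")
    length = int(length)
    if not 0 <= length <= 128:
        raise ValueError("prefix length out of range: %r" % spec)
    value = int(expand_ipv6(address).replace(":", ""), 16)
    return length, value >> (128 - length)


def equivalent_prefixes(specs):
    """True when every spelling in specs names the same prefix."""
    return len({network_bits(s) for s in specs}) == 1


def address_parts(address):
    """Split an address the way the chapter's diagram does: the /48 site
    prefix, the 16-bit subnet ID quartet and the 64-bit interface ID."""
    groups = expand_ipv6(address).split(":")
    site = compress_ipv6(":".join(groups[:3]) + "::") + "/48"
    return site, groups[3], ":".join(groups[4:])


if __name__ == "__main__":
    for spelling in PAGE_PREFIXES:
        address = spelling.split("/")[0]
        # Cross-check the hand-rolled expansion against the standard library.
        assert expand_ipv6(address) == ipaddress.IPv6Address(address).exploded
        print("%-44s -> %s" % (spelling, compress_ipv6(address)))
    print("all four equivalent:", equivalent_prefixes(PAGE_PREFIXES))
    print("2001:db8:cafe:f9::d3 splits into", address_parts("2001:db8:cafe:f9::d3"))
```

Note that compress_ipv6 leaves the single zero quartet in 2001:db8:dead:beef:0:f1:: alone and collapses only the trailing pair, which is why the third spelling on the page (::f1:0:0) is legal input but is never produced as output.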
IPv6 is similar to IPv4 in that it supports variable-length network masks, and addresses are divided into network and host portions. However, in IPv6, there are recommended network masks for networks and subnets: the first 48 bits of an IPv6 address should identify a particular end site and a 64-bit prefix should identify one of up to 65,536 subnetworks at the site identified by the "parent" 48-bit prefix. As of this writing, all global unicast IPv6 addresses on the Internet (addresses that are unique and globally routable) have prefixes that begin with the binary value 001 (equivalent to 2000::/3). These are assigned by Regional Internet Registries (RIRs) and Internet service providers. The prefix itself may be hierarchical, with an RIR responsible for allocating higher-order bits to various ISPs, and ISPs responsible for allocating the lowest-order bits of the prefix to their customers.
After the end-site prefix, unicast IPv6 addresses typically contain another 16 bits that identify the particular subnetwork within an end site, called the subnet ID. The remaining bits of the address identify a particular network interface and are referred to as the interface ID.
Here's a diagram that shows how these parts fit together:
|         48 bits        |  16 bits  |           64 bits          |
+------------------------+-----------+----------------------------+
|         prefix         | subnet ID |        interface ID        |
+------------------------+-----------+----------------------------+
/                        \
|                         +-------------------------------------\
|  3 bits  |  9 bits  |  12-20 bits  |        16-24 bits        |
+----------+----------+--------------+--------------------------+
|   IETF   |   IANA   |     RIR      |        RIR or ISP        |
+----------+----------+--------------+--------------------------+
As you can see in the diagram, the 48-bit prefix is made up of several parts. As previously mentioned, the first three bits are assigned by IETF to indicate "Global Unicast Space." The next nine bits are assigned by IANA to a particular RIR (for example, 2620::/12 is assigned to ARIN, the American Registry for Internet Numbers). The RIR then assigns prefixes to ISPs and end users ranging from 24 to 48 bits (the RIR controls between 12 and 36 bits). Finally, in an ISP's address space, the ISP can assign the bits after its RIR-assigned prefix up to the /48 allocated to each customer end site.
Coincidentally, Movie University just arranged to get IPv6 connectivity from our ISP. The ISP assigned us a /48-sized IPv6 network, 2001:db8:cafe::/48, which we'll subnet using the scheme just described into /64-sized subnetworks.
What's this fe80:: address?
If you're poking around on a Unix or Linux system with ifconfig, netstat or the like, you may notice that your host's network interfaces already have IPv6 addresses assigned to them, starting with the quartet "fe80." These are link-local scoped addresses, derived automatically from the interfaces' hardware addresses. The link-local scope is significant: you can't access these addresses from anywhere but the local subnet, so don't use them in delegation, masters substatements, and the like. Use global unicast addresses assigned to the host instead. You probably shouldn't even use link-local addresses in the configuration of resolvers on the same subnet if there's any chance that those resolvers will move (e.g., if they're on laptops or other mobile devices).
IPv6 Forward and Reverse Mapping
Clearly, DNS's A record won't accommodate IPv6's 128-bit addresses; an A record's record-specific data is a 32-bit address in dotted-octet format.
The IETF came up with a simple solution to this problem, described in RFC 1886. A new type of address record, AAAA, was used to store a 128-bit IPv6 address, and a new IPv6 reverse-mapping domain, ip6.int, was introduced. This solution was straightforward enough to implement in BIND 4. Unfortunately, not everyone liked the simple solution, so they came up with a much more complicated one. This solution introduced the new A6 and DNAME records and required a complete overhaul of the BIND name server to implement. Then, after much acrimonious debate, the IETF decided that the new A6/DNAME scheme involved too much overhead, was prone to failure, and was of unproven usefulness. At least temporarily, they moved the RFC that describes A6 records off the IETF standards track to experimental status, deprecated the use of DNAME records in reverse-mapping zones, and trotted old RFC 1886 back out. Everything old is new again.
For now, the AAAA record is the way to handle IPv6 forward mapping. The use of ip6.int is deprecated, however, mostly for political reasons; it's been replaced by ip6.arpa.
AAAA and ip6.arpa
The AAAA (pronounced "quad A," not "ahh!") record, described in RFC 1886, is a simple address record with record-specific data that's four times as long as an A record, hence the four As in the record type. The AAAA record takes as its record-specific data the textual format of an IPv6 address, exactly as described earlier. So for example, you'd see AAAA records like this one:
ipv6-host IN AAAA 2001:db8:1:2:3:4:567:89ab
As you can see, it's perfectly okay to use shortcuts in the IPv6 address, including dropping leading zeroes from quartets and replacing one or more contiguous quartets of all zeroes with ::.
RFC 1886 also established ip6.int, now replaced by ip6.arpa, a new reverse-mapping name space for IPv6 addresses. Each level of subdomain under ip6.arpa represents four bits of the 128-bit address, encoded as a hexadecimal digit just like in the record-specific data of the AAAA record. The least significant (lowest-order) bits appear at the far left of the domain name. Unlike the format of IPv6 addresses in AAAA records, omitting leading zeros is not allowed, so there are always 32 hexadecimal digits and 32 levels of subdomain below ip6.arpa in a domain name corresponding to a full IPv6 address. The domain name that corresponds to the address in the previous example is:
b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
These domain names have PTR records attached, just as the domain names under in-addr.arpa do:
b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR mash.ip6.movie.edu.
Adding AAAA Records to Forward-Mapping Zones
A and AAAA records can coexist side-by-side in any forward-mapping zone. So, for example, if your host has both an IPv4 and an IPv6 address (commonly called a "dual-stack" host), you can attach both A and AAAA records to its domain name:
suckerpunch    IN A    192.249.249.111
               IN AAAA 2001:db8:cafe:f9::d3
However, you should be careful with that configuration, at least for the time being. Some current resolvers will always look up AAAA records before A records, even if the host running the resolver lacks the ability to communicate with all IPv6 addresses (for example, the host only has a link-local IPv6 address, or uses some transition technology that gives it limited IPv6 connectivity). If you attach both A and AAAA records to a single domain name, as in the example above, a user of one of these broken resolvers would need to wait for his connection to the IPv6 address to time out before successfully connecting to the IPv4 address, which could take as long as a few minutes (see "Handling Broken Resolvers" in Chapter 2 for a mechanism to help you deal with this).
Until these broken resolvers are fixed, it's prudent to attach A and AAAA records to different domain names, at least for hosts offering services:
suckerpunch    IN A    192.249.249.111
suckerpunch-v6 IN AAAA 2001:db8:cafe:f9::d3
If you like the aesthetics better, you can use "v6" as a label in the domain name instead of as a suffix to the hostname:
suckerpunch.v6 IN AAAA 2001:db8:cafe:f9::d3
Note that this doesn't require that you create a new subzone called v6.movie.edu; a subdomain in the same zone will do nicely.
IPv6 Reverse-Mapping Zones
If you use the standard IPv6 subnetting scheme shown in the diagram in "The ABCs of IPv6 Addresses", the reverse-mapping zones that correspond to your subnets will have 18 labels. For example, the subnet that suckerpunch.v6.movie.edu is on, 2001:db8:cafe:f9::/64, would correspond to the reverse-mapping zone 9.f.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa. Remember that DNS is case-insensitive, so we could also have called the zone 9.F.0.0.E.F.A.C.8.B.D.0.1.0.0.2.IP6.ARPA or even 9.F.0.0.e.F.a.C.8.b.D.0.1.0.0.2.iP6.aRpA, if we'd been feeling punchy. They all would have handled reverse mapping of IPv6 addresses just as well.
As with IPv4 reverse-mapping zones, IPv6 reverse-mapping zones mostly contain PTR records. And as with any zone, they must contain one SOA record and one or more NS records. Here's what the beginning of that zone looks like:
$TTL 1d
@ IN SOA terminator.movie.edu. hostmaster.movie.edu. (
        2011030800 ; Serial number
        1h         ; Refresh (1 hour)
        15m        ; Retry (15 minutes)
        30d        ; Expire (30 days)
        10m )      ; Negative-caching TTL (10 minutes)
  IN NS terminator.movie.edu.
  IN NS wormhole.movie.edu.
3.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR suckerpunch.v6.movie.edu.
4.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR super8.v6.movie.edu.
Here's hoping that most of your hosts will use dynamic update to register their own AAAA and PTR records, or else you're going to wear out the period key on your keyboard.
If you're going to add a lot of PTR records to an IPv6 reverse-mapping zone by hand, it's a good idea to make liberal use of the $ORIGIN control statement. For example, you could rewrite those last two PTR records as:
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.f.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa.
3.d PTR suckerpunch.v6.movie.edu.
4.d PTR super8.v6.movie.edu.
The zone statement we added to the named.conf file on terminator to configure it as the primary name server for the reverse-mapping zone looks like this:
zone "9.f.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    file "db.2001:db8:cafe:f9";
};
Of course, you can name the zone data file whatever you like, but I suggest embedding the subnet's prefix in there somewhere.
It's probably best to avoid the use of the $GENERATE control statement in IPv6 reverse-mapping zones. Figuring out the right syntax to use to generate PTR records for such zones is tricky, and it's easy to create so many PTR records that you can cause your name server to run out of memory.
Delegation and Reverse-Mapping Zones
You handle delegation with IPv6 reverse-mapping zones just as you would with IPv4 reverse-mapping zones, except it's easier in one important respect. Those of you unfortunate enough to employ IPv4 subnet masks that don't end on an octet boundary (that is, anything other than /8, /16, and /24) wind up with either more than one reverse-mapping zone per subnet or multiple subnets per reverse-mapping zone. Those of you with subnets smaller than a /24 may even be forced to follow RFC 2317, which is really unfortunate.
With IPv6's standard subnetting scheme, each subnet can contain a whopping 2^64 addresses, and you usually get over 65,000 subnets (assuming your ISP or RIR assigns a full /48 to you). Consequently, you probably won't find yourself tempted to try to use a non-aligned subnet mask to make a subnet just large enough to accommodate the connected hosts. You'll create a /48-sized reverse-mapping zone for your entire IPv6 network, and if necessary can delegate /64-sized subdomains from it.
For Movie University's /48, 2001:db8:cafe::/48, the corresponding reverse-mapping zone is e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa. If we needed to delegate the 2001:db8:cafe:f9::/64 subnet, introduced earlier, to a different set of name servers, we could add delegation like so:
$TTL 1d
@ IN SOA terminator.movie.edu. hostmaster.movie.edu. (
        2011030800 ; Serial number
        1h         ; Refresh (1 hour)
        15m        ; Retry (15 minutes)
        30d        ; Expire (30 days)
        10m )      ; Negative-caching TTL (10 minutes)
  IN NS terminator.movie.edu.
  IN NS wormhole.movie.edu.
9.f.0.0 IN NS adjustmentbureau.movie.edu.
        IN NS rango.movie.edu.
Of course, no glue addresses are necessary, because the domain names of the name servers aren't below the delegation point.
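The PTR owner names in "AAAA and ip6.arpa", the zone name and $ORIGIN trick in "IPv6 Reverse-Mapping Zones" and the delegation label in this section are all the same nibble reversal applied to a different number of bits. The Python below is an added example, not code from the book: it derives the PTR owner name for an address, the zone name for any nibble-aligned prefix, the owner name of the NS records that delegate a child prefix from its parent's zone, and renders the two movie.edu zones listed above from the page's own addresses. The SOA timer values are copied from those listings; everything else is computed, with the standard library's ipaddress module supplying the fully expanded address so no leading zeros are lost.

```python
"""Derive ip6.arpa names and render reverse-mapping zones (added example)."""
import ipaddress

REVERSE_SUFFIX = "ip6.arpa."


def nibbles(address):
    """All 32 hex digits of an IPv6 address, most significant first.
    .exploded restores every leading zero, which ip6.arpa names require."""
    return ipaddress.IPv6Address(address).exploded.replace(":", "")


def reverse_name(address):
    """PTR owner name for a full address: one label per nibble, lowest-order
    nibble leftmost, under ip6.arpa (32 labels plus two)."""
    return ".".join(reversed(nibbles(address))) + "." + REVERSE_SUFFIX


def reverse_zone(prefix):
    """Reverse-mapping zone for a nibble-aligned prefix ('2001:db8:cafe::/48').
    strict=True rejects a prefix with host bits set, a common typo."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("%s is not nibble-aligned; use a multiple of 4" % prefix)
    significant = nibbles(net.network_address)[: net.prefixlen // 4]
    return ".".join(reversed(significant)) + "." + REVERSE_SUFFIX


def labels_below(name, zone):
    """The labels of an absolute name that sit below an absolute zone name."""
    if not name.endswith("." + zone):
        raise ValueError("%s is not below %s" % (name, zone))
    return name[: -(len(zone) + 1)]


def relative_owner(address, zone_prefix):
    """Owner of the PTR for address as written under a $ORIGIN of the zone
    for zone_prefix: 16 labels under a /64, just '3.d' under a /120."""
    return labels_below(reverse_name(address), reverse_zone(zone_prefix))


def delegation_label(child_prefix, parent_prefix):
    """Owner of the NS records that delegate the child's zone from the parent's."""
    return labels_below(reverse_zone(child_prefix), reverse_zone(parent_prefix))


def render_reverse_zone(zone_prefix, hosts, primary_ns, nameservers, serial,
                        delegations=(), origin_prefixlen=120,
                        contact="hostmaster.movie.edu."):
    """Render the zone for zone_prefix as text.

    hosts maps address -> PTR target; PTRs are grouped under one $ORIGIN per
    origin_prefixlen block so the shared zero labels are written once.
    delegations is a list of (child_prefix, [ns, ...]); no glue is emitted,
    which is correct only while the servers' names lie outside the child.
    """
    zone_net = ipaddress.IPv6Network(zone_prefix)
    out = ["$TTL 1d",
           "@ IN SOA %s %s (" % (primary_ns, contact),
           "        %d ; Serial number" % serial,
           "        1h         ; Refresh (1 hour)",
           "        15m        ; Retry (15 minutes)",
           "        30d        ; Expire (30 days)",
           "        10m )      ; Negative-caching TTL (10 minutes)"]
    out += ["  IN NS %s" % ns for ns in nameservers]
    for child, servers in delegations:
        label = delegation_label(child, zone_prefix)
        out += ["%s IN NS %s" % (label, ns) for ns in servers]
    groups = {}
    for address in hosts:
        block = ipaddress.IPv6Network("%s/%d" % (address, origin_prefixlen), strict=False)
        if not block.subnet_of(zone_net):
            raise ValueError("%s is outside %s" % (address, zone_prefix))
        groups.setdefault(block, []).append(address)
    for block in sorted(groups):
        out.append("$ORIGIN " + reverse_zone(str(block)))
        for address in sorted(groups[block], key=ipaddress.IPv6Address):
            out.append("%s PTR %s" % (relative_owner(address, str(block)), hosts[address]))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Addresses and names below are the ones used in the chapter's listings.
    hosts = {"2001:db8:cafe:f9::d3": "suckerpunch.v6.movie.edu.",
             "2001:db8:cafe:f9::d4": "super8.v6.movie.edu."}
    servers = ["terminator.movie.edu.", "wormhole.movie.edu."]
    print(reverse_name("2001:db8:1:2:3:4:567:89ab"))
    # The /64 subnet's own zone, with a $ORIGIN covering the 14 shared zeros.
    print(render_reverse_zone("2001:db8:cafe:f9::/64", hosts, servers[0], servers, 2011030800))
    # The /48 zone delegating that /64 to a different pair of servers.
    print(render_reverse_zone("2001:db8:cafe::/48", {}, servers[0], servers, 2011030800,
                              delegations=[("2001:db8:cafe:f9::/64",
                                            ["adjustmentbureau.movie.edu.", "rango.movie.edu."])]))
```

The $ORIGIN produced for a /120 block is exactly the 30-label name used in the listing above; raising origin_prefixlen toward 128 shortens the relative owner names, lowering it toward the zone's own prefix length lengthens them, and a block that falls outside the zone is rejected rather than silently emitted.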
Built-In Empty Reverse-Mapping Zones
There are quite a few IPv6 addresses and networks that serve special purposes. For example, IPv6, like IPv4, has an unspecified address (used by uninitialized network interfaces) and a loopback address, as well as networks for link-local addresses and more. The latest versions of BIND 9 include built-in empty versions of the reverse-mapping zones that correspond to these addresses and networks. The zones are empty so that your local BIND name server will respond to any queries to reverse map these addresses immediately with a negative answer, without forwarding that query off to the Internet to another name server just to get the same negative answer or no answer at all.
The table below lists the built-in reverse-mapping zones, the functions of the addresses and networks they map to, and the rough equivalent in IPv4:
Reverse-mapping Zone Name                                                  Function                     IPv4 Equivalent
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa   Unspecified IPv6 address     0.0.0.0
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa   IPv6 loopback address        127.0.0.1
8.b.d.0.1.0.0.2.ip6.arpa                                                   IPv6 documentation network   192.0.2/24
d.f.ip6.arpa                                                               Unique local addresses       10/8, etc. (RFC 1918)
8.e.f.ip6.arpa                                                             Link-local addresses         169.254/16
9.e.f.ip6.arpa                                                             Link-local addresses         169.254/16
a.e.f.ip6.arpa                                                             Link-local addresses         169.254/16
b.e.f.ip6.arpa                                                             Link-local addresses         169.254/16
BIND is smart enough to notice if you've already configured your own version of one of these reverse-mapping zones (even if the zone isn't an authoritative zone, such as a forward or stub zone), so you can easily override BIND's empty zones. To disable individual built-in empty zones without creating explicit zone statements for them, use the disable-empty-zone substatement, which takes as an argument the domain name of the zone to disable:
options {
    disable-empty-zone "d.f.ip6.arpa";
};
To disable all built-in empty zones, you can use the empty-zones-enable substatement. By default, of course, they're enabled, so
options {
    empty-zones-enable no;
};
will disable them. You can use disable-empty-zone and empty-zones-enable as either options or view substatements.
CHAPTER 2
BIND on IPv6
Mouein BIND 9 name seiveis incluue complete suppoit loi IPv6, which means not
only hanuling gueiies that ask loi the IPv6 auuiesses ol a given uomain name, Lut also
iesponuing to those gueiies ovei IPv6, as well as gueiying othei name seiveis ovei IPv6.
Listening for Queries
By default, the BIND 9 releases current when this was written won't listen for queries that arrive on an IPv6 interface. (Recent BIND 9 releases listen on all IPv6 interfaces unless told otherwise, so check the Administrator Reference Manual for the version you run; an explicit listen-on-v6 is clearer either way.) To tell the name server to listen on an IPv6 interface, use the listen-on-v6 substatement. The simplest form of this substatement is:
options {
    listen-on-v6 { any; };
};
which instructs the name server to listen for queries on any IPv6 network interfaces configured on the host. If you need to be more selective, you can specify a particular interface or particular interfaces:
options {
    listen-on-v6 { 2001:db8:cafe:1::1; 2001:db8:cafe:2::1; };
};
You can even negate entries in the list and specify entire networks, in which case the name server will listen on any interface on the matching network. If you need your name server to listen on a port other than 53 (the default), specify it immediately after listen-on-v6. Here's an example that incorporates all of these:
options {
    listen-on-v6 port 5353 { !2001:db8:cafe:1::1; 2001:db8:cafe::/48; };
};
This configures the name server to listen on port 5353 on all interfaces with IPv6 addresses on the network 2001:db8:cafe::/48 (that is, the Movie U. IPv6 network) except the address 2001:db8:cafe:1::1. Two details matter here. First, the list is evaluated first-match, so the negated address must come before the network that would otherwise match it. Second, the network has to be the /48: a /64 written as 2001:db8:cafe::/64 covers only 2001:db8:cafe:0::/64 and wouldn't include 2001:db8:cafe:1::1 in the first place.
If you need to have your name server listen on multiple ports at the same time, just use multiple listen-on-v6 substatements. You can only use listen-on-v6 as an options substatement, since it controls the behavior of the entire named process.
Sending Queries
Once you've configured a name server to listen on an IPv6 interface, the name server will automatically query other name servers over IPv6 when necessary. The source IP address of these queries will depend on which interface the route to the queried name server points through. To change this behavior, use the query-source-v6 substatement.
query-source-v6 uses a syntax that is, somewhat frustratingly, different from that of listen-on-v6. The name server's default behavior, using whichever source IPv6 address a route points through and whichever query port suits it, is equivalent to this substatement:
options {
    query-source-v6 address * port *;
};
To tell the name server to use a particular address, simply replace the * after the address keyword with a single IPv6 address, like so:
options {
    query-source-v6 address 2001:db8:cafe:1::1;
};
As with listen-on-v6, query-source-v6 is an options substatement (later BIND 9 releases also accept it inside view statements, so each view can query from its own address).
You can also specify that the name server use a particular source port in outgoing queries, but you shouldn't. This defeats the name server's query port randomization, which is a very important weapon against cache-poisoning attacks: with the port fixed, the 16-bit transaction ID is all an attacker has left to guess.
More on Query Port Randomization
Ever since the discovery of the Kaminsky vulnerability, BIND name servers have sent queries from random ports to make it more difficult to spoof responses to those queries. With random query ports, a would-be spoofer must guess which port to send a spoofed response to, on top of guessing the transaction ID. And by default, BIND 9 chooses its random query ports from a very large pool: from port 1024 to port 65535.
If you need to tell the name server not to use a particular query port, for example because certain ports are blocked by your firewall, use the avoid-v6-udp-ports substatement, which takes a list of ports as its argument:
options {
    avoid-v6-udp-ports { 1024; 1025; };
};
You can also specify the list of ports to avoid as a range:
options {
    avoid-v6-udp-ports { range 1024 1025; };
};
If for whatever reason you need to restrict the range of ports BIND uses to one smaller than the default, use the use-v6-udp-ports substatement, which takes the range as an argument:
options {
    use-v6-udp-ports { range 1024 16727; };
};
Again, be very careful, since restricting the range too much will limit the effectiveness of query port randomization. The range above leaves 15,704 ports where the default offers 64,512, roughly a fourfold reduction in the attacker's guessing work. Also check that no NAT or firewall between the name server and the Internet rewrites source ports: a device that allocates them sequentially undoes the randomization no matter how BIND is configured.
Forcing the Use of a Particular Protocol
Occasionally, you may want to force a name server not to use IPv4 or IPv6 despite the fact that the host it's running on has dual stacks. For example, you may know that the host isn't capable of reaching the entire IPv6 Internet because of limitations in the transition technology you use. In situations like this, you can tell the name server to use only IPv4 or only IPv6 with the -4 and -6 command-line options, respectively (plain ASCII hyphens; a typographic minus pasted from a document won't be recognized).
% named -4
tells the name server to use only IPv4, while
% named -6
obviously, tells the name server to use only IPv6.
IPv6 Masters and Slaves
Of course, BIND supports zone transfers over IPv6, too. To configure a slave name server to transfer a zone from its master using IPv6, just specify the master's IPv6 address in the zone's masters substatement:
zone "movie.edu" {
    type slave;
    masters { 2001:db8:cafe:1::1; };
    file "bak.movie.edu";
};
(Newer BIND releases accept type secondary and primaries as synonyms for type slave and masters; the examples here use the older keywords.)
To make this more readable, I suggest using the new masters statement. masters lets you assign a name to a list of master name servers, and then refer to that name in zone statements. Even if the list consists of just a single master name server, giving it a name will make it much easier to identify:
masters terminator.movie.edu { 2001:db8:cafe:1::1; };
zone "movie.edu" {
    type slave;
    masters { terminator.movie.edu; };
    file "bak.movie.edu";
};
If you want to specify a TSIG key or even an alternate port on the master name server to transfer from, you can specify those in the masters statement (the key itself must be defined in a key statement elsewhere in named.conf, and the same key must be configured on the master):
masters terminator-and-wormhole {
    2001:db8:cafe:1::1 key tsig.movie.edu;
    2001:db8:cafe:2::1 port 5353 key tsig.movie.edu;
};
You can even use names defined in masters statements with stub zones.
Note that masters is a top-level statement: you can't use it inside an options or view statement.
Other IPv6 Zone Transfer Controls
As you'd expect, given the thoroughness of the good folks at ISC who develop BIND, there are also IPv6 equivalents of the transfer-source and notify-source substatements, called, not surprisingly, transfer-source-v6 and notify-source-v6. These instruct the name server to use particular IPv6 source addresses when initiating zone transfers from master name servers or when sending NOTIFY messages to slave name servers. These can be useful when, for example, a master name server only allows zone transfers initiated from a particular IPv6 address but the slave has multiple IPv6 addresses, or when a slave only knows its master name server by a particular IPv6 address (and therefore ignores NOTIFY messages from other IPv6 addresses the master may have). (Administrators in the first situation really ought to secure zone transfers with TSIG, not IP address-based ACLs; an address-based ACL is only as strong as the network's protection against spoofing.)
The default, of course, is to use the IPv6 address of whichever interface the route to the master or slave points through, which is the same as:
options {
    transfer-source-v6 *;
    notify-source-v6 *;
};
To initiate zone transfers or send NOTIFY messages only from a particular IPv6 address, simply replace * with that address, like this:
options {
    transfer-source-v6 2001:db8:cafe:1::1;
    notify-source-v6 2001:db8:cafe:1::1;
};
IPv6 Networks and Addresses in ACLs
To support IPv6, access control lists (ACLs) were extended to allow the specification of IPv6 addresses. Specifying IPv6 addresses in ACLs works as you'd expect it to:
acl Movie-U {
    2001:db8:cafe::/48;
};
acl campus-subnets {
    2001:db8:cafe:1::/64;
    2001:db8:cafe:2::/64;
};
You can, of course, mix IPv4 and IPv6 in the same ACL:
acl terminator {
    2001:db8:cafe:1::1;
    192.249.249.1;
};
And you can negate entries, too, to prevent matches:
acl all-subnet-but-terminator {
    !2001:db8:cafe:1::1;
    2001:db8:cafe:1::/64;
};
ACLs are evaluated first-match: named walks the list in order and the first element that matches decides, so a negated entry has to come before the network it carves an exception out of. Written the other way round, the /64 would match first and the negation would never be consulted.
The built-in localhost and localnets ACLs have also been enhanced: localhost now includes all of the host's IPv6 addresses as well as its IPv4 addresses. (Note that this typically includes both a link-local address and a global unicast address on a name server configured to run over IPv6.) localnets includes IPv4 and IPv6 networks connected to the host, providing the operating system supports determining the prefix length of the host's IPv6 addresses. If it doesn't, localnets includes locally connected IPv4 networks but just the host's IPv6 addresses.
Especially with IPv6, I encourage you to define and use ACLs with intuitive names to make your named.conf files more readable. There's a tremendous difference between this:
allow-query {
    192.249.249/24;
    192.253.253/24;
    2001:db8:cafe:1::/64;
    2001:db8:cafe:2::/64;
};
and this:
allow-query {
    movie-u-internal-networks;
};
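The first-match rule is easy to get wrong, and the consequences (an address you meant to exclude from allow-query or listen-on-v6 quietly matching) are hard to spot by eye. The following is an added example, not code from the book or from BIND: a small evaluator that applies named's address-match-list semantics (ordered, first match wins, negation, mixed IPv4 and IPv6, BIND's abbreviated IPv4 prefixes such as 192.249.249/24) to an address, and a helper that shows which of a host's interface addresses a listen-on-v6 list would select. The function names acl_match, parse_acl and listen_addresses, and the host addresses in the demo, are my own constructions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Example code, not BIND's own: helper names _network, parse_acl, acl_match
# and listen_addresses are assumptions made for this illustration.


def _network(text: str):
    """BIND accepts abbreviated IPv4 prefixes such as 192.249.249/24 or 10/8;
    the ipaddress module insists on all four octets, so pad them out."""
    if "/" in text and ":" not in text:
        addr, plen = text.split("/", 1)
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        text = f"{addr}/{plen}"
    return ipaddress.ip_network(text, strict=False)


def parse_acl(elements: List[str]) -> List[Tuple[bool, Optional[object]]]:
    """Turn address-match elements into (negated, network) pairs.
    A network of None stands for 'any'; 'none' matches nothing, so it is dropped."""
    parsed = []
    for element in elements:
        element = element.strip().rstrip(";").strip()
        negated = element.startswith("!")
        if negated:
            element = element[1:].strip()
        if element == "none":
            continue
        parsed.append((negated, None if element == "any" else _network(element)))
    return parsed


def acl_match(address: str, elements: List[str]) -> bool:
    """Evaluate one address against an ACL the way named does: walk the list in
    order, stop at the first element that matches, and let that element decide.
    A matching negated element means 'no match'; running off the end also does."""
    addr = ipaddress.ip_address(address)
    for negated, net in parse_acl(elements):
        hit = net is None or (addr.version == net.version and addr in net)
        if hit:
            return not negated
    return False


def listen_addresses(host_addresses: List[str], elements: List[str]) -> List[str]:
    """Which of a host's interface addresses a listen-on-v6 { ... } list selects."""
    return [a for a in host_addresses if acl_match(a, elements)]


if __name__ == "__main__":
    # Constructed sample: the carve-out ACL from the text, written both ways round.
    carve_out = ["!2001:db8:cafe:1::1", "2001:db8:cafe:1::/64"]
    backwards = ["2001:db8:cafe:1::/64", "!2001:db8:cafe:1::1"]
    for acl in (carve_out, backwards):
        print(acl, "->", acl_match("2001:db8:cafe:1::1", acl))
    # Constructed host addresses against a listen-on-v6 list like the one in the text.
    hosts = ["2001:db8:cafe::1", "2001:db8:cafe:1::1", "2001:db8:cafe:2::1"]
    print(listen_addresses(hosts, ["!2001:db8:cafe:1::1", "2001:db8:cafe::/48"]))
```

Run it and the two orderings of the same two elements give opposite answers for 2001:db8:cafe:1::1; the listen-on-v6 check also makes it obvious that 2001:db8:cafe::/64 (rather than /48) would never have covered the 2001:db8:cafe:1::/64 and 2001:db8:cafe:2::/64 interfaces at all.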
Registering IPv6 Name Servers
Once you've set up an IPv6 name server that's authoritative for one or more zones, you may want to add the new IPv6 address to those zones' delegation information. That will require that your parent support registration of IPv6 addresses for name servers. Almost all top-level domains, such as com, net, and org, and most large country-code top-level domains, such as uk and de, support IPv6 addresses for name servers. In most cases, however, you don't deal directly with the administrators of these domains, but rather work through an intermediary called a registrar. Unfortunately, not all registrars support registration of IPv6 addresses. If yours doesn't, you may have no choice but to transfer your zones to a registrar that does, or at least threaten to if they don't get their act together.
The actual process you use to register a name server's IPv6 address varies depending on the registrar, but most good registrars provide reasonably intuitive web-based interfaces for managing delegation information and allow you to simply enter an IPv6 address there.
If your parent zone is managed by someone else in your organization, say a network administrator at your company's corporate headquarters, ask them how they'd like the new address submitted. It may be as easy as sending them email.
For the time being, while IPv6 is still catching on, make sure that you register both IPv4 and IPv6 addresses for your name servers. If you don't have any IPv4-speaking name servers, most recursive name servers on the Internet won't be able to resolve any of your domain names.
Delegating to IPv6 Name Servers
If you manage a parent zone (that is, you're the network administrator at your company's corporate headquarters mentioned earlier), the administrators of your subzones may ask you to add IPv6 addresses to their delegation. Doing so is straightforward.
Say the network administrator of our computer-generated imagery department, cgi.movie.edu, has just set up a new IPv6 network and wants us to add his name servers' new IPv6 addresses to his delegation. Currently, his delegation looks like this:
cgi.movie.edu.           IN NS    avatar.cgi.movie.edu.
cgi.movie.edu.           IN NS    tron.cgi.movie.edu.
avatar.cgi.movie.edu.    IN A     192.249.249.169
tron.cgi.movie.edu.      IN A     192.253.253.169
He's just set up the IPv6 subnets 2001:db8:cafe:10::/64 and 2001:db8:cafe:11::/64, so after adding AAAA records for the two hosts, the delegation looks like this:
cgi.movie.edu.           IN NS    avatar.cgi.movie.edu.
cgi.movie.edu.           IN NS    tron.cgi.movie.edu.
avatar.cgi.movie.edu.    IN A     192.249.249.169
                         IN AAAA  2001:db8:cafe:10::2
tron.cgi.movie.edu.      IN A     192.253.253.169
                         IN AAAA  2001:db8:cafe:11::2
It's worth reiterating here that glue A or AAAA records are necessary in delegation only when a subdomain is delegated to a name server that ends in the name of the subdomain (as tron.cgi.movie.edu ends in cgi.movie.edu). If that's not true, glue records aren't needed. Glue lives in the parent and is not authoritative data there, so keep it in step with the AAAA records in the child zone itself; stale glue left behind after a renumbering is a common cause of intermittent resolution failures.
Server Statements for IPv6 Name Servers
If you need to tweak the way your name server communicates with a particular remote name server, you use the server statement. The server statement now supports IPv6 addresses, too, so if you wanted to tell your name server to use the TSIG key movie.edu.key when communicating with terminator.movie.edu over IPv6, you could use the following server statement (the key itself is defined in a separate key statement):
server 2001:db8:cafe:1::1 {
    keys { movie.edu.key; };
};
And remember that the server statement now (since at least BIND 9.5.0) accepts the specification of an entire network as an argument, so you can configure how your name server communicates with a whole set of name servers. For example, to tell your name server not to query any of the name servers on the Movie U. IPv6 network, you could use this server statement:
server 2001:db8:cafe::/48 {
    bogus yes;
};
But why would you ever want to do that?
For a more complete list of server substatements, see DNS and BIND.
Special Considerations
Handling “Monolingual” Name Servers
For the foreseeable future, we'll run both the IPv4 and IPv6 protocols in parallel on the Internet. While today the vast majority of zones are served by name servers with only IPv4 connectivity, some day, hopefully sooner rather than later, we'll see zones served only by IPv6 name servers. Either kind of zone introduces an interoperability challenge, though: how can a recursive name server with only IPv6 connectivity resolve a domain name in a zone served only by IPv4 name servers? And what about the converse?
BIND 9 allows you to configure a sort of "protocol forwarder" called a dual-stack server for these poor monolingual recursors. When a recursor needs to look up data in a zone served only by name servers that don't speak the same protocol, it simply forwards that query to the dual-stack server and waits for a response. (The forwarded query is recursive; otherwise the name server doing the forwarding might receive a referral in reply, which wouldn't help much.)
The basic syntax is similar to that used to configure forwarders:
dual-stack-servers { 192.249.249.1; 192.249.249.3; };
You can also specify the dual-stack servers by domain name, which is a nice change:
dual-stack-servers {
    terminator.movie.edu;
    wormhole.movie.edu;
};
Just make sure your name server can resolve the domain names of the dual-stack servers to addresses with the one protocol it speaks.
As a best practice, however, it's a good idea to run your name servers on dual-stack hosts whenever possible and to use dual-stack-servers only when you have no other choice. A dual-stack server is trusted the way a forwarder is, since whatever it answers goes straight into your cache, so point the statement only at name servers you run.
Handling Broken Resolvers
Including support for IPv6 in a resolver is laudable. Preferring IPv6 addresses when they're available is admirably progressive, too. But some resolvers will look up AAAA records even though the underlying operating system can't really use them. Maybe the host uses a tunneling configuration that gives it limited IPv6 connectivity, for example. When the resolver returns the IPv6 address, and some client software tries to connect to it, it can take several minutes for the client to fall back to IPv4. Worse, the software can incur this delay for every connection it makes, once for each image that appears on a web page, for example.
Thankfully, these situations are fairly rare. Estimates from Google and Yahoo! suggest that these resolvers run on between 0.05% and 0.078% of hosts on the Internet. But while that may not sound like a lot, when you're dealing with a user base as large as theirs, it represents hundreds of thousands of users.
BIND versions 9.7.0 and later include a filtering mechanism for accommodating these resolvers. Basically, the mechanism decides whether or not to return AAAA records to a resolver based on the protocol over which the resolver sent its query. If the query arrived over IPv6, that's proof enough that the resolver, and the host it runs on, has IPv6 connectivity. If the query arrived over IPv4, though, the filter tells the name server to lie and claim (for the resolver's own protection, of course) that no AAAA records exist even for domain names that really do own them. Presumably the resolver then goes on to request plain old A records.
This mechanism is somewhat controversial. Many members of the DNS community don't like the idea of lying to resolvers. Moreover, lying can break DNSSEC validation. So the Internet Systems Consortium, which develops BIND, makes you jump through an extra hoop to use the feature: you need to compile the name server with the --enable-filter-aaaa option. The implicit message is, "Don't use this unless you know what you're doing." (In BIND 9.14 and later the feature was moved out of the core into the filter-aaaa plugin, which is loaded with a plugin statement and takes the same substatements inside its block.)
If compiled with that option, the name server will let you specify the filter-aaaa-on-v4 options substatement, which takes a simple yes or no as an argument:
options {
    filter-aaaa-on-v4 yes;
};
You can also use filter-aaaa-on-v4 as a view substatement, to apply only to that view.
By default, filter-aaaa-on-v4 doesn't apply to queries with the DNSSEC OK (DO) bit set, because those suggest that the querier may perform DNSSEC validation. To override this, use break-dnssec as the argument:
options {
    filter-aaaa-on-v4 break-dnssec;
};
To apply filtering only to a subset of queriers, you can use the filter-aaaa options (and view) substatement, which allows you to specify the addresses of queriers whose responses should be filtered:
options {
    filter-aaaa-on-v4 yes;
    filter-aaaa { 192.249.249/24; };
};
Limiting the filter (if you use it at all) is a good precaution, since filtering can have unwanted side effects. For example, imagine an IPv6-only resolver configured to query a dual-stack recursive name server. If the recursive name server sent IPv4 queries to an authoritative name server that did filtering, it would always be told that no AAAA records existed, which would render the resolver unable to resolve any IPv6 addresses!
rndc and IPv6
rndc, the remote name daemon controller, can now communicate with a BIND name server over IPv6. This usually requires configuration on both the client (i.e., rndc) side and the server (named) side.
By default, the name server will only accept connections from rndc on the host's IPv4 and IPv6 loopback addresses, 127.0.0.1 and ::1, respectively. To tell the name server to listen on all of the host's IPv6 addresses, specify the IPv6 wildcard address, ::, in the controls statement:
controls {
    inet :: allow { localnets; }
        keys { rndc-key; };
};
You can also specify a single address to listen on:
controls {
    inet 2001:db8:cafe:1::1 allow { localnets; }
        keys { rndc-key; };
};
The control channel uses TCP port 953 unless you add a port clause after the address, so that port must be reachable over IPv6 from the administration host (and, preferably, from nowhere else). Though not required, it's always a good idea to limit incoming connections to a small set of addresses using an IP address-based ACL, and it's critical to use a key to secure the control channel. Note that localnets on an IPv6 host can be broader than you expect, since it covers every prefix the host is attached to; an explicit ACL listing the administration hosts is tighter.
To tell rndc to connect to a host's IPv6 address, you can specify the address as the argument to the -s option:
% rndc -s 2001:db8:cafe:1::1 reload
Of course, if there's a domain name that points to that address, you can use that as the option argument instead.
CHAPTER 3
Resolver Configuration
Configuring a resolver to query a name server over IPv6 is a piece of cake, assuming the resolver supports IPv6! You can just plug the IPv6 address of a recursive name server into the resolver. On a Unix-ish operating system, that's usually done in the resolv.conf file with a nameserver directive:
nameserver 2001:db8:cafe:1::1
If the resolver is on the same host as a recursive name server, you can use the IPv6 loopback address, of course:
nameserver ::1
Mac OS X
With Mac OS X, resolver configuration is done in System Preferences. Click on System Preferences, then on Network (under the Internet & Wireless category). To configure the name servers you use when connected via AirPort, click on AirPort in the list of network interfaces on the left, then click on the Advanced... button at the lower right. In the window that appears, click on the DNS tab. [The screenshot of the resulting window is not reproduced here.]
If your computer has been assigned a list of name servers by a DHCP server, you may find the DNS Servers: section populated. You can override this list by clicking the + button below the list, though. Enter one or more IPv6 addresses to query the name servers' IPv6 addresses.
To configure the name servers you use when connected to the Internet via another network interface, such as your Mac's Ethernet interface, simply choose Ethernet from the Network panel.
Windows
With Windows 7, start the Control Panel. Click on Network and Internet, then on Network and Sharing Center. Find the Local Area Connection and click on it. The Local Area Connection Properties window should appear. [Screenshot not reproduced here.]
Click on Internet Protocol Version 6 (TCP/IPv6); the Internet Protocol Version 6 (TCP/IPv6) Properties window will appear. [Screenshot not reproduced here.]
If you click on Use the following DNS server addresses, you can specify the IPv6 addresses of up to two recursive name servers.
As with Mac OS X, to configure the name servers your resolver queries when using a different network interface, simply choose that interface instead of Local Area Connection.
After reconfiguring your resolver to use IPv6, it's a good idea to verify that DNS resolution still works with a tool such as dig or nslookup. See the chapter on troubleshooting later in this book for details.
Dynamic Resolver Configuration
IPv6 supports several methods for dynamically configuring a host's IP address and other network parameters:
• A "traditional" method, using DHCPv6, the IPv6 version of DHCP
• Stateless Address Autoconfiguration, or SLAAC, in which a host uses Router Advertisements to assemble an IP address appropriate for use on the local network and to determine other network parameters
• A hybrid method, in which a host uses SLAAC for address assignment but DHCPv6 to determine other network parameters
In the first and last methods, resolver configuration involves setting the right DHCPv6 options. In the second, it requires setting up the correct Router Advertisement options.
But wait: how does a host choose whether to use SLAAC, DHCPv6, or both? A router tells it its options with flags in its Router Advertisements:
• The "M" flag, for "Managed Address Configuration," tells hosts that DHCPv6 is available for both address assignment and network parameters (including resolver configuration).
• The "A" flag, for "Autonomous Address Configuration," tells hosts that SLAAC is available for address assignment and network parameters (possibly including resolver configuration). Unlike M and O, which sit in the Router Advertisement header, A is carried per prefix in the Prefix Information option.
• The "O" flag, for "Other Stateful Configuration," tells hosts that DHCPv6 is available for network parameters other than address assignment (that is, to be used together with SLAAC in the hybrid method described earlier).
Note that the host has a choice of methods to use and can use more than one. For example, a router may advertise the availability of both SLAAC and DHCPv6 for address assignment, and a host may get one IPv6 address using SLAAC and another using DHCPv6. A host may also receive resolver configuration from both methods, and then merge them. Confusing, eh?
Resolver Configuration Using DHCPv6
IPv6 supports dynamic configuration of hosts using DHCPv6, and naturally you can use DHCPv6 to configure a resolver. DHCPv6 has new resolver configuration options, though: you can't use the same old DHCPv4 options to configure your resolver over DHCPv6. The new options (defined in RFC 3646) are:
Option Number   ISC Option Name        Option Argument
23              dhcp6.name-servers     Comma-separated list of IPv6 addresses
24              dhcp6.domain-search    Comma-separated list of domain names
And here's a snippet from an ISC DHCP server's dhcpd.conf file to show you how the options are set:
option dhcp6.name-servers 2001:db8:cafe:1::1, 2001:db8:cafe:2::1;
option dhcp6.domain-search "cgi.movie.edu", "movie.edu";
The ability to set a search list via DHCP is new; while RFC 3397 introduced a DHCPv4 option to do that back in 2002, it was never widely supported by DHCP clients. DHCPv6 has supported configuration of the search list from the beginning, though, so all DHCPv6 clients should support it.
There's another change in DHCPv6 worth mentioning. In IPv6, DHCP comes in two flavors: stateless and stateful. Stateful DHCPv6 is like DHCP on IPv4: a DHCP client can start with nothing but its link-local address and have a routable IP address plus other network configuration assigned. But stateless DHCPv6 is new and supports the hybrid method of configuring network stacks: a DHCP client that already has an IP address (e.g., assigned using SLAAC) can retrieve network configuration excluding address assignment (which it doesn't need) from a DHCPv6 server.
Resolver Configuration Using Router Advertisements
Router Advertisements originally didn't contain any resolver configuration parameters, so although hosts could use SLAAC to configure most of their network stacks, they couldn't configure their resolvers. For that, they needed to use stateless DHCPv6, which could provide the IPv6 addresses of recursive name servers, as well as other DNS-related parameters, such as a search list, as described in the last section. But this required that every IPv6 subnet be served by a DHCPv6 server, in many cases solely to provide resolver configuration.
Then RFC 6106 extended Router Advertisements to support the specification of the IPv6 addresses of recursive name servers as well as a DNS search list, eliminating the need for a DHCPv6 server in many cases.
The Router Advertisement option used to configure a resolver's name servers is called RDNSS, for Recursive DNS Server. The option for configuring a resolver's search list is called DNSSL, for DNS Search List. As the name suggests, Router Advertisements are sent by routers, so you would usually configure the options on those routers. And, of course, the particular syntax required would vary depending on the make of routers you ran.
I write "would" because RFC 6106 is very new (published in November 2010), so not much gear supports it yet, though there's somewhat more support for RFC 5006, a precursor to RFC 6106. (RFC 5006 introduced support for the RDNSS option but didn't include a way to set a search list.) On the server side, Linux and various BSD operating systems have at least some support in their Router Advertisement daemons (radvd on Linux, rtadvd on the BSDs). On the client side, Mac OS X 10.7 ("Lion") is rumored to support RFC 6106. (RFC 6106 has since been superseded by RFC 8106, and support for RDNSS has become common in both router firmware and host stacks.)
One security point deserves emphasis: Router Advertisements carry no authentication, so any host on the link can send one and hand every neighbor a rogue recursive name server. Filtering RAs at the switch port (RA Guard, RFC 6105) is the usual defense on networks where you can't trust every attached device.
Here's an example of configuring the RDNSS option in radvd.conf, the configuration file of the Linux daemon radvd (the BSD rtadvd uses a substantially different syntax):
interface eth0 {
    AdvSendAdvert on;
    prefix 2001:db8:cafe:1::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
    RDNSS 2001:db8:cafe:1::1 {
    };
};
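Seeing what a host actually receives is the quickest way to understand the M, O and A flags described under "Dynamic Resolver Configuration" and the RDNSS and DNSSL options described here, and the same parsing is what a monitor for rogue Router Advertisements would do. The following is an added example, not code from the book, radvd or any router vendor: a parser for the ICMPv6 payload of a Router Advertisement (RFC 4861 header and Prefix Information option, RFC 8106 RDNSS and DNSSL options), applied to a sample advertisement I construct in the same file. It does not verify the ICMPv6 checksum, which would require the IPv6 pseudo-header; the function names and the sample values are my own.

```python
import struct
import ipaddress

# Example code, not from the book or from any router/daemon implementation.
# Constants from RFC 4861 (Neighbor Discovery) and RFC 8106 (RDNSS/DNSSL).
ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25
OPT_DNSSL = 31
RA_FLAG_MANAGED = 0x80       # M: stateful DHCPv6 for addresses and parameters
RA_FLAG_OTHER = 0x40         # O: DHCPv6 for parameters other than addresses
PIO_FLAG_ONLINK = 0x80       # L: prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40   # A: prefix may be used for SLAAC


def _names(buf: bytes):
    """Decode a DNSSL name list: uncompressed DNS wire-format names, zero-padded
    out to the option's 8-octet boundary."""
    names, i = [], 0
    while i < len(buf):
        labels = []
        while True:
            if i >= len(buf):
                raise ValueError("truncated name")
            n = buf[i]
            i += 1
            if n == 0:
                break
            if n & 0xC0:
                raise ValueError("compression pointers are not allowed here")
            labels.append(buf[i:i + n].decode("ascii"))
            i += n
        if not labels:        # reached the padding
            break
        names.append(".".join(labels))
    return names


def parse_router_advertisement(payload: bytes) -> dict:
    """Parse the ICMPv6 payload of a Router Advertisement (checksum not verified)."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & RA_FLAG_MANAGED),
          "other": bool(flags & RA_FLAG_OTHER), "router_lifetime": lifetime,
          "prefixes": [], "rdnss": [], "dnssl": []}
    pos = 16
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[pos], payload[pos + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861 says discard the packet
        end = pos + olen * 8
        if end > len(payload):
            raise ValueError("option overruns packet")
        body = payload[pos + 2:end]
        if otype == OPT_PREFIX_INFO:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "on_link": bool(pflags & PIO_FLAG_ONLINK),
                                   "autonomous": bool(pflags & PIO_FLAG_AUTONOMOUS),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_RDNSS:
            lifetime = struct.unpack("!I", body[2:6])[0]
            addrs = [str(ipaddress.IPv6Address(body[i:i + 16]))
                     for i in range(6, len(body) - 15, 16)]
            ra["rdnss"].append({"lifetime": lifetime, "addresses": addrs})
        elif otype == OPT_DNSSL:
            lifetime = struct.unpack("!I", body[2:6])[0]
            ra["dnssl"].append({"lifetime": lifetime, "names": _names(body[6:])})
        pos = end
    return ra


def address_config_methods(ra: dict):
    """What the flags tell a host to do, in the terms the text uses."""
    methods = []
    if any(p["autonomous"] for p in ra["prefixes"]):
        methods.append("SLAAC")
    if ra["managed"]:
        methods.append("stateful DHCPv6")
    elif ra["other"]:
        methods.append("stateless DHCPv6")
    return methods


def _name(*labels):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _option(otype, body):
    body += b"\x00" * (-(2 + len(body)) % 8)     # pad to a multiple of 8 octets
    return bytes([otype, (2 + len(body)) // 8]) + body


# Constructed sample RA (not a capture): O set, M clear, one SLAAC prefix,
# one RDNSS address and a two-entry DNSSL list, i.e. the hybrid method.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, RA_FLAG_OTHER, 1800, 0, 0)
    + _option(OPT_PREFIX_INFO,
              struct.pack("!BBIII", 64, PIO_FLAG_ONLINK | PIO_FLAG_AUTONOMOUS, 2592000, 604800, 0)
              + ipaddress.IPv6Address("2001:db8:cafe:1::").packed)
    + _option(OPT_RDNSS, b"\x00\x00" + struct.pack("!I", 3600)
              + ipaddress.IPv6Address("2001:db8:cafe:1::1").packed)
    + _option(OPT_DNSSL, b"\x00\x00" + struct.pack("!I", 3600)
              + _name("cgi", "movie", "edu") + _name("movie", "edu"))
)

if __name__ == "__main__":
    ra = parse_router_advertisement(SAMPLE_RA)
    print(address_config_methods(ra), ra["rdnss"], ra["dnssl"])
```

Feed the parser raw ICMPv6 payloads from a packet capture and compare the RDNSS addresses against the resolvers you actually operate; anything else on the link is either a misconfigured router or an attacker.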
CHAPTER 4
DNS64
During the (likely very long) transition from IPv4 to IPv6, ISPs and other organizations will implement new networks that only support IPv6. For the foreseeable future, though, clients on those networks will still need access to services (e.g., websites) that don't yet support IPv6. NAT64 and DNS64 (pronounced "NAT six four" and "DNS six four," respectively, not "NAT sixty-four" and "DNS sixty-four") are a pair of complementary transition technologies that help provide that access.
NAT64 is a function run on a dual-stack host. A NAT64 server accepts packets from clients that only speak IPv6 and, using its own IPv4 connectivity, translates them into IPv4 packets addressed to IPv4-only servers on those clients' behalf, translating the replies back the other way, effectively "bridging" the IPv4 and IPv6 networks. The clients don't actually realize they're connecting through NAT64; they're led to believe that the IPv4-only servers they want to communicate with support IPv6 and that they're talking directly to them.
How is that misdirection achieved? Through DNS, DNS64 in particular. The IPv6-only clients are configured to use one or more special name servers that support the DNS64 function. When one of these name servers receives a query from a client for AAAA (IPv6 address) records for some domain name, it looks for an answer, as it normally would. If it doesn't find any such records, it tries looking up A records for the same domain name. If it finds one or more A records, it doesn't return them to the client (which can't use them, anyway, and wouldn't accept them, since it asked specifically for AAAA records). It "synthesizes" an equal number of AAAA records from those A records, embedding the 32-bit IPv4 addresses in 128-bit IPv6 addresses. Now the client believes the server supports IPv6 and that it can communicate with it directly.
The client, then, tries to connect to one of these fictional, er, synthesized, IPv6 addresses. How does the NAT64 server intercept this traffic? Easy! The route to the network on which the synthesized IPv6 address lies leads right to the NAT64 server. The NAT64 server takes the IPv6 packet, extracts the embedded IPv4 address, and sends a translated IPv4 packet to the IPv4 server on the IPv6 client's behalf. This process is illustrated in Figure 4-1.
Figure 4-1. DNS64 and NAT64 at Work [figure not reproduced here]
BIND versions 9.8.0 and later support DNS64 with the dns64 options substatement. dns64 supports the configuration of an IPv6 prefix to which the embedded IPv4 address is appended, as well as an optional suffix that is then appended to the IPv4 address to complete the 128-bit address. (The prefix is often 96 bits long, in which case no suffix is required, or even possible.) Here's a basic example:
dns64 64:ff9b::/96 {
    suffix ::;
};
::, an all-zeroes suffix, is the default, so you can leave that substatement out if you like.
Now, there are good reasons that you may not want to apply DNS64 to every querier. For instance, you may have a community of dual-stack clients on your network. When asked by an application to find the address of a server, many stub resolvers on dual-stack clients will send AAAA queries before they send A queries and prefer the IPv6 answer. With DNS64 enabled, such clients would receive synthesized AAAA records for IPv4-only servers and use them, even though the clients were perfectly capable of using the servers' A records. This, in turn, would shunt traffic through your NAT64 infrastructure unnecessarily.
The dns64 statement supports a clients substatement that allows you to select which clients the DNS64 function applies to. By default, DNS64 applies to all clients; that is:
dns64 64:ff9b::/96 {
    clients { any; };
};
But you can specify any ACL you like as an argument. Here's an example:
dns64 64:ff9b::/96 {
    clients { 2001:db8:cafe:1::/64; };
};
As always, it's a good idea to use named ACLs whenever possible for clarity.
There are also IPv4 networks that you may not want mapped into IPv6 addresses by DNS64. For example, if you run a DNS64 function to give your IPv6-only clients access to the IPv4 Internet, you don't want to embed any RFC 1918 addresses that name servers on the Internet might inadvertently return. To avoid that, use the dns64 mapped substatement. This dns64 statement would prevent DNS64 from mapping 10/8 addresses, for example:
dns64 64:ff9b::/96 {
    mapped { !10/8; any; };
};
Of course, RFC 1918 includes more than just 10/8 (172.16/12 and 192.168/16 as well), and the same first-match rule as for any other ACL applies: the negated networks must precede the final any.
You may notice that I use the prefix 64:ff9b::/96 liberally in my DNS64 examples. That's because that network is reserved for mapping IPv4 addresses into IPv6 (it's the Well-Known Prefix of RFC 6052), and it's the default used by many NAT64 implementations. RFC 6052 forbids using the Well-Known Prefix to represent non-global IPv4 addresses, which is another reason for the mapped clause above. You can use a different prefix if you prefer, but make sure it matches what's configured on (and routed to) your NAT64 server, and carve it out of address space you control, a network-specific prefix from your own allocation, so it doesn't interfere with routing to real IPv6 destinations. NAT64 prefixes are restricted by RFC 6052 to /32s, /40s, /48s, /56s, /64s, or /96s. If you choose a /96, a suffix is superfluous, of course, but other prefix lengths allow the configuration of a suffix (though again, the suffix is optional, and defaults to ::). As with the prefix, make sure your NAT64 server is configured with the same suffix.
Normally, DNS64 only applies to domain names that don't have AAAA records. (If the domain name had one or more AAAA records, the name server would simply have returned them to the IPv6-only client.) But sometimes you may want the name server to ignore AAAA records that contain certain IPv6 addresses and apply DNS64 to a domain name. In that case, you can use the exclude substatement, which allows you to specify one or more IPv6 networks or addresses whose presence DNS64 should ignore and synthesize new AAAA records anyway. Here's an example:
dns64 64:ff9b::/96 {
    clients { 2001:db8:cafe:1::/64; };
    mapped { !10/8; any; };
    exclude { 64:ff9b::/96; };
};
This tells DNS64 to ignore any AAAA records that map to IPv6 addresses on the network 64:ff9b::/96 and to look up A records for those domain names and synthesize new AAAA records instead. The typical reason is that an upstream DNS64 resolver, or a zone operator who published synthesized addresses, has already handed you AAAA records pointing at somebody else's NAT64; excluding the prefix makes your name server re-synthesize them against your own.
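The embedding rule is the part people get wrong when they move off the /96 Well-Known Prefix: for the shorter prefix lengths the IPv4 octets straddle octet 8, which RFC 6052 reserves and requires to be zero. The following is an added example, not code from the book or from BIND: it implements RFC 6052 embedding for all six permitted prefix lengths, the reverse extraction a NAT64 translator performs, and a simplified decision routine mirroring the clients-independent parts of the dns64 statement above (exclude and mapped). The names synthesize_aaaa, extract_ipv4 and dns64_response are my own; the mapped clause is approximated by a plain list of IPv4 networks to skip rather than a full first-match ACL, networks must be written out in full (10.0.0.0/8, not 10/8), and the sample inputs are constructed, using the 192.0.2.33 worked example from RFC 6052.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Example code, not from the book or from BIND. RFC 6052 permits only these
# prefix lengths for IPv4-embedded IPv6 addresses; 64:ff9b::/96 is its Well-Known Prefix.
ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = "64:ff9b::/96"


def synthesize_aaaa(ipv4: str, prefix: str, suffix: str = "::") -> ipaddress.IPv6Address:
    """Embed an IPv4 address in an IPv6 prefix the way DNS64 does (RFC 6052, section 2.2):
    the four IPv4 octets follow the prefix but skip octet 8 (bits 64-71, the "u" octet,
    which must stay zero), and the suffix fills whatever low-order octets remain."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not a prefix length RFC 6052 allows")
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:
            pos = 9
        out[pos] = octet
        pos += 1
    if pos == 8:
        pos = 9
    sfx = ipaddress.IPv6Address(suffix).packed
    if any(sfx[:pos]):
        raise ValueError(f"suffix {suffix} does not fit behind a /{net.prefixlen} prefix")
    out[pos:] = sfx[pos:]
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(ipv6: str, prefix: str) -> Optional[ipaddress.IPv4Address]:
    """The NAT64 side of the mapping: recover the embedded IPv4 address, or None
    when the address does not lie inside the prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    packed = addr.packed
    pos = net.prefixlen // 8
    octets = bytearray()
    while len(octets) < 4:
        if pos == 8:
            pos = 9
        octets.append(packed[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(octets))


def dns64_response(a_records: Iterable[str], aaaa_records: Iterable[str],
                   prefix: str = WELL_KNOWN_PREFIX, exclude: Iterable[str] = (),
                   unmapped: Iterable[str] = ()) -> Tuple[List[ipaddress.IPv6Address], bool]:
    """What a DNS64 resolver hands back for one name: the real AAAA records, unless
    every one of them lies in an 'exclude' network, otherwise AAAAs synthesized from
    the A records, skipping IPv4 addresses that fall in an 'unmapped' network.
    Returns (records, synthesized)."""
    excluded = [ipaddress.IPv6Network(n) for n in exclude]
    real = [ipaddress.IPv6Address(a) for a in aaaa_records]
    real = [a for a in real if not any(a in n for n in excluded)]
    if real:
        return real, False
    skip = [ipaddress.IPv4Network(n, strict=False) for n in unmapped]
    synthesized = [synthesize_aaaa(a, prefix) for a in a_records
                   if not any(ipaddress.IPv4Address(a) in n for n in skip)]
    return synthesized, True


if __name__ == "__main__":
    # Constructed inputs: the RFC 6052 example address and the prefixes from its table,
    # plus a name whose A records "inadvertently" include a 10/8 address.
    for pfx in ("2001:db8::/32", "2001:db8:100::/40", "2001:db8:122::/48",
                "2001:db8:122:344::/56", "2001:db8:122:344::/64", WELL_KNOWN_PREFIX):
        synth = synthesize_aaaa("192.0.2.33", pfx)
        print(f"{pfx:24} -> {synth}  (back: {extract_ipv4(str(synth), pfx)})")
    print(dns64_response(["192.0.2.33", "10.1.2.3"], [], unmapped=["10.0.0.0/8"]))
```

The /56 row is the instructive one: the prefix 2001:db8:122:344::/56 is really 2001:db8:122:300::/56 once the host bits are masked, and the IPv4 address lands as 2001:db8:122:3c0:0:221::, with the zero "u" octet splitting it; a NAT64 configured with a different prefix length from the DNS64 would extract garbage from exactly these addresses.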
Authoritative Name Servers and DNS64
What I've described so far is DNS64 as performed by a recursive name server, but authoritative name servers can implement DNS64, too. In fact, if you configure your name server to do DNS64 and it's also authoritative for one or more zones, it'll apply DNS64 to queries in those zones by default, too. In this case, the name server synthesizes AAAA records from A records in zones for which it's authoritative. (Of course, it'll only do this if no AAAA records exist for the domain name.)
If you want to restrict DNS64 to recursive queries, you can use the recursive-only substatement:
dns64 64:ff9b::/96 {
recursive-only yes;
};
The default is to apply DNS64 to both recursive and nonrecursive queries. Think about whether that's what you want: unless you restrict it with clients, an authoritative server that synthesizes AAAA records hands them to any IPv6 querier, not just to clients behind your NAT64.
Interaction Between DNS64 and DNSSEC
After reading about DNS64, those of you who have already read DNS and BIND's "Security" chapter may object: doesn't the mechanism, when it's working as designed, break DNSSEC? Yes, it sure can.
Imagine that a monolingual IPv6 client queries a recursive name server that supports DNS64 for AAAA records attached to a domain name in a signed zone. The recursive name server looks up AAAA records for the domain name and finds none. If the recursive name server is configured to perform DNSSEC validation and has a valid chain of trust to the zone in question, it will cryptographically validate the negative response from the authoritative name server. Surely it can't lie to the client about an answer it has validated?
Actually, it can, and in many cases, the client won't notice at all. That's because most clients don't perform validation themselves, but rely entirely on their recursive name servers for that.
30 | Chapter 4: DNS64
As a safeguard, however, a BIND name server doesn't synthesize a AAAA response if the DNSSEC OK (DO) flag was set in the query. In this case, the client querying the name server could be another name server configured to use it as a forwarder, and it might be configured to perform validation. That validation would fail on any synthesized AAAA record, since no RRSIG in the zone covers data the zone never contained.
If you're really hell-bent on rewriting even those responses, you can use the break-dnssec substatement:
dns64 64:ff9b::/96 {
break-dnssec yes;
};
Do that only when you know nothing downstream validates: a validating resolver that forwards to a break-dnssec server will fail validation on the synthesized records and return SERVFAIL to its own clients for those names.
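To make the interplay of these substatements concrete, here is a small model of the decision rules this chapter describes. It is an added example in Python, not BIND's code and not from the book: it evaluates BIND-style address-match lists and applies clients, mapped, exclude, recursive-only, break-dnssec and the DO flag to constructed inputs. The client addresses and record sets it is fed are made up, and only /96 prefixes are handled.

```python
import ipaddress
from dataclasses import dataclass, field


def _network(pattern):
    """Parse one address-match element; BIND's short IPv4 form "10/8"
    means 10.0.0.0/8, so pad missing octets before handing it to ipaddress."""
    addr, _, plen = pattern.partition("/")
    if ":" not in addr:
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False)


def matches(address, acl):
    """Evaluate a BIND-style address-match list: the first element that
    matches decides, a leading '!' negates it, and no match at all means no."""
    ip = ipaddress.ip_address(address)
    for element in acl:
        negate = element.startswith("!")
        pattern = element.lstrip("!")
        if pattern == "any":
            hit = True
        elif pattern == "none":
            hit = False
        else:
            net = _network(pattern)
            hit = ip.version == net.version and ip in net
        if hit:
            return not negate
    return False


@dataclass
class Dns64:
    """One dns64 statement.  Only /96 prefixes are modelled here."""
    prefix: str
    clients: list = field(default_factory=lambda: ["any"])
    mapped: list = field(default_factory=lambda: ["any"])
    exclude: list = field(default_factory=list)
    recursive_only: bool = False
    break_dnssec: bool = False

    def synthesize(self, ipv4):
        """Prefix bits followed by the 32 IPv4 bits, as with 64:ff9b::/96."""
        net = ipaddress.IPv6Network(self.prefix)
        if net.prefixlen != 96:
            raise ValueError("this model only synthesizes with a /96 prefix")
        return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4))))

    def answer(self, client, aaaa, a, recursive=True, do_flag=False):
        """What a client asking for AAAA gets, given the real AAAA and A
        records.  Returns (how, addresses) with how in real/synthesized/none."""
        # Clients outside the clients list are not DNS64 clients at all.
        if not matches(client, self.clients):
            return "real", list(aaaa)
        # recursive-only yes leaves answers from our own zones untouched.
        if self.recursive_only and not recursive:
            return "real", list(aaaa)
        # AAAA records inside an excluded network count as absent.
        kept = [x for x in aaaa if not matches(x, self.exclude)]
        if kept:
            return "real", kept
        # A synthesized answer contradicts a validated negative response, so
        # a query with DO set gets nothing unless break-dnssec is on.
        if do_flag and not self.break_dnssec:
            return "none", []
        # One AAAA per A record whose address the mapped list admits.
        return "synthesized", [self.synthesize(x) for x in a if matches(x, self.mapped)]


# The dns64 statement from the text, as a Dns64 object.
EXAMPLE = Dns64(prefix="64:ff9b::/96",
                clients=["2001:db8:cafe:1::/64"],
                mapped=["!10/8", "any"],
                exclude=["64:ff9b::/96"])

if __name__ == "__main__":
    # Constructed inputs: a client inside clients, and various record sets.
    client = "2001:db8:cafe:1::10"
    print(EXAMPLE.answer(client, [], ["192.168.0.1"]))                    # synthesized
    print(EXAMPLE.answer(client, [], ["10.1.2.3"]))                       # nothing mapped
    print(EXAMPLE.answer(client, ["64:ff9b::c0a8:1"], ["192.168.0.1"]))   # excluded, resynthesized
    print(EXAMPLE.answer(client, [], ["192.168.0.1"], do_flag=True))      # DO set: no synthesis
```

The order of the checks is the point: the exclude list is consulted before the DO flag, so an already-synthesized AAAA from an upstream DNS64 is discarded and then the DNSSEC rule decides whether anything replaces it.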
DNS64 and Reverse Mapping
There's one last detail of DNS64 worth mentioning: reverse mapping. If a client using a name server configured to perform DNS64 tries to reverse-map a synthesized IPv6 address, what happens? The name server in question responds with a CNAME record pointing the domain name used to reverse-map the synthesized IPv6 address (the one under ip6.arpa) to the domain name corresponding to the embedded IPv4 address (under in-addr.arpa). So if an A record pointing to 192.168.0.1 synthesizes a AAAA record pointing to 64:ff9b::192.168.0.1 (or 64:ff9b::c0a8:1, the same thing), the CNAME record looks like this:
1.0.0.0.8.a.0.c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.4.6.0.0.ip6.arpa. CNAME
1.0.168.192.in-addr.arpa.
The result is exactly what you'd want: the synthesized IPv6 address reverse-maps to whichever domain name the embedded IPv4 address maps to!
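The prefix-length rules from the note earlier in this chapter and the reverse-mapping CNAME just shown can both be checked with the following added example (Python, standard library only; not code from the book or from BIND). It embeds an IPv4 address under any of the six prefix lengths RFC 6052 permits, handling the reserved octet at bits 64-71 and the optional suffix, recovers the address again, and builds the ip6.arpa to in-addr.arpa CNAME for a synthesized address. The round-trip cases are RFC 6052's own examples for 192.0.2.33.

```python
import ipaddress

RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize(prefix, ipv4, suffix="::"):
    """Embed ipv4 in prefix as RFC 6052 section 2.2 lays it out.  Below /96
    the IPv4 bits are split around bits 64-71 (the 'u' octet, always zero);
    the suffix fills whatever bits remain after the address and must be zero
    everywhere the prefix or the IPv4 address sits."""
    net = ipaddress.IPv6Network(prefix)
    plen = net.prefixlen
    if plen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"/{plen} is not a prefix length RFC 6052 allows")
    v4 = int(ipaddress.IPv4Address(ipv4))
    v6 = int(net.network_address)
    if plen == 96:
        v6 |= v4                                   # IPv4 is simply the last 32 bits
        suffix_bits = 0
    else:
        high_bits = 64 - plen                      # IPv4 bits that fit before bit 64
        low_bits = 32 - high_bits                  # IPv4 bits placed from bit 72 on
        v6 |= (v4 >> low_bits) << 64
        v6 |= (v4 & ((1 << low_bits) - 1)) << (56 - low_bits)
        suffix_bits = 56 - low_bits
    sfx = int(ipaddress.IPv6Address(suffix))
    if sfx >> suffix_bits:
        raise ValueError("suffix overlaps the prefix or the embedded IPv4 address")
    return str(ipaddress.IPv6Address(v6 | sfx))


def extract(prefix, ipv6):
    """Recover the IPv4 address embedded in ipv6 (the inverse of synthesize)."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    plen = net.prefixlen
    if plen not in RFC6052_PREFIX_LENGTHS or addr not in net:
        raise ValueError(f"{ipv6} is not an RFC 6052 address under {prefix}")
    v6 = int(addr)
    if plen == 96:
        return str(ipaddress.IPv4Address(v6 & 0xFFFFFFFF))
    if (v6 >> 56) & 0xFF:
        raise ValueError("bits 64-71 must be zero in an RFC 6052 address")
    high_bits = 64 - plen
    low_bits = 32 - high_bits
    high = (v6 >> 64) & ((1 << high_bits) - 1)
    low = (v6 >> (56 - low_bits)) & ((1 << low_bits) - 1)
    return str(ipaddress.IPv4Address((high << low_bits) | low))


def reverse_name(address):
    """PTR owner name: 32 reversed nibble labels under ip6.arpa for IPv6,
    four reversed octet labels under in-addr.arpa for IPv4."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6:
        return ".".join(reversed(ip.exploded.replace(":", ""))) + ".ip6.arpa."
    return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."


def dns64_reverse_cname(prefix, ipv6):
    """The record a DNS64 server answers a PTR query for a synthesized
    address with: the ip6.arpa name is a CNAME to the in-addr.arpa name of
    the embedded IPv4 address."""
    return f"{reverse_name(ipv6)} CNAME {reverse_name(extract(prefix, ipv6))}"


# RFC 6052 section 2.4's worked examples: 192.0.2.33 under each prefix length.
RFC6052_EXAMPLES = {
    "2001:db8::/32": "2001:db8:c000:221::",
    "2001:db8:100::/40": "2001:db8:1c0:2:21::",
    "2001:db8:122::/48": "2001:db8:122:c000:2:2100::",
    "2001:db8:122:300::/56": "2001:db8:122:3c0:0:221::",
    "2001:db8:122:344::/64": "2001:db8:122:344:c0:2:2100::",
    "2001:db8:122:344::/96": "2001:db8:122:344::c000:221",
}


def check_rfc6052_examples():
    """Round-trip every RFC example; returns the prefixes that fail (none)."""
    failed = []
    for pfx, expected in RFC6052_EXAMPLES.items():
        got = synthesize(pfx, "192.0.2.33")
        if (ipaddress.IPv6Address(got) != ipaddress.IPv6Address(expected)
                or extract(pfx, got) != "192.0.2.33"):
            failed.append(pfx)
    return failed


if __name__ == "__main__":
    print("RFC 6052 examples failing:", check_rfc6052_examples())
    print(dns64_reverse_cname("64:ff9b::/96", "64:ff9b::192.168.0.1"))
```

The extract function refuses addresses whose bits 64-71 are nonzero, which is a cheap sanity check to run on any AAAA record you suspect was synthesized with a prefix shorter than /96.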
CHAPTER 5
Troubleshooting
Troubleshooting IPv6-related DNS problems isn't much different from troubleshooting other DNS problems. The main things you need to know are how to specify the IPv6 address of a name server to query and how to forward-map and reverse-map IPv6 addresses. I'll show you how to use both nslookup and dig to perform these tasks.
There's one important thing to keep in mind with either query tool: they default to IPv4, in two senses. First, whether you type nslookup terminator.movie.edu or dig wormhole.movie.edu, the program will look up A records (that is, IPv4 addresses); you need to specify AAAA records explicitly to look up IPv6 addresses. Second, nslookup - terminator.movie.edu will send its queries to the name server's IPv4 address, not its IPv6 address. With recent versions of dig, dig @terminator.movie.edu will query the name server's IPv6 address first, assuming terminator.movie.edu owns a AAAA record; dig's -4 and -6 options force the transport to IPv4 or IPv6 regardless of what the name resolves to, which is the simplest way to be sure which address you're talking to.
nslookup
First, I'll reiterate something we said in DNS and BIND: nslookup is not a great troubleshooting tool, for a number of reasons. It insulates you from the details of the DNS message and is prone to displaying errors that are unrelated to the query you're interested in, such as an inability to reverse-map the address of the name server it's querying to a domain name. But nslookup is more prevalent than my preferred DNS troubleshooting tool, dig, so I'm obliged to cover it.
To query a name server over IPv6, you'll need to use either nslookup's server command or specify the server's IPv6 address on the command line. Most people use nslookup's interactive mode, which you can enter simply by typing nslookup:
% nslookup
>
nslookup displays the > prompt in interactive mode. By default, nslookup will read the local host's resolv.conf file and query the first name server listed in the file, or if no name server is specified, will try querying a name server on the local host, as the local resolver would. To change to a different name server and query it over IPv6, use the server command:
% nslookup
> server 2001:db8:cafe:1::1
Default server: 2001:db8:cafe:1::1
Address: 2001:db8:cafe:1::1
You can also specify the server by its domain name, but if the domain name also points to an IPv4 address, nslookup will try to query that:
% nslookup
> server terminator.movie.edu
Default server: terminator.movie.edu
Address: 192.249.249.1
Whoops. Look at the Address line. For situations like this, it's a good idea to have a special domain name that points only to the name server's IPv6 address, like terminator-v6.movie.edu or terminator.v6.movie.edu. Then the server command will work nicely:
% nslookup
> server terminator.v6.movie.edu
Default server: terminator.v6.movie.edu
Address: 2001:db8:cafe:1::1
Specifying the name server to query by domain name is a little dangerous, both because the name may not map to the address you expect (as in the example above) and because if you're using a troubleshooting tool such as nslookup or dig, DNS is probably misbehaving anyway. The last thing you want is to spend a lot of time troubleshooting a problem only to find that you're not querying the name server you thought you were. So if you do specify the name server to query by name, double-check its address in the tool's output, and if in doubt, specify the name server by address instead.
In nslookup's non-interactive mode, you can specify the server to query after you specify the domain name to look up. For example:
% nslookup -type=aaaa suckerpunch.movie.edu. terminator.v6.movie.edu.
If you want to specify the server to query but still enter interactive mode, just use "-" in place of the domain name to query:
% nslookup - terminator.v6.movie.edu.
Finally, to forward-map and reverse-map IPv6 addresses, use the query types aaaa and ptr, respectively. Here's how you'd look up suckerpunch.movie.edu's IPv6 address:
% nslookup
> set q=aaaa
> suckerpunch.movie.edu.
Server: terminator.v6.movie.edu.
Address: 2001:db8:cafe:1::1#53
suckerpunch.movie.edu has AAAA address 2001:db8:cafe:f9::d3
>
And here's how you'd reverse-map the address. Note that you don't need to specify the query type explicitly; nslookup is smart enough to recognize the IPv6 address and send a PTR query for it. You also can use the abbreviated form of the IPv6 address, dropping leading zeroes from quartets and using the :: shortcut:
% nslookup
> 2001:db8:cafe:f9::d3
Server: terminator.v6.movie.edu.
Address: 2001:db8:cafe:1::1#53
3.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.f.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa name =
suckerpunch.movie.edu.
If you're feeling masochistic, you could specify all 34 labels of the domain name that corresponds to the IPv6 address, in which case you must explicitly change the query type to ptr:
% nslookup
> set type=ptr
> 3.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.f.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa.
Server: terminator.v6.movie.edu.
Address: 2001:db8:cafe:1::1#53
3.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.f.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa name =
suckerpunch.movie.edu.
Of course, you can also do both from the command line, like so:
% nslookup -type=aaaa suckerpunch.movie.edu.
and
% nslookup 2001:db8:cafe:f9::d3
dig
The chief difference between nslookup and dig is that dig has no interactive mode: you specify everything at the command line. And dig is smart enough, in most cases, to differentiate between domain names and record types, so you can specify those in whichever order you like. To query a name server other than the first one in resolv.conf, type an @ followed by its domain name or IP address. As I mentioned earlier, if you use a domain name that owns both AAAA and A records, recent versions of dig will use the IPv6 address (add -4 or -6 to force the matter), so:
% dig @terminator.movie.edu. soa movie.edu.
has the same effect as
% dig @2001:db8:cafe:1::1 soa movie.edu.
To look up a AAAA record, just specify aaaa on the command line:
% dig aaaa suckerpunch.movie.edu.
or
% dig suckerpunch.movie.edu. aaaa
Either way, the output will look something like this:
; <<>> DiG 9.8.0 <<>> suckerpunch.movie.edu. aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21059
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
;; QUESTION SECTION:
;suckerpunch.movie.edu. IN AAAA
;; ANSWER SECTION:
suckerpunch.movie.edu. 86400 IN AAAA 2001:db8:cafe:f9::d3
;; AUTHORITY SECTION:
movie.edu. 86400 IN NS terminator.movie.edu.
movie.edu. 86400 IN NS wormhole.movie.edu.
;; ADDITIONAL SECTION:
terminator.movie.edu. 86400 IN A 192.249.249.1
terminator.movie.edu. 86400 IN AAAA 2001:db8:cafe:1::1
wormhole.movie.edu. 86400 IN A 192.249.249.3
wormhole.movie.edu. 86400 IN A 192.253.253.3
wormhole.movie.edu. 86400 IN AAAA 2001:db8:cafe:2::1
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 27 19:42:46 2011
;; MSG SIZE rcvd: 219
To reverse-map an IPv6 address, avail yourself of the handy -x command-line option, which takes an IPv6 address (rather than its equivalent 34-label domain name) as an argument:
% dig -x 2001:db8:cafe:f9::d3
One trick suggested by Owen DeLong, one of my technical reviewers, is to let dig do the hard work of creating the 34-label owner name of an IPv6 PTR record for you. For example, rather than laboriously typing the owner name that corresponds to 2620:0:930::400:933, you could simply run dig -x 2620:0:930::400:933:
% dig -x 2620:0:930::400:933
; <<>> DiG 9.6.0-APPLE-P2 <<>> -x 2620:0:930::400:933
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28788
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;3.3.9.0.0.0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.9.0.0.0.0.0.0.2.6.2.ip6.arpa. IN PTR
...
Then copy the owner name from the line below ;; QUESTION SECTION: and paste it into your zone data file. (The NXDOMAIN status in the header is expected here: the PTR record you're about to add doesn't exist yet.)
Like nslookup, dig digs the abbreviated form of the IPv6 address. If you want to do it the hard way, you'll have to specify the PTR query type on the command line:
% dig ptr 3.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.f.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa.
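When you are troubleshooting, the warning in the nslookup note applies just as much to dig: confirm that the response came from the server you meant to ask. The following added example (Python; not code from the book or from dig) parses dig's output into its header status, flags, question, answering server and sections, and reports when the SERVER line, the status, the aa flag or the answer type isn't what you expected. Its sample inputs are the two dig outputs reproduced above, embedded inline; the second stops where the book elides the rest.

```python
import re

# The dig output shown in the text, embedded as sample input.
SAMPLE = """\
; <<>> DiG 9.8.0 <<>> suckerpunch.movie.edu. aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21059
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
;; QUESTION SECTION:
;suckerpunch.movie.edu. IN AAAA
;; ANSWER SECTION:
suckerpunch.movie.edu. 86400 IN AAAA 2001:db8:cafe:f9::d3
;; AUTHORITY SECTION:
movie.edu. 86400 IN NS terminator.movie.edu.
movie.edu. 86400 IN NS wormhole.movie.edu.
;; ADDITIONAL SECTION:
terminator.movie.edu. 86400 IN A 192.249.249.1
terminator.movie.edu. 86400 IN AAAA 2001:db8:cafe:1::1
wormhole.movie.edu. 86400 IN A 192.249.249.3
wormhole.movie.edu. 86400 IN A 192.253.253.3
wormhole.movie.edu. 86400 IN AAAA 2001:db8:cafe:2::1
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 27 19:42:46 2011
;; MSG SIZE rcvd: 219
"""

# The start of the dig -x output shown in the text (the book elides the rest).
NXDOMAIN_SAMPLE = """\
; <<>> DiG 9.6.0-APPLE-P2 <<>> -x 2620:0:930::400:933
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28788
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;3.3.9.0.0.0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.9.0.0.0.0.0.0.2.6.2.ip6.arpa. IN PTR
"""


def parse_dig(text):
    """Parse dig's text output into status, flags, the question tuple,
    the answering server and the records of each section."""
    result = {"status": None, "flags": set(), "question": None, "server": None,
              "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";;"):                 # dig's own commentary
            body = line[2:].strip()
            if body.startswith("->>HEADER<<-"):
                result["status"] = re.search(r"status: (\w+)", body).group(1)
            elif body.startswith("flags:"):
                result["flags"] = set(body[6:].split(";")[0].split())
            elif body.startswith("SERVER:"):       # "addr#port(addr)": keep addr
                result["server"] = body[7:].strip().split("#")[0]
            elif body.endswith("SECTION:"):
                section = body.split()[0]
            continue
        if line.startswith(";"):                  # the question is printed commented out
            if section == "QUESTION":
                result["question"] = tuple(line[1:].split())
            continue
        if section in result:                     # name ttl class type rdata
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            result[section].append((name, int(ttl), rclass, rtype, rdata))
    return result


def check_answer(text, expected_server=None, want_type="AAAA"):
    """List what is wrong with a response; an empty list means it came from
    the server you meant to ask, succeeded, and holds the type you asked for."""
    r = parse_dig(text)
    problems = []
    if expected_server and r["server"] != expected_server:
        problems.append(f"answered by {r['server']}, not {expected_server}")
    if r["status"] != "NOERROR":
        problems.append(f"status {r['status']}")
    if "aa" not in r["flags"]:
        problems.append("not an authoritative answer (no aa flag)")
    if "tc" in r["flags"]:
        problems.append("truncated; retry with +tcp")
    if not any(rec[3] == want_type for rec in r["ANSWER"]):
        problems.append(f"no {want_type} record in the answer section")
    return problems


if __name__ == "__main__":
    print(check_answer(SAMPLE, expected_server="2001:db8:cafe:1::1"))
    print(parse_dig(NXDOMAIN_SAMPLE)["question"][0])   # the 34-label owner name
```

Run against the first sample with terminator's IPv6 address as the expected server, the check reports that the answer actually came from 127.0.0.1, which is exactly the mistake the earlier note warns about; the second call pulls the 34-label ip6.arpa owner name out of the question section, automating Owen DeLong's trick.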