Since some time I'm running IPv6 in the lab using a hexago/go6/gogo6/gateway6 tunnel, or whatever it's called these days.
While providing v6 connectivity is the easy part, resolving names and providing an IPv6 capable DNS server to the hosts is a different story.
So first of all, v6 enabled hosts should be able to connect via v6 to a DNS server to resolve names. If they're dual-stacked they can keep going with v4, but if they're v6 only a v6 transport capable DNS is needed.
So I had to run my own DNS server. Nothing special there, BIND is included in FreeBSD, set it up to forward requests, using AARNet's and HurricaneElectric's DNS as forwarders.
But how does the DNS server announce itself to the clients? How will they get an entry in /etc/resolv.conf?
Well there are two possibilities: RFC6106 (better known as RDNSS and DNSSL options for RA) or Avahi.
Starting with FreeBSD 9.0, support for RFC6106 is included, which makes it very easy to run. On the server running the tunnel endpoint and thus rtadvd simply add the following two lines to /etc/rtadvd.conf (obviously change them to your needs):
em0:\
:rdnss="2001:db8::1":\
:dnssl="example.org":
Clients supporting RFC6106 will pick up the advertisement and add it to their resolv.conf.
Unfortunately not all clients support RFC6106, so Avahi supplies an alternative:
On the server, avahi-daemon.conf can be configured to advertise a DNS server by adding the following line:
publish-dns-servers=2001:db8::1
On the clients running Avahi, it's then necessary to run avahi-dnsconfd in order to get the server added to the resolv.conf.
So far so good, Linux (runnind RDNSSD or NetworkManager), FreeBSD 9.0 and modern MacOSX (Lion) boxes will happily accept RDNSS advertisements, older versions of the OSes can run Avahi and get a DNS server. Windows is left out unless you want to deploy a DHCPv6 server as well, which I don't at the moment.
Now a good side effect of using Avahi is that it comes with nss-mdns, which allows to resolve names in the local network via MDNS.
This comes in pretty handy, as IPv6 addresses are a bit hard to remember.
Now the perfect next step would be to have Avahi (or any other mdns client) updating the DNS server with the host names, so that hosts could be accessed directly by their name from everywhere. Unfortunately there is still some work to be done, but it could be fixed soon, by interns at CAIA.
Anyhow, for the moment it means that AAAA records have to be entered by hand into the DNS.
But there comes the next problem:
If I claim the zone "caia.swin.edu.au" in my DNS server but enter only AAAA records, I won't be able to resolve any A record anymore, as my DNS would reply with a negative answer to such queries. There would be no fallback from the client to the additional v4 DNS servers in its resolv.conf, as that only happens in the case of a timeout.
So it would be ideal to claim "caia.swin.edu.au" only for AAAA entries in my DNS, and forward any other queries to my forwarder.
Well, seems BIND can't do that, so I switched to Unbound. I actually like it, and not only because we did already collaborate with Nominet or are in touch with people from NlNet labs :-).
The reason Unbound is great is because it has the zone type typetransparent, which does exactly what I need. If the query for the RR type can be resolved locally, do it locally, otherwise forward it. As simple.
The relevant unbound.conf entry is similar to this one:
local-zone: "caia.swin.edu.au." typetransparent
local-data: "example.caia.swin.edu.au IN AAAA 2001:db8::1"
This line will resolve AAAA queries for example.caia.swin.edu.au locally, but forward A queries for example.caia.swin.edu.au to a forwarder.
You can add as many local-data entries as needed.
The forwarder needs to be configured as well:
forward-zone:
name: "."
forward-addr: 2001:db8::2
That's all you need.
Unbound also has Python bindings, which might make it quite easy to interface Avahi with Unbound as Avahi has Python bindings as well. Something worth to explore in future.
No comments:
Post a Comment