> On 3 Oct 2019, at 10:49 am, Doug Barton <do...@dougbarton.us> wrote:
> 
> On 10/2/19 3:03 PM, Naslund, Steve wrote:
>> The next largest hurdle is trying to explain to your server guys that you 
>> are going to go with all dynamically assigned addressing now
> 
> Completely false, but a very common misconception. There is nothing about 
> IPv6 that prevents you from assigning static addresses.

There is also nothing stopping machines updating their addresses in the DNS 
dynamically and securely.  Active Directory has been doing this for years with 
GSS-TSIG.  One can also use TSIG or SIG(0) to achieve the same thing.

Create a public key pair and store it in the DNS using a KEY record at the 
entity's name. Use SIG(0)-signed update requests to update the records of the 
machine in the DNS as needed.  This works for all record types that need to be 
updated, be they address records or other records.  This is conceptually no 
different to an administrator adding a machine to an Active Directory domain.  
See RFC 2136 (UPDATE), RFC 2931 (SIG(0)).

There are also drafts describing how to add machines on a first-use basis that 
don't require an administrator to add the KEY record and, when combined with 
TIMEOUT records (draft stage), get garbage collected.  This is most useful for 
home networks.

You can also add PTR records in reverse trees just by performing the update 
from the matching IP address over TCP.

Have a look at the dynamic update policies supported by the DNS server.

>> and explaining to your system admin that can’t get a net mask in v4 figured 
>> out, how to configure their systems for IPv6.
> 
> If they only need an outbound connection, they probably don't need any 
> configuration. The instructions for assigning a static address for inbound 
> connections vary by OS, but I've seen a lot of them, and none of them are 
> more than 10 lines long.
> 
> Regarding the previous comments about all the drama of adding DNS records, 
> etc.; that is what IPAM systems are for. If you're small enough that you 
> don't need an IPAM for IPv4, you almost certainly don't for IPv6.
> 
> IPv6 is different, but it's not any more difficult to learn than IPv4. (You 
> weren't born understanding IPv4 either.)
> 
> Doug

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
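The update-and-verify exchange sketched in the mail above, as an added example that is not part of the original message and not ISC/BIND code. It uses TSIG (RFC 8945, the shared-secret alternative Mark mentions alongside SIG(0)) because an HMAC needs nothing beyond the Python standard library, whereas a SIG(0) request needs a public-key signature over the same message; the zone example.net., the hosts host1/host2, the secret and the addresses are all constructed. The `authorized` function is the example's own stand-in for the server's update policy; the BIND rule it mirrors is `update-policy { grant * self * A AAAA; };`, which lets a key change only the A/AAAA RRsets at its own name.

```python
"""Added example (not from the mail or from ISC/BIND): an RFC 2136 UPDATE signed with
TSIG hmac-sha256, verified by a 'server', then checked against a per-host policy.
Names, secret and addresses are constructed for the example; stdlib only."""
import hashlib
import hmac
import ipaddress
import os
import struct
import time

TYPE_A, TYPE_SOA, TYPE_AAAA, TYPE_TSIG = 1, 6, 28, 250
CLASS_IN, CLASS_ANY = 1, 255
UPDATE_FLAGS = 5 << 11      # QR=0, OPCODE=5 (UPDATE)
ALG = "hmac-sha256."
FUDGE = 300                 # seconds of clock skew the signature tolerates


def encode_name(name):
    """Uncompressed wire-format name; pass a lowercased name for TSIG's canonical form."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(wire, off):
    labels = []
    while wire[off]:
        n = wire[off]
        if n & 0xC0:
            raise ValueError("compression pointers are not used in this example")
        labels.append(wire[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, owner, addr, ttl=300, msg_id=None):
    """UPDATE replacing owner's AAAA RRset: a 'delete RRset' RR (class ANY) then an 'add' RR."""
    msg_id = int.from_bytes(os.urandom(2), "big") if msg_id is None else msg_id
    header = struct.pack("!HHHHHH", msg_id, UPDATE_FLAGS, 1, 0, 2, 0)  # ZO=1 PR=0 UP=2 AD=0
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    updates = (rr(owner, TYPE_AAAA, CLASS_ANY, 0, b"") +
               rr(owner, TYPE_AAAA, CLASS_IN, ttl, ipaddress.IPv6Address(addr).packed))
    return header + zone_section + updates


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' hashed after the message (RFC 8945 section 4.3.3)."""
    return (encode_name(keyname.lower()) + struct.pack("!HI", CLASS_ANY, 0) +
            encode_name(ALG) + time_signed.to_bytes(6, "big") +
            struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(message, keyname, secret, now=None):
    """Client side: append a TSIG RR to an unsigned request and bump ARCOUNT."""
    now = int(time.time()) if now is None else now
    mac = hmac.new(secret, message + tsig_variables(keyname, now, FUDGE), hashlib.sha256).digest()
    rdata = (encode_name(ALG) + now.to_bytes(6, "big") + struct.pack("!HH", FUDGE, len(mac)) +
             mac + message[0:2] + struct.pack("!HH", 0, 0))   # original ID, error, other len
    arcount = struct.unpack("!H", message[10:12])[0]
    return (message[:10] + struct.pack("!H", arcount + 1) + message[12:] +
            rr(keyname, TYPE_TSIG, CLASS_ANY, 0, rdata))


def parse_update(wire):
    """Return (update-section RRs, additional-section RRs with their start offsets)."""
    _, _, zo, pr, up, ad = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(zo):
        _, off = decode_name(wire, off)
        off += 4                                   # ZTYPE + ZCLASS
    sections = []
    for count in (pr, up, ad):
        recs = []
        for _ in range(count):
            start = off
            name, off = decode_name(wire, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
            recs.append((start, (name, rtype, rclass, ttl, wire[off + 10:off + 10 + rdlen])))
            off += 10 + rdlen
        sections.append(recs)
    return [r for _, r in sections[1]], sections[2]


def tsig_verify(signed, keyring, now=None):
    """Server side: validate the TSIG; return (key name, update RRs) or raise ValueError."""
    now = int(time.time()) if now is None else now
    updates, additional = parse_update(signed)
    if not additional or additional[-1][1][1] != TYPE_TSIG:
        raise ValueError("FORMERR: request is not signed")
    start, (keyname, _, _, _, rdata) = additional[-1]
    secret = keyring.get(keyname.lower())
    if secret is None:
        raise ValueError("BADKEY: unknown key %s" % keyname)
    alg, o = decode_name(rdata, 0)
    time_signed = int.from_bytes(rdata[o:o + 6], "big")
    fudge, mac_len = struct.unpack("!HH", rdata[o + 6:o + 10])
    mac = rdata[o + 10:o + 10 + mac_len]
    if alg.lower() != ALG or abs(now - time_signed) > fudge:
        raise ValueError("BADTIME or unsupported algorithm")
    arcount = struct.unpack("!H", signed[10:12])[0]
    unsigned = signed[:10] + struct.pack("!H", arcount - 1) + signed[12:start]
    expected = hmac.new(secret, unsigned + tsig_variables(keyname, time_signed, fudge),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("BADSIG: MAC does not verify")
    return keyname.lower(), updates


def authorized(keyname, updates):
    """Stand-in for `grant * self * A AAAA;`: a host key may only touch A/AAAA at its own name."""
    return all(name.lower() == keyname and rtype in (TYPE_A, TYPE_AAAA)
               for name, rtype, _, _, _ in updates)
```

The point of `authorized` is the one that matters operationally: verifying the signature only tells the server which key spoke; the per-name policy is what stops host1's key (or a compromised host1) from rewriting host2's records. For SIG(0) the flow is identical except that the KEY RR published at the host's name replaces the shared secret and the MAC becomes a signature over the same message bytes.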
