In message 7bc44907-7c33-4f7c-9868-92798b7ef...@gmail.com, Chris Buxton write
s:
Can't be done with just BIND. You need some kind of solution to strip =
out the private IPv4 address space before publishing data to the outside =
world. (Are you sure your workstations really need to have their =
routable addresses published to the outside world? Sounds dangerous to =
me.)
For example, you could write a script that would grab a copy of the =
internal zone, strip out what you don't want, and republish on an =
external-facing name server, and then run that script on a 5 minute cron =
job.
Or use dig and ixfr to get the recent changes to the internal zone and
apply the ones that match your filter the external zones.
e.g.
% dig +noall +answer ixfr=2007104570 dv.isc.org | awk -f ixfr2nsupdate
update delete sapphire.dv.isc.org. 1200IN A 192.168.1.2
update add sapphire.dv.isc.org. 1200IN A 192.168.1.2
update delete sapphire.dv.isc.org. 1200IN A 192.168.1.2
update add sapphire.dv.isc.org. 1200IN A 192.168.1.5
%
ixfr2nsupdateupdate:
BEGIN { mode=none; }
$4 == SOA {
if (mode == none) { mode = add; }
else if (mode == delete) { mode = add }
else { mode = delete };
next;
}
$4 == RRSIG || $4 == NSEC || $4 == NSEC3 || $4 == NSEC3PARAM { next }
{ print update, mode, $0 }
Mark
Chris Buxton
BlueCat Networks
On Jan 24, 2011, at 7:28 AM, Michael Himbeault wrote:
So I appear to have fallen into the cracks of stuff the internet is =
completely useless for looking up. I can't come up with any useful set =
of keywords, so here I am.
=20
I'm attempting to configure DDNS between ISC DHCPD and BIND. I want =
DDNS for both IPv4 and IPv6. I have this. Cool. Now, I want to publish =
the IPv6 DDNS mappings out to the internet at large so every host can =
have a publicly routable IP address and no one has to remember any 32 =
character addresses. I would like this to be accomplished by everyone =
hanging off of the domain.
=20
For example a computer (hostname: pinky) connects to the network, and =
now everyone on the internal network can ping either pinky or =
pinky.example.com. If they are IPv4 only, they will get pinky's IPv4 =
leased address, and if they are dual-stack or IPv6 they will get pinky's =
IPv6 address since pinky.riebart.ca will have both A and records. I =
also want anyone on the internet at large to be able to ping =
pinky.example.com and, if they are IPv6 enabled, will get replies since =
pinky's IPv6 address is publicly routable. Attempts to get an A record =
for pinky.example.com should fail.
=20
Problem is, how do I do this without polluting the internet with my =
private IPv4 DDNS mappings and without requiring an extra subdomain? The =
inside clients need to see both the IPv6 and IPv4 mappings, but the =
external queries should never see the IPv4 mappings. I can't just =
copy-past the zone files since they are both being dynamicly updated =
through DDNS. Additionally, since the DHCP client support for DHCP =
option 119 (DNS domain search list) is pretty abysmal I would really =
like to not have to put ipv4 mappings onto HOSTNAME.ipv4.example.com.
=20
Any suggestions?
=20
Thanks,
Mike ___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--Apple-Mail-64--231457544
Content-Transfer-Encoding: 7bit
Content-Type: text/html;
charset=us-ascii
htmlhead/headbody style=word-wrap: break-word; -webkit-nbsp-mode: spa
ce; -webkit-line-break: after-white-space; divCan't be done with just BIN
D. You need some kind of solution to strip out the private IPv4 address space
before publishing data to the outside world. (Are you sure your workstations
really need to have their routable addresses published to the outside world?
Sounds dangerous to me.)/divdivbr/divdivFor example, you could wri
te a script that would grab a copy of the internal zone, strip out what you d
on't want, and republish on an external-facing name server, and then run that
script on a 5 minute cron job./divdivbr/divdivChris Buxton/divd
ivBlueCat Networks/divbrdivdivOn Jan 24, 2011, at 7:28 AM, Michael H
imbeault wrote:/divbr class=Apple-interchange-newlineblockquote type=
citeSo I appear to have fallen into the cracks of stuff the internet is
completely useless for looking up. I can't come up with any useful set
of keywords, so here I am.br
br
I'm attempting to configure DDNS between ISC DHCPD and BIND. I want DDNS
for both IPv4 and IPv6. I have this. Cool. Now, I want to publish the
IPv6 DDNS mappings out to the internet at large so every host can have a publ
icly routable IP
address and no one has to remember any 32 character addresses. I would like t
his to be accomplished by everyone hanging off
of the domain.br
br
For example a computer