Bind with publicly routable DDNS mappings for IPv6 but not IPv4

2011-01-24 Thread Michael Himbeault
So I appear to have fallen into the cracks of stuff the internet is
completely useless for looking up. I can't come up with any useful set of
keywords, so here I am.

I'm attempting to configure DDNS between ISC DHCPD and BIND. I want DDNS for
both IPv4 and IPv6. I have this. Cool. Now, I want to publish the IPv6 DDNS
mappings out to the internet at large so every host can have a publicly
routable IP address and no one has to remember any 32 character addresses. I
would like this to be accomplished by everyone hanging off of the domain.

For example, a computer (hostname: pinky) connects to the network, and now
everyone on the internal network can ping either pinky or pinky.example.com.
If they are IPv4 only, they will get pinky's IPv4 leased address, and if
they are dual-stack or IPv6 they will get pinky's IPv6 address since
pinky.riebart.ca will have both A and AAAA records. I also want anyone on
the internet at large to be able to ping pinky.example.com and, if they are
IPv6 enabled, will get replies since pinky's IPv6 address is publicly
routable. Attempts to get an A record for pinky.example.com should fail.

Problem is, how do I do this without polluting the internet with my private
IPv4 DDNS mappings and without requiring an extra subdomain? The inside
clients need to see both the IPv6 and IPv4 mappings, but the external
queries should never see the IPv4 mappings. I can't just copy-paste the zone
files since they are both being dynamically updated through DDNS.
Additionally, since the DHCP client support for DHCP option 119 (DNS domain
search list) is pretty abysmal I would really like to not have to put IPv4
mappings onto HOSTNAME.ipv4.example.com.

Any suggestions?

Thanks,
Mike
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind with publicly routable DDNS mappings for IPv6 but not IPv4

2011-01-24 Thread Chris Buxton
Can't be done with just BIND. You need some kind of solution to strip out the 
private IPv4 address space before publishing data to the outside world. (Are 
you sure your workstations really need to have their routable addresses 
published to the outside world? Sounds dangerous to me.)

For example, you could write a script that would grab a copy of the internal 
zone, strip out what you don't want, and republish on an external-facing name 
server, and then run that script on a 5 minute cron job.

Chris Buxton
BlueCat Networks

On Jan 24, 2011, at 7:28 AM, Michael Himbeault wrote:


Re: Bind with publicly routable DDNS mappings for IPv6 but not IPv4

2011-01-24 Thread Mark Andrews

In message 7bc44907-7c33-4f7c-9868-92798b7ef...@gmail.com, Chris Buxton writes:
 Can't be done with just BIND. You need some kind of solution to strip out the private IPv4 address space before publishing data to the outside world. (Are you sure your workstations really need to have their routable addresses published to the outside world? Sounds dangerous to me.)
 
 For example, you could write a script that would grab a copy of the internal zone, strip out what you don't want, and republish on an external-facing name server, and then run that script on a 5 minute cron job.

Or use dig and ixfr to get the recent changes to the internal zone and
apply the ones that match your filter to the external zones.

e.g.
% dig +noall +answer ixfr=2007104570 dv.isc.org | awk -f ixfr2nsupdate
update delete sapphire.dv.isc.org. 1200 IN A 192.168.1.2
update add sapphire.dv.isc.org. 1200 IN A 192.168.1.2
update delete sapphire.dv.isc.org. 1200 IN A 192.168.1.2
update add sapphire.dv.isc.org. 1200 IN A 192.168.1.5
% 

ixfr2nsupdate:
BEGIN { mode = "none"; }
# each SOA in the IXFR answer switches between the delete and add halves of a change set
$4 == "SOA" {
	if (mode == "none") { mode = "add"; }
	else if (mode == "delete") { mode = "add" }
	else { mode = "delete" };
	next;
}
# DNSSEC records are not replayed
$4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" || $4 == "NSEC3PARAM" { next }
{ print "update", mode, $0 }

Mark
 
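As an added example of the dig/ixfr approach Mark describes (this is not code from the thread and not an ISC tool), the script below converts the incremental-transfer output into nsupdate commands and applies the filter he leaves to the reader: A records in RFC 1918 space are dropped, so only AAAA records and public A records reach the external zone. The zone names, addresses, serials and the sample transfer are constructed for the example; the nsupdate key path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example for the bind-users thread above; not the script from the
# thread and not part of BIND. It takes the output of
#   dig +noall +answer ixfr=<serial> <zone>
# on stdin and prints nsupdate commands for the external zone, dropping A
# records in RFC 1918 space so private IPv4 leases are never published.

ixfr2nsupdate() {
  awk '
    # Each SOA in an IXFR answer separates the delete half from the add half
    # of a change set; the first SOA is just the header.
    BEGIN { mode = "none" }
    $4 == "SOA" {
      if (mode == "none" || mode == "delete") mode = "add"; else mode = "delete"
      next
    }
    # DNSSEC records are never replayed into another zone.
    $4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" || $4 == "NSEC3PARAM" { next }
    # The filter this thread asks for: no private IPv4 addresses go outside.
    $4 == "A" && is_private($5) { next }
    { print "update", mode, $0 }
    END { print "send" }

    # RFC 1918: 10/8, 172.16/12, 192.168/16.
    function is_private(ip,    o) {
      split(ip, o, ".")
      if (o[1] + 0 == 10) return 1
      if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 1
      if (o[1] + 0 == 192 && o[2] + 0 == 168) return 1
      return 0
    }
  '
}

# Constructed sample of an incremental transfer: header SOA, old SOA followed
# by deletions, new SOA followed by additions, closing SOA. pinky moved from
# 192.168.1.2 / 2001:db8::2 to 192.168.1.5 / 2001:db8::5.
sample_ixfr() {
  cat <<'EOF'
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2011012402 3600 900 604800 300
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2011012401 3600 900 604800 300
pinky.example.com. 1200 IN A 192.168.1.2
pinky.example.com. 1200 IN AAAA 2001:db8::2
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2011012402 3600 900 604800 300
pinky.example.com. 1200 IN A 192.168.1.5
pinky.example.com. 1200 IN AAAA 2001:db8::5
pinky.example.com. 1200 IN RRSIG AAAA 8 3 1200 20110301000000 20110201000000 12345 example.com. c29tZXNpZw==
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2011012402 3600 900 604800 300
EOF
}

# The filtered commands that would be piped to nsupdate for the external zone.
filtered_sample() {
  sample_ixfr | ixfr2nsupdate
}

# Real use (not run here; the key path is a placeholder):
#   dig +noall +answer ixfr="$last_serial" example.com | ixfr2nsupdate \
#     | nsupdate -k /path/to/external-zone-key.private
filtered_sample
```

Only the two AAAA changes survive the filter; the private A records are dropped and the RRSIG is skipped, so the output is the `update delete`, `update add` and `send` lines the external server's nsupdate would consume. The serial you feed to `ixfr=` has to be the one the external copy last saw, otherwise the transfer falls back to a full zone and the SOA toggling no longer describes a change set.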