<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<div class="moz-cite-prefix">On 16-Feb-22 07:38, Andrew Baker wrote:<br>
</div>
<blockquote type="cite"
cite="mid:%3CAS8P190MB1048956627E85ACC62B9BF7F8D359@AS8P190MB1048.EURP190.PROD.OUTLOOK.COM%3E">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0in;}ul
{margin-bottom:0in;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Firstly, thanks for the advice about the
hidden master the other day, that’s now setup, working fine
and we’ve just finished transferring about 4500 records
across!<o:p></o:p></p>
<p class="MsoNormal">My software team came up this morning and
slapped me across the face with a wet fish (figuratively
speaking as It’s not Thursday yet!) by informing me that they
are developing a mobile app for one of our companies that
Apple have mandated an ipv6 DNS requirement before they
publish.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">At the moment, all our infrastructure from
ISP device inwards is ipv4 so setting up the zone on our DNS
is going to require a lot of significant changes! There are a
couple of things reference all this that I’m unsure about and
am hoping you can educate me on.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Firstly, we are running bind 9.11 on Debian
10 hosts. <o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst"
style="margin-left:-.25in;mso-add-space:auto;mso-list:l1
level1 lfo1">
Is it worth use upgrading to Debian 11 to get the newer
version of bind?<o:p></o:p></li>
<li class="MsoListParagraphCxSpMiddle"
style="margin-left:-.25in;mso-add-space:auto;mso-list:l1
level1 lfo1">
Are there any issues/bugs/holes in 9.11 that will cause us a
problem, especially if we start messing with ipv6?<o:p></o:p></li>
<li class="MsoListParagraphCxSpMiddle"
style="margin-left:-.25in;mso-add-space:auto;mso-list:l1
level1 lfo1">
If I do upgrade the on-premise servers, is it better to do
master then slaves or the other way around?<o:p></o:p></li>
<li class="MsoListParagraphCxSpLast"
style="margin-left:-.25in;mso-add-space:auto;mso-list:l1
level1 lfo1">
If we have DNSSEC configured, is it going to break anything
upgrading? (I have lots of backups of the zones and hosts
files)<o:p></o:p></li>
</ul>
<p class="MsoNormal">Secondly, reference bind config<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst"
style="margin-left:-.25in;mso-add-space:auto;mso-list:l0
level1 lfo2">
For the “listen-on-v6” statement, are the only options still
‘none’ or ‘all’?<o:p></o:p></li>
<li class="MsoListParagraphCxSpMiddle"
style="margin-left:-.25in;mso-add-space:auto;mso-list:l0
level1 lfo2">
Can the “listen-on-v6” only be enabled globally in the
‘named.conf.options’ or is it possible to enable per zone as
we are (currently) only going to have 1 zone needing ipv6?<o:p></o:p></li>
<li class="MsoListParagraphCxSpLast"
style="margin-left:-.25in;mso-add-space:auto;mso-list:l0
level1 lfo2">
Once ipv6 is enabled. Is it advisable to setup a sub-domain
for the ipv6 addresses to avoid dual-stacking?<o:p></o:p></li>
</ul>
<p class="MsoNormal">The reverse zones for our ipv4 are handled
(badly) by our local telecoms provider. How big an issue is it
going to be for ipv6 if the reverse lookups are badly/not
implemented?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If our ISP can’t give us a public ipv6
address, can we still run our bind to give out ipv6 addresses
or not?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Finally, can anyone point me towards any
good reading on bind configuration and DNS best practice
(preferably with idiot proof examples)? I must decide fairly
quickly if we roll this zone back to our domain registrar who
is setup to handle ipv6 or do we strike out and bring our DNS
setup up to date and future proofed!<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal">Thanks for your time and expertise. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="RO">Andy
Baker<o:p></o:p></span></p>
<p class="MsoNormal"><b><span lang="RO"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<p>You can get IPv6 via a tunnel broker. Hurricane Electric
(<a class="moz-txt-link-freetext" href="http://he.net/">http://he.net/</a>) is one of the larger ones. You can get a /48
from them - for free. Bandwidth is modest. You can setup reverse
zones; they'll delegate. I don't think they support DNSSEC - it's
been on their wishlist for years.</p>
<p>I use 9.11 (and have used previous) versions of bind with IPv6 -
no IPv6 issues.</p>
<p>Zones have nothing to do with dual stack. If you create an AAAA
record, your host can be found via IPv6. If you create an A
record, IPv4. Both gives you "dual stack". I tend to create
x.v[46].example.net style names in addition to x.example.net for
cases where I want one or the other. This doesn't require a zone
- it's just a name. <br>
</p>
<p>One reason to not configure your host with both A and AAAA
records may be that most resolvers will prefer V6, but if you have
a tunnel for V6 & a wide pipe to your ISP, you may find that
you're connecting thru the tunnel & limited by its bandwidth.</p>
<p>There is no requirement for named to listen on IPv6 for it to
serve AAAA records. That's orthogonal, and dependent on what the
resolver(s) can live with.<br>
</p>
<p>HE has a lot of IPv6 educational materials (not bind-specific)
that are quite good.</p>
<p>Depending on where you are in the world, there are other
brokers. I switched to HE when SiXXS went out of business and
have been happy. I have no other connection to HE. YMMV.</p>
<p>DNSSEC doesn't care what transport protocol is used or what
records are served. It just signs them. Moving, you do need to
make sure that the keys and delegations are present on the
receiving end. Once the move is complete, it may be a good time
to do a key roll.<br>
</p>
<p>Finally, it's not clear from your note how you're setup, but if
you run your own servers, you need to meet the geographic
dispersion rules. At least 2 servers in two places. That's true
no matter what protocols you use. There are backup DNS services
that support IPv6. A free one that supports both IPv6 and DNSSEC
is puck.nether.net/dns.<br>
</p>
<p>There are plenty of DNS books/guides. I'll let someone else do
the reviews.<br>
</p>
<pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
</pre>
</body>
</html>