Internet-Draft | IP6.ARPA with Prefix Delegation | July 2024 |
Andrews | Expires 26 January 2025 | [Page] |
This document describes a method to automate the delegation of IP6.ARPA reverse zones when performing Prefix Delegations.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 26 January 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This document describes a method to automate the delegation of IP6.ARPA reverse zones when performing Prefix Delegations.¶
This will allow home users and small businesses to have IP6.ARPA zones without manual intervention on the part of the ISP.¶
1) CPE device generates a RSA key pair and stores this in non-volatile memory.¶
2) CPE device generates a DHCPv6 Prefix Delegation [RFC3633] request which includes a KEY-RDATA option (code point TBA), which contains a the rdata of a DNS KEY record containing a RSASHA256 key using the public components of the previously generated RSA key pair.¶
3) DHCP server updates DNS server based on the prefix it is delegating and the KEY-RDATA, using TSIG [RFC2845] for authentication, and responds with prefix. If this is a new prefix delegation, it will clear out all the old DNS records as part of the delegation process. If there are multiple prefixes being delegated the ISP's DNS server will be updated for all of them. If the delegated prefix is not nibble aligned then the server will update all the reverse apex names that cover the address space, i.e. 1, 2, 4 or 8 KEY records will be added all with the same rdata contents.¶
4) CPE device configures the nameserver built into it to serve the reverse of the delegated prefixes. Alternatively it may configure other nameservers to serve these zones, however the method to do that is out of scope for this document.¶
5) CPE device generates a DNS UPDATE [RFC2136] which delegates the reverse name space to itself and others if they have been configured. It uses SIG(0) [RFC2931] to sign the request, with owner name matching the reverse of the delegated prefix.¶
6) The ISP's DNS server is configured to accept self-signed requests (the owner name used in the SIG(0) signature matches the owner name of the data to be updated). It examines the request, looks at the KEY record added by the DHCPv6 server, and decides whether the request is valid.¶
If 2001:DB8:1:4::/62 is delegated then KEY records for¶
4.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA KEY ... 5.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA KEY ... 6.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA KEY ... 7.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA KEY ...¶
will be added. The CPE device will configure the nameservers to serve all of the following zones¶
4.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA 5.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA 6.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA 7.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA¶
then will send individual UPDATE messages to delegate each of the reverse zones.¶
% nsupdate -k K4.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA update add 4.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA NS ... send % nsupdate -k K5.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA update add 5.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA NS ... send % nsupdate -k K6.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA update add 6.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA NS ... send % nsupdate -k K7.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA update add 7.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA NS ... send¶
Named would be configured to accept dynamic updates from both the CPE devices and from the DHCP server.¶
zone 8.B.D.0.1.0.0.2.IP6.ARPA { type primary; file "8.B.D.0.1.0.0.2.IP6.ARPA.db"; update-policy { // allow 2 KEY, 10 NS and 8 DS records to be added grant * self . KEY(2) NS(10) DS(8); // allow the DHCP server add the KEY and cleanup grant dhcp-server-key subzone KEY NS DS; }; ... };¶
Allocate a DHCPv6 code point for KEY-RDATA.¶
The UPDATE requests are all signed. This is a proven method for securing UPDATE requests in the DNS.¶
As a RSA key is being used there is no issue with key material being sent in the clear.¶
Only the CPE device and the ISP itself is capable of creating, updating or destroying the delegation.¶