Tuesday, March 22, 2011

BIND 9.8.0 Adds DNS64 Support - Part 2 - How is it configured?

BIND 9.8.0 introduced a new dns64 statement that can be configured within the named.conf options block or within a view. Recall from a prior post that DNS64 has a recursive DNS server answer a client's AAAA query, when the queried name has no AAAA records, by querying for the name's A records and embedding each returned IPv4 address into a configured IPv6 prefix. This synthesized IPv6 address leads the querying host to a NAT64 gateway, which terminates the IPv6 connection from the client and maps it to an outbound IPv4 connection to the embedded IPv4 address, completing the connection! Whew!

BIND offers a number of useful parameters within the dns64 statement to control this process. Each dns64 statement defines one prefix, and several statements may be configured. The statement syntax is:

dns64 IPv6_prefix {
    [ clients { address_match_list }; ]
    [ mapped { address_match_list }; ]
    [ exclude { address_match_list }; ]
    [ suffix IPv6_addr; ]
    [ recursive-only ( yes | no ); ]
    [ break-dnssec ( yes | no ); ]
};

The IPv6_prefix parameter is required. It is the prefix into which returned IPv4 addresses are embedded, and, per RFC 6052, its length must be 32, 40, 48, 56, 64 or 96 bits.

The clients parameter is an address match list of the clients for whom the service is provided; the default is any. This is similar to match-clients in a view statement.

The mapped parameter is an address match list selecting which IPv4 addresses in the A resource record set are mapped into synthesized AAAA answers; the default is any. Negated entries (prefixed with !) leave addresses out, for example private addresses or any other addresses where mapping is not desired.

The exclude parameter concerns answers rather than clients. Normally DNS64 is not applied to a name that already owns AAAA records; those records are simply returned. exclude is an address match list of IPv6 addresses that are ignored if they appear in a name's AAAA records, so that DNS64 mapping is still applied to the name's A records. The default is ::ffff:0.0.0.0/96, the IPv4-mapped range, which an IPv6-only client behind a NAT64 cannot use.

The suffix sets the bits that trail the mapped IPv4 address in the synthesized response; the default is ::. The suffix bits that overlap the prefix and the embedded IPv4 address must be zero. With a 96-bit prefix, for example, the 32-bit IPv4 address fills the remainder of the 128-bit address and there is nothing left for a suffix; with shorter prefixes the trailing bits after the IPv4 address, laid out as RFC 6052 describes, are available.

The recursive-only parameter, when set to yes, restricts DNS64 synthesis to recursive queries; the default is no.

The break-dnssec parameter controls what happens when the client set the DO bit and the applicable records carry RRSIGs. With the default of no, named does not synthesize AAAA records in that case, since the synthesized records would fail DNSSEC validation on the client; with yes, synthesis happens anyway.

Another nice feature of DNS64 support in BIND is the automatic creation of an ip6.arpa reverse zone for the IPv6_prefix. It answers reverse queries under the prefix with synthesized CNAMEs pointing at the in-addr.arpa names of the embedded IPv4 addresses. IPv6 reverse domains are lengthy and error-prone to type, so this leaves one less opportunity for error. The server name and contact name placed in the SOA record of each such reverse zone are set with the dns64-server and dns64-contact options, which are configured at the options or view level rather than per prefix.
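To make the interaction of these parameters concrete, here is an added example (my own Python, not BIND's code and not part of the original post) that models what a dns64 statement does: it embeds an IPv4 address into a prefix using the RFC 6052 layout, enforces the suffix rule, applies clients, exclude and mapped as first-match-wins address match lists, and derives the ip6.arpa reverse zone and the synthesized CNAME described above. The configuration dictionary, prefixes and addresses are constructed for illustration; the cfg keys mirror the statement's parameter names.

```python
import ipaddress

# Added example, not BIND code: a model of the synthesis and ACL rules the dns64
# parameters describe, using the RFC 6052 address layout.  Sample prefixes,
# addresses and the cfg dictionary are constructed for illustration.

ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
DEFAULT_EXCLUDE = ["::ffff:0.0.0.0/96"]   # BIND's documented default for exclude


def _v4_layout(plen):
    """(width, left-shift) chunks, most significant first, giving where the 32
    IPv4 bits sit.  Below /96 they straddle the reserved u octet (bits 64-71)."""
    if plen == 96:
        return [(32, 0)]
    hi = 64 - plen                    # IPv4 bits that fit before the u octet
    lo = 32 - hi                      # IPv4 bits that continue after it
    layout = []
    if hi:
        layout.append((hi, 64))       # chunk ends at bit 63
    if lo:
        layout.append((lo, 56 - lo))  # chunk starts at bit 72
    return layout


def synthesize_aaaa(prefix, ipv4, suffix="::"):
    """Embed ipv4 into prefix and OR in suffix.  Rejects prefix lengths BIND does
    not accept and a suffix whose bits collide with the prefix, u octet or IPv4."""
    net = ipaddress.IPv6Network(prefix)       # strict: host bits must be zero
    if net.prefixlen not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError("prefix length must be 32, 40, 48, 56, 64 or 96")
    v4 = int(ipaddress.IPv4Address(ipv4))
    addr = int(net.network_address)
    used = int(net.netmask)                   # bits occupied by the prefix
    if net.prefixlen < 96:
        used |= 0xff << 56                    # the u octet, bits 64-71
    bits_left = 32
    for width, shift in _v4_layout(net.prefixlen):
        bits_left -= width
        chunk = (v4 >> bits_left) & ((1 << width) - 1)
        addr |= chunk << shift
        used |= ((1 << width) - 1) << shift
    sfx = int(ipaddress.IPv6Address(suffix))
    if sfx & used:
        raise ValueError("suffix bits overlap the prefix, u octet or IPv4 address")
    return str(ipaddress.IPv6Address(addr | sfx))


def extract_ipv4(prefix, ipv6):
    """Inverse of synthesize_aaaa: recover the embedded IPv4 address."""
    plen = ipaddress.IPv6Network(prefix).prefixlen
    a = int(ipaddress.IPv6Address(ipv6))
    v4 = 0
    for width, shift in _v4_layout(plen):
        v4 = (v4 << width) | ((a >> shift) & ((1 << width) - 1))
    return str(ipaddress.IPv4Address(v4))


def acl_match(acl, address):
    """First-match-wins evaluation of a BIND-style address_match_list given as
    strings: 'any', 'none' or a CIDR, each optionally negated with '!'."""
    ip = ipaddress.ip_address(address)
    for entry in acl:
        negate = entry.startswith("!")
        item = entry.lstrip("!").strip()
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        else:                          # mixed IPv4/IPv6 never matches
            hit = ip in ipaddress.ip_network(item, strict=False)
        if hit:
            return not negate
    return False                       # no element matched: denied


def dns64_answer(cfg, client, a_rrset, aaaa_rrset):
    """AAAA answer for one name given the A and AAAA RRsets the resolver found;
    cfg mirrors one dns64 statement (prefix, clients, mapped, exclude, suffix)."""
    if not acl_match(cfg.get("clients", ["any"]), client):
        return list(aaaa_rrset)        # not a DNS64 client: answer untouched
    exclude = cfg.get("exclude", DEFAULT_EXCLUDE)
    if any(not acl_match(exclude, a) for a in aaaa_rrset):
        return list(aaaa_rrset)        # a usable real AAAA record exists
    mapped = cfg.get("mapped", ["any"])
    return [synthesize_aaaa(cfg["prefix"], a, cfg.get("suffix", "::"))
            for a in a_rrset if acl_match(mapped, a)]


def reverse_zone(prefix):
    """Name of the ip6.arpa zone BIND creates for a dns64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_cname(prefix, ipv6):
    """(owner name in the reverse zone, in-addr.arpa CNAME target) for a mapped address."""
    nibbles = ipaddress.IPv6Address(ipv6).exploded.replace(":", "")
    owner = ".".join(reversed(nibbles)) + ".ip6.arpa"
    target = ".".join(reversed(extract_ipv4(prefix, ipv6).split("."))) + ".in-addr.arpa"
    return owner, target


# Constructed sample, equivalent to:
#   dns64 64:ff9b::/96 { clients { 2001:db8:1::/48; }; mapped { !10.0.0.0/8; any; }; };
SAMPLE_CFG = {"prefix": "64:ff9b::/96",
              "clients": ["2001:db8:1::/48"],
              "mapped": ["!10.0.0.0/8", "any"]}

if __name__ == "__main__":
    print(dns64_answer(SAMPLE_CFG, "2001:db8:1::10", ["192.0.2.1", "10.1.1.1"], []))
    print(reverse_zone(SAMPLE_CFG["prefix"]))
    print(reverse_cname(SAMPLE_CFG["prefix"], "64:ff9b::c000:201"))
```

Running it shows 192.0.2.1 becoming 64:ff9b::c000:201 for a client inside 2001:db8:1::/48 while 10.1.1.1 is dropped by the negated mapped entry, and that a name whose only AAAA record is an IPv4-mapped address (inside the default exclude) still receives a synthesized answer. The suffix check reproduces BIND's rule that suffix bits may not overlap the prefix or the embedded IPv4 address, so a suffix of ::1 is rejected with a /96 prefix but accepted with a /64.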
