Re: [bitfolk] IPv6 reverse DNS

Author: Andy Smith
Date:  
To: users
Subject: Re: [bitfolk] IPv6 reverse DNS

gpg: Signature made Thu Oct 18 02:07:55 2018 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]
Hi Dom,

On Wed, Oct 17, 2018 at 06:14:22PM +0100, Dom Latter wrote:
> Bitfolk.com says:
>
> "For IPv6 we can delegate the IPv6 reverse zones to your nameservers. We
> can also provide up to three secondary nameservers for you."
>
> and the domain is registered and has DNS provided by 123-reg. Which
> doesn't seem to know about IPv6.


The reverse zone would not be one owned by you; it is one owned by
BitFolk, which we can delegate to you, so you can manage it.

If your /64 assignment was 2001:db8:1f1:f123::/64, then the
corresponding reverse zone would be:

$ sipcalc -r 2001:db8:1f1:f123::/64
-[ipv6 : 2001:db8:1f1:f123::/64] - 0

[IPV6 DNS]
Reverse DNS (ip6.arpa) -
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.2.1.f.1.f.1.0.8.b.d.0.1.0.0.2.ip6.arpa.

So the zone is actually called
"3.2.1.f.1.f.1.0.8.b.d.0.1.0.0.2.ip6.arpa". There are also plenty of
web pages that will calculate that for you if you didn't want to use
sipcalc. Or you could use dig:

$ dig +noall +question -x 2001:db8:1f1:f123::
;0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.2.1.f.1.f.1.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR

but that does actually perform a DNS query so could potentially
cache a negative answer for some time.

Or of course you can work it out by hand. It's just the address
reversed, split by each hex digit and prepended to .ip6.arpa. But
you do have to fully expand the address first so I prefer to let a
utility do it.

So anyway, host the zone 3.2.1.f.1.f.1.0.8.b.d.0.1.0.0.2.ip6.arpa
somewhere. On your own VPS or on 123-reg or free on he.net or
whatever DNS hosting you have.

But what about its content? Its content is the same format as any
reverse DNS zone. Here is an example in BIND format:

; ----8<-----------------------------------------------------------------
; Reverse DNS zone for everything under 2001:db8:1f1:f123::
$ORIGIN 3.2.1.f.1.f.1.0.8.b.d.0.1.0.0.2.ip6.arpa.
$TTL 10800      ; 3 hours
; DNS server named in SOA record by convention is the one where the
; changes take place, but when doing a hidden master setup should
; just be any one of the secondary servers.
@ IN SOA a.ns.example.com. hostmaster.example.com. (
                                2018101801   ; serial
                                      1800   ; refresh (30 mins)
                                       900   ; retry (15 mins)
                                   1209600   ; expire (2 weeks)
                                      3600 ) ; minimum (1 hour)


                                NS a.ns.example.com.
                                NS b.ns.example.com.
                                NS c.ns.example.com.


; Example reverse DNS for 2001:db8:1f1:f123::1.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR foo.example.com.
; Example reverse DNS for 2001:db8:1f1:f123::1337.
7.3.3.1.0.0.0.0.0.0.0.0.0.0.0.0 PTR bar.example.com.
; Example reverse DNS for 2001:db8:1f1:f123::dead:beef:cafe.
e.f.a.c.f.e.e.b.d.a.e.d.0.0.0.0 PTR nomnom.example.com.
; ----8<-----------------------------------------------------------------

Again, should you not be able to work out what the label should be
(left side, before the PTR), sipcalc or dig or whatever can tell you:

$ sipcalc -r 2001:db8:1f1:f123::dead:beef:cafe
-[ipv6 : 2001:db8:1f1:f123::dead:beef:cafe] - 0

[IPV6 DNS]
Reverse DNS (ip6.arpa) -
e.f.a.c.f.e.e.b.d.a.e.d.0.0.0.0.3.2.1.f.1.f.1.0.8.b.d.0.1.0.0.2.ip6.arpa.

Your zone should load into your nameserver now, and you can test it
is working by querying your nameserver directly. In our example this
would be:

$ dig -x 2001:db8:1f1:f123::dead:beef:cafe @a.ns.example.com

which should return the answer "nomnom.example.com" but in real life
it won't because 2001:db8:: is the IPv6 documentation prefix and
a.ns.example.com is not a real nameserver.

Once your nameserver is returning correct answers for your reverse
zone, you should get at least one more nameserver to serve it. The
above example has three nameservers. If you don't have any more
nameservers then you can put in a support ticket to get three
BitFolk nameservers to serve it.

By this point you should have at least two nameservers serving your
reverse zone, but it still won't work globally because in reality
all BitFolk customers are inside 2001:ba8:1f1::/48 so BitFolk
controls the reverse zone that starts at
1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa. You have to ask for a delegation
in there that points at your nameservers. You can do that from:

    https://panel.bitfolk.com/dns/#toc-ipv6


In the above example, the /64 should be delegated to:

    NS a.ns.example.com,b.ns.example.com,c.ns.example.com


For someone using their VPS and having BitFolk provide secondary DNS
service it might look more like:

    NS yourvps.example.com,a.authns.bitfolk.co.uk,b.authns.bitfolk.com,c.authns.bitfolk.com


Or for someone using their VPS as a hidden master it might be just:

    NS a.authns.bitfolk.co.uk,b.authns.bitfolk.com,c.authns.bitfolk.com


If using some third party DNS server, it is their DNS servers which
go in there.

In summary:

1. Write the zone content, in the correct zone name, and host that
zone on a DNS server that you run or have access to.

2. Make at least one more server provide secondary service, which
BitFolk can do for you if you ask.

3. Check those servers are working by directly querying them.

4. Put those server names into the DNS delegation part of the panel.
The delegation should take effect within 5 minutes, but if you
have been querying things before they were working then negative
answers may have been cached.

Does that help?

Where did you find the bit about IPv6 reverse DNS you mention above?
It should probably be pointed at
https://tools.bitfolk.com/wiki/IPv6#Reverse_DNS which has more info
but could also do with expanding based on what I just wrote above.

> Do I have any other options apart from using a different DNS provider?
>
> Or moving the domain away from 123-reg?


I don't know what 123-reg offers. Do they let you host arbitrary
zones? I assume they must do because otherwise the same problem
exists for IPv4 reverse DNS.

For example if you have 192.168.123.0/24 and wish to delegate the
reverse zone somewhere, the zone is called 123.168.192.in-addr.arpa,
which is obviously not a domain name you buy from 123-reg.

On the other hand, it's much rarer to have control of a whole zone's
worth of v4 address space so perhaps the feature is absent as
123-reg might conclude that anyone wanting to do reverse DNS for
more than 254 IPv4 addresses will be fielding their own DNS server.
I don't know.

Anyway there is no relation to whoever you bought the domain from or
whoever runs the "forward" DNS. In fact as you could have a different
domain name on the right side of the PTR record for every single
IPv6 address on the left side, that is potentially up to around 2⁶⁴
different domains being mentioned in one reverse zone, each of which
might be served by any DNS servers and registered by any registrars.

I've always held that because with IPv6 you get at least a /64, you
can and should delegate the reverse DNS somewhere, and thus having
BitFolk provide individual editable reverse DNS entries is not
correct. But maybe this is just far too complicated for people and I
should relent?

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
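The nibble-reversal that sipcalc and dig do for Andy above (expand the address fully, reverse each hex digit, append ip6.arpa) is easy to get wrong by hand because of the zero-compression. The following is an added example, not part of the original message or of BitFolk's tooling, that computes the zone name for a prefix, the owner label for an address inside that zone, and the full reverse name, using only Python's standard ipaddress module. It also generalises to the IPv4 in-addr.arpa case mentioned later in the reply (192.168.123.0/24 giving 123.168.192.in-addr.arpa). The hostnames in the sample mapping are constructed for the example.

```python
import ipaddress


def _labels(addr):
    """Return (labels, bits_per_label, arpa_suffix) for a fully expanded address.

    IPv6 reverse names use one label per hex nibble (4 bits, 32 labels);
    IPv4 reverse names use one label per decimal octet (8 bits, 4 labels).
    """
    a = ipaddress.ip_address(str(addr))
    if a.version == 6:
        # exploded gives 2001:0db8:01f1:f123:0000:0000:0000:0000 -> 32 nibbles
        return list(a.exploded.replace(":", "")), 4, "ip6.arpa."
    return a.exploded.split("."), 8, "in-addr.arpa."


def reverse_name(addr):
    """Full reverse name for one address (what `dig -x` queries)."""
    labels, _, suffix = _labels(addr)
    return ".".join(reversed(labels)) + "." + suffix


def zone_name(prefix):
    """Reverse zone covering a prefix, e.g. a /64 -> 16-nibble ip6.arpa zone.

    The prefix length must land on a label boundary (multiple of 4 bits for
    IPv6, 8 bits for IPv4); anything else does not map to a single zone.
    """
    net = ipaddress.ip_network(prefix)  # strict: rejects host bits set
    labels, bits, suffix = _labels(net.network_address)
    if net.prefixlen % bits:
        raise ValueError(f"/{net.prefixlen} is not on a {bits}-bit label boundary")
    n = net.prefixlen // bits
    return ".".join(reversed(labels[:n])) + "." + suffix


def ptr_label(addr, prefix):
    """Owner label (left side of the PTR record) for addr relative to the zone for prefix."""
    net = ipaddress.ip_network(prefix)
    a = ipaddress.ip_address(addr)
    if a not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    labels, bits, _ = _labels(a)
    n = net.prefixlen // bits
    return ".".join(reversed(labels[n:]))


def ptr_records(prefix, mapping):
    """Render a $ORIGIN line plus PTR records in BIND zone-file format.

    mapping: {address: fully qualified hostname with trailing dot}
    """
    lines = [f"$ORIGIN {zone_name(prefix)}"]
    for addr, host in mapping.items():
        lines.append(f"; Reverse DNS for {ipaddress.ip_address(addr).compressed}")
        lines.append(f"{ptr_label(addr, prefix)} PTR {host}")
    return "\n".join(lines)


if __name__ == "__main__":
    prefix = "2001:db8:1f1:f123::/64"
    # Constructed sample mapping; hostnames are placeholders for this example.
    sample = {
        "2001:db8:1f1:f123::1": "foo.example.com.",
        "2001:db8:1f1:f123::1337": "bar.example.com.",
        "2001:db8:1f1:f123::dead:beef:cafe": "nomnom.example.com.",
    }
    print(ptr_records(prefix, sample))
    print(reverse_name("2001:db8:1f1:f123::dead:beef:cafe"))
```

Because the computation is purely local, it avoids the pitfall Andy notes with `dig -x`: nothing is queried, so no negative answer gets cached while the delegation is still being set up. The invariant worth checking on any zone you write is that `ptr_label(addr, prefix) + "." + zone_name(prefix)` equals `reverse_name(addr)`; if it does not, the record is in the wrong zone or the label was reversed incorrectly.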