Cert continuation

Started by UltraZero, June 12, 2011, 06:50:17 PM


UltraZero

WOW...

HOLY CRAP BATMAN......

Sorry for shouting.  I hope I didn't hurt your ear drums.
I already have created 17 config files and that is just the IPv4 side.
I knew some day having way too many segments would bite me in the butt.

Tell me there is a better way to consolidate reverse zone files, and is there a way to consolidate IPv4 and IPv6 in Bind9???

This would be nice.  Maybe in the long run, it's easier to read when each segment is broken down per file..

johnpoz

You clearly do not need to set up all your segments to pass the IPv6 cert tests.  I'm at a loss as to what you're trying to accomplish.  You only need to set up DNS for 1 domain and your IPv6 segment if you want to pass your cert tests.

This would be your conf file, and 2 zone files.

Are you moving your whole networks dns to bind to pass some cert tests here on HE?

BTW -- I did not have to do anything on my local dns to get through the tests.  I just created a subdomain on my webhosts dns (which does dns for my public domains) and pointed the NS records to HE dns.  This is all that is required, you can then create your AAAA records and PTRs on their servers.

You actually have no need to actually run your own on your own network.

UltraZero

Well, I guess since this is a test (practice) I understand what you are saying, but, I kinda feel in the real world, the He.net type setup might not be there and knowing both sides makes me a more rounded person.  Even if I don't actually finish it this way, at least I have some knowledge of dealing with it. 

As to what I need to set up??  My network is a practice lab.  So, screwing it up is always an option (except when my wife wants to use her computer and I have totally isolated her to a local segment)
(LOL)   ;D ;D or when a heavy gaming session is going on..  LOL

Most people have 1 segment, which is why I think most people are able to finish the test rapidly.  No subnets to worry about, no additional routes, fewer ACLs to worry about and no routing protocols.   I have all that in place as well.

Re what I am doing.  I am only setting up a few segments.

Something the average bear will never experience is I actually caught a person with an IP address (from China) trying to hack into my router.  Bonehead was actually trying to run a dictionary brute force attack on my router.  My passwords are longer than normal.  He's not going to get in anytime soon.  This happened when I was changing the configs on the router so I didn't have an ACL up at the time.  Most people at home won't get to experience that.  Not to mention, I had another person try to crash my webserver from Russia. I blocked the whole IP range.  (based on the IP addresses)

Anyway...  back to the task at hand.

Is there a way to consolidate the reverse address zone files, to consolidate the segments' IPv4 and IPv6?

Thanks

UltraZero

O.K.  After thinking about this.

Let's ask this question.

Need I create a full DNS, meaning, and I think this is what you were saying:

Instead of me creating IPv4 and IPv6 configs, maybe I should just create an IPv6-only one.

Is that what you were basically saying about trying to chop a tree down with the blunt side of the axe??  Why keep beating at it when a chain saw or dynamite is available??

LOL... ;D ;D

kamratanders

You don't need to separate them. Just make sure your zonefile has an AAAA record for IPv6.

In bind:
$ORIGIN example.com.
test           IN A IPv4-Address here
               IN AAAA  IPv6-Address here

johnpoz

Ok I am even more confused now, you have 17 segments on your home/lab network?  WTF???

And hey, if you want to get into bind for your local DNS, more power to you; I run it as a secondary server on my local network as well.. But I have been using the unbound package on pfsense for a while because it pretty much rocks, if he would just finish the IPv6 portion of it so I don't have to edit the unbound.inc file ;)

Are you going to be using your /48 to route multiple /64's on your network?  If so great - more power to you, I just don't see the need to play with that, i.e. I think 1 /64 has enough addresses to do me ;)  Could prob give every atom of paint in my computer room its own IP with a /64 ;) hehehe

As to your hacking experiences?  Again not getting it, sorry; my SSH gets attempted brute-forced multiple times a day..  It's noise you see on the net..  That's why you set up public key auth only, and set up fail2ban.  And yeah, all kinds of worms will hit any webserver, again just noise!

As to consolidation..  Um, not sure I am understanding your question; if you have a 192.168.1.0/24 it would need its own zone file.   If you have 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 etc.. you could put them all in a zone file for 192.168.0.0/16 if you wanted.  But you're not going to be able to combine IPv4 and IPv6 zones, no.

UltraZero

17 segments??  Well... There are a few..

After thinking about it, I am only going to setup 2 or 3.  Just wanted to work with more than 1.  I figure if I want to do them all, I can perform that later.

Multiple /64s.  Yes.  I actually wish the distribution of IPv6 numbers were a lot fewer numbers for nodes.  I feel with the amount of wasted numbers that are being given out, we will at some point see the same problem as with IPv4, and that is we will run out of numbers.  Yes.  I know the 340 undecillion is a crazy large number, but, with millions of IP addresses given out at a shot to some person like me who wants to play, it's crazy.  A million here, a billion there.  It all adds up.   Anyway.. (theory of mine)

I don't claim any glory for being hacked.  I also know companies get hacked all the time. I just don't think the average home user has it happen to them because the average user has 1 segment, a couple of PCs, and each workstation has firewall software and a hardware firewall.  Most ISPs don't allow ftp/http/smtp to occur.   I was an admin many years ago and I never saw this.  I was pretty much a server guy with Novell, Windows NT 3.5 and Windows 4.0.  No hackers tried to get into our network as per the NOC I talked to on a daily basis.   Funny though, I had more processing power back then, more back capacity, and a faster network than the 2 billion dollar company I worked for.  Go figure.  I used to run a Bulletin Board with a bunch of workstations.  That's how I got into it.  I used to own a 100 user license of Novell to support my Bulletin Board.  (OK> ) Don't get me started...

LOL..

Consolidation.   I was referring to consolidating zone information in a .db file.  Can I consolidate segments (example) 10.10.0.0 with 10.10.40.0 with 10.10.100.0 in one zone file and not have to break the segments out per zone file?  I have only seen sample files and read the Bind9 docs, which reference 1 segment.  (I don't like docs that don't give examples of real world situations, always a single-sided example and not a company's example)

As for the IPv6 zone information, is it not possible to insert an A record for a nameserver and underneath that line insert an AAAA record for the same system without having to create a separate AAAA zone record?

If not, I take it that also means I need a separate reverse zone file to boot..

Thanks

UltraZero

Did I see 2 posts..

One person said I can combine them and one person said I can't???

thanks


Johnpoz - If  you think I am crazy, go onto Youtube and type in home data center..

It's amazing what some folks have in their homes.  

I don't have anything near what some folks have.   I've talked to a person who has 30 servers in his home.  He had to install a new service panel to bring in more cooling capacity.   I've known people who used to have T1s in their house.

You would be amazed   :o at what people have in their homes in the San Jose hills.  I used to work at a computer store in San Jose and I've had customers like Compaq executives and corporate executives who lived in the San Jose hills.  They don't play when it comes to having a connection to the net.  Our little DSL or cable modems can't compare to a person sitting on a T3 at home.   I wish I could afford it.  I'd certainly have one.  Heck, I'd have an OC192 if I could pay for it.  ::)  (1/2 a million dollars per month to have..  Could I use it??)

Hmm.  I'd have one heck of a website and one heck of a game server farm..  I think I'd have to create a mini co-location in my house to help pay for it.   LOL...  If I had it, HE could hook me up..

;D ;D  LOL...

pcreager

I'm not clear what you're talking about, but the term "network segment" just means a section of a LAN.  What does that have to do with DNS?  It sounds like your concern is the reverse zones; you mentioned you're using 10.x RFC 1918 space.  Reverse DNS for IPv4 goes by classful addressing.  The 10.x RFC 1918 space is a class A (10.0.0.0/8). 

If that's not enough of a clue, since the address space you are using is class A, the answer is: Yes you can do all of the 10.x network using just one single reverse zone.

johnpoz

^ exactly..

As to your IPv6 reverse working, does HE allow you to point to your own dns for the /64 they give you?  Or do you have to use theirs - when I did the test I just used their dns.

"As for the IPv6 zone information, is it not possible to insert an A record for a nameserver and underneath that line insert an AAAA record for the same system without having to create a separate AAAA zone record?"

What IPv6 zone??  The only time there would be an IPv6 zone is for a reverse zone.  Forward zones would be based on the name, and have NOTHING to do with IPv6, other than maybe your AAAA record if you want to look at it that way.

Yes, if you want an A record and an AAAA record you would need to create both records in the zone file for your domain.

UltraZero

Re segments, sorry, maybe the term subnet is a better word.  Also, I used IPv4 because I wanted to see if those who worked with IPv4 DNS could answer whether the two, IPv4 and IPv6, could coexist in the same config files (zone files and config files).  Looks like in a generic installation of Bind9 under Ubuntu 11.04, there is an entry for IPv6 in the named.config.local file for reverse lookup.  IPv4 is also in the same location.  That is why I was asking..

From what I was told when I emailed HE.net, the task was to create one's own DNS server and not use theirs.  Theirs is there to use, but they would prefer you use your own, which is what I am trying to do.

I figured if I had to set this up with a company that didn't have HE.net, I would have more of a hands on experience seeing I have not setup DNS since the early 90s.  You know, back when there were 2 internets?  (most people don't know that)  Funny enough, I have the DNS and  BIND book which is revision 1 which doesn't discuss IPv6. 

pcreager

For reverse DNS, no you cannot combine IPv4 and IPv6.  The address formats are completely different, which you learn by going through this program.  An IPv4 reverse zone is separate from an IPv6 reverse zone.

For forward DNS, yes you can combine IPv4 and IPv6.  One forward zone can have both A and AAAA records, no problem.  Hope that helps.

pcreager

Here's an example from my own domain.  I have one zone file for my forward zone (pcv6.net), and it contains the following records:

pcv6.net.      IN   A         75.51.146.71
pcv6.net.      IN   AAAA   2001:470:1F04:1AF2::2

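Putting the two answers above together (pcreager's forward zone with A and AAAA side by side, and the point that a classful 10.in-addr.arpa reverse zone can hold every 10.x subnet), here is an added example, not pcreager's or johnpoz's own config, of a BIND 9 layout that serves hosts on three IPv4 subnets and two IPv6 /64s with three zone files instead of one per subnet. All names, addresses and file paths are constructed (example.net, 10.10.x.0/24, the documentation prefix 2001:db8:1::/48, paths under /etc/bind); the IPv6 reverse zone is cut at the /48 so it covers every /64 in it, which generalises johnpoz's 192.168.0.0/16 example to IPv6.

```text
// /etc/bind/named.conf.local (assumed paths): three zones, not one per subnet
zone "example.net"     { type master; file "/etc/bind/db.example.net"; };
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.10"; };
zone "1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/bind/db.2001-db8-1"; };

; /etc/bind/db.example.net -- forward zone: A and AAAA side by side, hosts from several subnets
$TTL 86400
$ORIGIN example.net.
@     IN SOA  ns1.example.net. hostmaster.example.net. ( 2011061201 3600 900 604800 86400 )
      IN NS   ns1.example.net.
ns1   IN A    10.10.0.2          ; on 10.10.0.0/24
      IN AAAA 2001:db8:1:2::2    ; on 2001:db8:1:2::/64
www   IN A    10.10.40.10        ; on 10.10.40.0/24
      IN AAAA 2001:db8:1:2::10
mail  IN A    10.10.100.25       ; on 10.10.100.0/24
      IN AAAA 2001:db8:1:3::25   ; on 2001:db8:1:3::/64

; /etc/bind/db.10 -- one IPv4 reverse zone for all of 10.0.0.0/8 (octets reversed, first octet is the origin)
$TTL 86400
$ORIGIN 10.in-addr.arpa.
@          IN SOA ns1.example.net. hostmaster.example.net. ( 2011061201 3600 900 604800 86400 )
           IN NS  ns1.example.net.
2.0.10     IN PTR ns1.example.net.    ; 10.10.0.2
10.40.10   IN PTR www.example.net.    ; 10.10.40.10
25.100.10  IN PTR mail.example.net.   ; 10.10.100.25

; /etc/bind/db.2001-db8-1 -- one IPv6 reverse zone for the whole /48; the 20 host nibbles are reversed
$TTL 86400
$ORIGIN 1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
@  IN SOA ns1.example.net. hostmaster.example.net. ( 2011061201 3600 900 604800 86400 )
   IN NS  ns1.example.net.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0 IN PTR ns1.example.net.   ; 2001:db8:1:2::2
0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0 IN PTR www.example.net.   ; 2001:db8:1:2::10
5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0 IN PTR mail.example.net.  ; 2001:db8:1:3::25
```

Before reloading, validate each file with `named-checkzone example.net /etc/bind/db.example.net` (and likewise for the two reverse zones), which catches a mistyped nibble string or a missing trailing dot that would otherwise silently break the PTR lookups the cert tests check.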

johnpoz

yeah I just looked on my tunnel, and yup you can delegate rDNS for your tunnel network.  But to be honest does not matter which dns answers it.. Even if you use HE dns, you still have to go in and create the zone, and the records.

The tests are not meant to test your dns setup skills, the test is to verify that you understand the principles and know how to accomplish what it is required.

If you're doing IPv6 with some other company, then they would have to delegate the reverse zones to you, or enter in the records you need; normally the end user does not have control of the reverse zone.  This is normally handled by the ISP.  HE giving you the ability to delegate to your own DNS is great, and also allowing you to use their DNS is also great!!

But the test is more in testing your ability to understand the principles and make it happen; it does not matter if you serve it up on your own DNS, or some other service.. You could just as easily delegate the zone to dnsmadeeasy.  I run a reverse zone for a public /16 using them, I get 10 million requests a month for $60 a year -- there is no way I could run my own servers for anywhere close to that cost ;)

It's great you have set up DNS back in the 90s, it hasn't changed much ;)  An A record is still an A record, a PTR record is still a PTR record.. Sure AAAA are new, but that's about it ;)

UltraZero

Exactly what I thought you could do. 

Now..

Can this be done..

pcv6.net.      IN   A         75.51.146.71/24
pcv12.net.     IN   A         75.71.100.100/24               ;numbers are just made up
pcv6.net.      IN   AAAA   2001:470:1F04:1AF2::2
pcv12.net.     IN   AAAA   2001:470:1f04:1AC2::64      ;numbers are just made up

The question is that the two different IPv4 and IPv6 numbers are on different segments (subnets) and I was wondering if having different subnets affects the outcome of what is placed in a zone file, or do you need to break the zone files down by subnets.

Example:  a company has 200 different networks.  Would there need to be 200 different zone files, or can all info be placed in 1 file for ease of management?  (IPv4 and IPv6)

Thanks