Automated Delegation of IP6.ARPA reverse zones with Prefix Delegation
Internet Systems Consortium, 950 Charter Street, Redwood City, CA 94063, US
marka@isc.org
This document describes a method to automate the delegation of
IP6.ARPA reverse zones when performing Prefix Delegations.
This document describes a method to automate the delegation of IP6.ARPA
reverse zones when performing Prefix Delegations. This allows home users
and small businesses to have IP6.ARPA zones without manual intervention
on the part of the ISP.
The CPE generates an RSA key pair and stores it in non-volatile memory.
The CPE generates a DHCPv6 Prefix Delegation request which includes a
KEY-RDATA option (code point TBA) containing the rdata of a DNS KEY
record: an RSASHA256 key built from the public components of the
previously generated RSA key pair.
The DHCP server updates the DNS server, based on the prefix it is
delegating and the KEY-RDATA, using TSIG for authentication, and
responds with the prefix. If this is a new prefix delegation it clears
out all the old DNS records as part of the delegation process. If
multiple prefixes are being delegated, the ISP's DNS server is updated
for all of them.
The CPE device configures its built-in nameserver to serve the reverse
of the delegated prefixes. Alternatively it may configure other
nameservers to serve these zones; the method for doing so is out of
scope for this document.
The CPE device generates a DNS UPDATE which delegates the reverse name
space to itself and to any other nameservers that have been configured.
The CPE uses SIG(0) to sign the request, with the owner name matching
the reverse of the delegated prefix.
The ISP's DNS server is configured to accept self-signed requests
(requests where the owner name used in the SIG(0) signature matches the
owner name of the data to be updated). It examines the request, looks at
the KEY record added by the DHCPv6 server, and decides whether the
request is valid.
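The flow above, as an added Python model that is not part of this document: deriving the IP6.ARPA zone from a delegated prefix (refusing prefixes not on a nibble boundary), the KEY rdata the DHCPv6 server installs at that name, and the ISP server's self-signed policy that the SIG(0) owner name must equal the name being updated and hold the registered KEY. The function names, the sample prefix and the placeholder key bytes are assumptions; the TSIG and SIG(0) signing itself is not performed here.

```python
import base64
import ipaddress

# Constructed sample: a /56 the ISP delegates and a placeholder standing in
# for the CPE's RSA public key bytes (not a real key).
PREFIX = "2001:db8:1234:5600::/56"
CPE_PUBKEY = b"constructed-rsa-public-key-bytes"

def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone covering a delegated prefix. ip6.arpa is cut on nibble
    (4-bit) boundaries, so a length that is not a multiple of 4 is refused
    rather than silently widened to a zone that covers other customers."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: length is not on a nibble boundary")
    hexdigits = net.network_address.exploded.replace(":", "")
    return ".".join(reversed(hexdigits[: net.prefixlen // 4])) + ".ip6.arpa."

def key_rdata(pubkey: bytes) -> str:
    """KEY rdata as the KEY-RDATA option carries it: flags 0, protocol 3,
    algorithm 8 (RSASHA256), base64 public key."""
    return "0 3 8 " + base64.b64encode(pubkey).decode()

def dhcp_server_registers(zone_db: dict, prefix: str, rdata: str) -> str:
    """ISP DHCPv6 server: on delegation, replace whatever sat under the reverse
    name with the requester's KEY (the TSIG update is modelled as a dict write)."""
    name = reverse_zone(prefix)
    zone_db[name] = {"KEY": {rdata}, "NS": set()}
    return name

def authorize_update(zone_db: dict, signer: str, signer_rdata: str,
                     updates: list) -> bool:
    """ISP DNS server policy for self-signed SIG(0) updates: the signer name
    must hold the KEY the DHCPv6 server installed and must equal the owner
    name of every record in the update. Checking the SIG(0) signature bytes
    against that KEY is assumed to have already succeeded."""
    if signer not in zone_db or signer_rdata not in zone_db[signer]["KEY"]:
        return False
    return all(owner == signer for owner, _rtype, _rdata in updates)

def cpe_delegates(zone_db: dict, prefix: str, pubkey: bytes, ns: str) -> bool:
    """CPE: UPDATE adding an NS record that delegates the reverse zone to the
    given nameserver, signed (by owner name) with the CPE's own key."""
    name = reverse_zone(prefix)
    updates = [(name, "NS", ns)]
    if not authorize_update(zone_db, name, key_rdata(pubkey), updates):
        return False
    zone_db[name]["NS"].update(r for _own, rtype, r in updates if rtype == "NS")
    return True
```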
Allocate a DHCPv6 code point for KEY-RDATA.
The UPDATE requests are all signed. This is a proven method
for securing UPDATE requests in the DNS.
As an RSA key is being used, there is no issue with the key material
being in the clear.
Only the CPE device and the ISP itself are capable of creating,
updating or destroying the delegation.