
Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 17:23 UTC (Thu) by bronson (guest, #4806)
In reply to: Fedora mulls providing a local DNSSEC resolver by justincormack
Parent article: Fedora mulls providing a local DNSSEC resolver

Seems like ipv6 has the same problem as ipv4: what address should be selected as the magic host address?

There are plenty of potential addresses to choose from, but none appear very well suited. ipv6 just has vastly more unsuitable addresses.

Or is there something more to it that I'm missing?


Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 20:20 UTC (Thu) by Comet (guest, #11646) [Link] (5 responses)

With IPv6, anyone with a /48 allocation can feel free to say "hey, this /64 here? we're reserving it for this purpose, we guarantee to never allocate IPs for it on the wire, feel free to use it in this way".

The difference is entirely in approach and economics when a scarce resource becomes plentiful.

So if I'm handling IP allocation at RedHat and we've been allocated 2001:db8:42::/48 then I could say "2001:db8:42:d0ce::/64 is henceforth reserved for container/host links providing services from the host to containers; we won't use it, feel free to incorporate it into products".

Fedora mulls providing a local DNSSEC resolver

Posted May 23, 2014 11:12 UTC (Fri) by justincormack (subscriber, #70439) [Link] (4 responses)

That is not a good idea as people will expect to route stuff under 2000::/3. However there is a non-externally-routed ULA space for these kind of applications http://tools.ietf.org/search/rfc4193 https://en.wikipedia.org/wiki/Unique_local_address - anyone can register a /48.

Fedora mulls providing a local DNSSEC resolver

Posted May 23, 2014 19:58 UTC (Fri) by Comet (guest, #11646) [Link] (3 responses)

ULA doesn't get registered, but there's a voluntary system set up by folks adding more bureaucracy in the hope that doing so will protect against people not following the randomness rules.

A key point is that all ULA is a local issue. Nobody _can_ tell you "hey, this ULA block over here should be used for purpose X" -- the uniqueness designs add some nice features, but nobody can dictate how one block should be used. By contrast, if address-space has been _assigned_ to you, then you can.

The routing is a non-issue: that's about a default handling, the whole point of reserving a block is that consenting systems can choose to handle it in a non-default way (but it doesn't impact anyone else). It even works with VMs, as the client VM routes outwards for 2000::/3 and the VM host environment routes one reserved block of that to itself (or another VM for isolation), where there's a local DNSSEC resolver. So the traffic gets to the designated handler.

Worst case scenario, some config leaks to a system which is not set up with a local handler; sites can either treat the block as anycast and point it at something local, or let it out onto the Internet. It's then up to RH as to whether they provide a free DNSSEC resolver, provide nothing at all, or publish a blackhole route for that block via BGP.

Fedora mulls providing a local DNSSEC resolver

Posted May 24, 2014 7:32 UTC (Sat) by mbunkus (subscriber, #87248) [Link] (2 responses)

> ULA doesn't get registered, but there's a voluntary system set up by folks adding more bureaucracy in the hope that doing so will protect against people not following the randomness rules.

That's piqued my curiosity (the folks volunteering, not that they don't get registered in the first place). Could you please provide some more information or give a link to some? Thanks.

Fedora mulls providing a local DNSSEC resolver

Posted May 24, 2014 8:07 UTC (Sat) by Comet (guest, #11646) [Link] (1 responses)

https://www.sixxs.net/tools/grh/ula/
This page allows you to generate and then 'register' your IPv6 ULA (Unique Local Address) RFC4193 prefix. Note that this does not concern ULA-Central, though this system could easily handle that too. When you have registered your ULA prefix here, it allows others to check up if they accidentally generated the same prefix, before using it. This should absolutely minimize the number of collisions for ULA space. We hope that everybody using ULA prefixes register their prefixes here, to avoid these collisions.

Fedora mulls providing a local DNSSEC resolver

Posted May 25, 2014 10:50 UTC (Sun) by tialaramex (subscriber, #21167) [Link]

Right

In the same way that two corporations will try to merge and find that they had both chosen to stick loads of devices into 10.1/16 and none in 10.183/16 because humans are simultaneously stupid AND lazy, with ULA inevitably some idiots will pick values that were easy to remember or convenient for some other reason and then be "surprised" that others did the same.

If you actually use random numbers (hexadecimal dice are pretty cheap, buy a few for your network administrators) then there's no more problem with ULA collisions than with people accidentally flying a 747 into your data centres. You would need about a million randomly generated ULA organisational prefixes to be sharing a "private" network before the statistics are in favour of just one collision (because of the birthday paradox). Somewhere in the first few thousand such prefixes it's time to say "Hey, I don't think this is a private network after all" and get real IPv6 prefixes from your RIR.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds