InstallDNS

Jason Fesler edited this page Mar 5, 2016 · 13 revisions


Prep work

Identify web server to use

It is possible to deploy this to your main web server. However, you should not do this if your web server is also your DNS server. In particular we must have a distinct IP address for the "v6 only" DNS server; and this is much more complicated if your environment tries to do everything on a single box.

Strongly consider a dedicated VM instead. This VM can run the "v6 only" DNS server, and it limits the fault domain: if any one piece fails, chances are all the pieces failed anyway (same VM). A dedicated VM also makes it easier to seek outside help if desired, since it won't expose your customer data.

A dedicated VM does not have to be large. Single CPU, gig of ram, 20 gigs of space is plenty for most mirrors.

Identify IP addresses to use

This project requires 1 IPv4 address, as well as 2 IPv6 addresses. This documentation will use these for examples; search/replace to substitute your local values.

  • 192.0.2.1 - Main IPv4 address. Can be shared with other virtual hosts
  • 2001:db8::2 - Main IPv6 address. Can be shared with other virtual hosts
  • 2001:db8::1280 - PMTUD test address. Must not be shared with other virtual hosts

Identify a domain name to use

This can be a dedicated domain, or a subdomain of your existing domain. Public mirrors are encouraged to follow the naming formats seen at http://test-ipv6.com/mirrors.html.

Identify your DNS servers

Your existing DNS authoritative servers can be used for a part of this setup. These would be the ones serving your existing domain names.

Identify the DNS serving software

BIND 9 is recommended.

PowerDNS has been tested with mixed results. While it can work, we found the scripted back end will not do a zone cut the way we expect and need it to.

Identify where you will run the new DNS server

Your IPv6-only DNS server must be different from your main DNS servers.

Your existing DNS servers are fine for the main zones, but you must deploy a new server that is IPv6-only. Importantly, it cannot be the same process or the same set of IP addresses that your existing DNS servers are using.

The Simple Way

If you have a dedicated VM for this mirror, then run your new IPv6-only DNS server on the same host.

The Also Simple Way

If this is a shared web server, but does not already run DNS, then you can use this server to configure the new IPv6-only DNS server.

The Completely Painful Way

If you have no choice but to run your new IPv6-only server on the same host that already has a DNS server, then you'll have to take several steps.

  • Allocate a dedicated IPv6 address for DNS to use.
  • Make sure the existing DNS server is configured to listen to all addresses except the new IPv6 address.
  • Configure a new DNS server instance
    • Different root directory
    • Different configurations, different zone files
    • Only listens to the new IPv6 address
    • Starts up and stops distinct from the main DNS server
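The following shell functions, added here and not part of the falling-sky wiki, print the BIND 9 configuration the painful case needs: a listen-on-v6 fragment for the existing server that excludes the new address, and a complete named.conf for the new IPv6-only instance with its own directory and pid file. The address 2001:db8::53, the paths and the zone name are assumptions.

```shell
#!/bin/sh
# Added example, not from the falling-sky wiki: print BIND 9 configuration
# for a second, IPv6-only named instance. The address 2001:db8::53, the
# paths and the zone name are assumptions; the functions only print text.

# Fragment for the EXISTING server: keep listening everywhere except the
# new address. In a BIND address match list the negation must precede "any".
main_server_listen() {            # $1 = dedicated IPv6 address
    printf 'listen-on-v6 { !%s; any; };\n' "$1"
}

# Complete named.conf for the NEW instance: own directory, own pid file,
# no IPv4 listener at all, only the dedicated IPv6 address, no recursion.
v6only_named_conf() {             # $1 = address, $2 = root dir, $3 = zone
    cat <<EOF
options {
    directory "$2/zones";
    pid-file "$2/named.pid";
    listen-on { none; };
    listen-on-v6 { $1; };
    recursion no;
};
zone "$3" {
    type master;
    file "$3.zone";
};
EOF
}

# Example invocation. Start the new instance from its own config file so it
# starts and stops independently of the main server, for example:
#   named -c /var/named-v6only/named.conf
main_server_listen 2001:db8::53
v6only_named_conf 2001:db8::53 /var/named-v6only v6ns.test-ipv6.example.com
```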

Setting up DNS for falling-sky

You will need to identify what site name you want this test to run on. The primary site uses test-ipv6.com. You might instead use test-ipv6.example.com or similar. It will need to be a domain name that you own, or a subdomain that you control.

DNS for this domain will need to have several records. The IP addresses you indicate will need to match that of the web server you plan on using, both for IPv4 and IPv6.

Also note that you'll need to prepare a special secondary DNS server, unrelated to the DNS servers you already operate (see below).

An example of test-ipv6.com's records is below. You are welcome to copy this example, but please modify it for your own DNS servers' NS records, A records, and AAAA records. If you do not understand this, then please find someone who does; do not just blindly use the example as-is.

Zone File Generator

We have a zone file generator at http://falling-sky.github.io/fsky-dns/. This can generate the zone data for you to copy/paste.

Validation

Online Validator

There is now a service online that can help validate your site: http://validator.test-ipv6.com/. See [Validation] for more details.

We will use Level 3's open DNS servers (at 4.2.2.1) to validate IPv4-typical DNS; and we will use Google's DNS servers (at 8.8.8.8) to validate that the IPv6-only zone is reachable.

Manual Validation for DNS

First, let's verify your main site is accessible, using Verizon's DNS servers at 4.2.2.1:

07:35 PDT | jfesler@goat:~/ % dig +short @4.2.2.1 test-ipv6.chi.vr.org
209.177.158.226
07:36 PDT | jfesler@goat:~/ % dig +short @4.2.2.1 ds.test-ipv6.chi.vr.org a
209.177.158.226
07:36 PDT | jfesler@goat:~/ % dig +short @4.2.2.1 ds.test-ipv6.chi.vr.org aaaa
2607:f740:e::f76
07:37 PDT | jfesler@goat:~/ % dig +short @4.2.2.1 ipv6.test-ipv6.chi.vr.org aaaa 
2607:f740:e::f76
07:37 PDT | jfesler@goat:~/ % dig +short @4.2.2.1 ipv4.test-ipv6.chi.vr.org a   
209.177.158.226

Next, make sure that Verizon's IPv4-only DNS servers are unable to look up the IPv6-only servers. This must fail for the falling-sky code to correctly give users advice. Make sure you get back ANSWER: 0 and status: SERVFAIL.

07:40 PDT | jfesler@goat:~/ % dig @4.2.2.1 ds.v6ns.test-ipv6.chi.vr.org a

; <<>> DiG 9.4.-ESV-R4 <<>> @4.2.2.1 ds.v6ns.test-ipv6.chi.vr.org a
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48480
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ds.v6ns.test-ipv6.chi.vr.org.  IN      A


Now try using Google's DNS server. This must succeed for the falling-sky code to correctly give users advice.

07:41 PDT | jfesler@goat:~/ % dig @8.8.8.8  ds.v6ns.test-ipv6.chi.vr.org a


; <<>> DiG 9.9.2-rpz+rl.072.23-P2 <<>> @8.8.8.8 ds.v6ns.test-ipv6.chi.vr.org a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40487
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ds.v6ns.test-ipv6.chi.vr.org.  IN      A

;; ANSWER SECTION:
ds.v6ns.test-ipv6.chi.vr.org. 134 IN    A       209.177.158.226

;; Query time: 25 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May  6 22:00:26 2013
;; MSG SIZE  rcvd: 73

07:43 PDT | jfesler@goat:~/ % dig @8.8.8.8 ds.v6ns.test-ipv6.chi.vr.org aaaa 

; <<>> DiG 9.9.2-rpz+rl.072.23-P2 <<>> @8.8.8.8 ds.v6ns.test-ipv6.chi.vr.org aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49045
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ds.v6ns.test-ipv6.chi.vr.org.  IN      AAAA

;; ANSWER SECTION:
ds.v6ns.test-ipv6.chi.vr.org. 360 IN    AAAA    2607:f740:e::f76

;; Query time: 106 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May  6 22:01:06 2013
;; MSG SIZE  rcvd: 85
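The two checks above (the IPv4-only resolver must return SERVFAIL with ANSWER: 0, the dual-stack resolver must return NOERROR with an answer) can be scripted. The helper below is an added example, not part of the falling-sky project: it parses dig output, checks both conditions against constructed sample output in the format shown above, and, when RUN_LIVE=1 and V6NS_NAME are set (both assumed names), runs the real queries against 4.2.2.1 and 8.8.8.8.

```shell
#!/bin/sh
# Added example, not from the falling-sky wiki: validate the IPv6-only "v6ns"
# delegation from parsed dig output. RUN_LIVE and V6NS_NAME are assumed names.

# Print the status word (NOERROR, SERVFAIL, ...) from dig output on stdin.
dig_status() { sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1; }

# Print the ANSWER count from the ";; flags:" line of dig output on stdin.
dig_answer_count() { sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1; }

# Expected from the IPv4-only resolver: SERVFAIL and no answer records.
check_v6ns_unreachable() {        # $1 = full dig output
    st=$(printf '%s\n' "$1" | dig_status)
    n=$(printf '%s\n' "$1" | dig_answer_count)
    if [ "$st" = "SERVFAIL" ] && [ "${n:-0}" -eq 0 ]; then return 0; fi
    return 1
}

# Expected from the dual-stack resolver: NOERROR with at least one answer.
check_v6ns_reachable() {          # $1 = full dig output
    st=$(printf '%s\n' "$1" | dig_status)
    n=$(printf '%s\n' "$1" | dig_answer_count)
    if [ "$st" = "NOERROR" ] && [ "${n:-0}" -ge 1 ]; then return 0; fi
    return 1
}

# Constructed sample outputs, trimmed to the two lines the checks depend on.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48480
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40487
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Live run: RUN_LIVE=1 V6NS_NAME=ds.v6ns.test-ipv6.example.com sh validate.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    name=${V6NS_NAME:?set V6NS_NAME to your ds.v6ns.<site> record}
    check_v6ns_unreachable "$(dig @4.2.2.1 "$name" a)" \
        && echo "OK: 4.2.2.1 cannot resolve $name (SERVFAIL, ANSWER: 0)" \
        || echo "FAIL: 4.2.2.1 resolved $name; the v6ns zone is reachable over IPv4"
    check_v6ns_reachable "$(dig @8.8.8.8 "$name" a)" \
        && echo "OK: 8.8.8.8 resolves $name" \
        || echo "FAIL: 8.8.8.8 cannot resolve $name; check the v6ns delegation"
fi
```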