InstallDNS
**Table of Contents** *generated with DocToc*

- Prep work
  - Identify web server to use
  - Identify IP addresses to use
- Setting up DNS for falling-sky
- Validation
## Prep work

### Identify web server to use

It is possible to deploy this to your main web server. However, you should not do this if your web server is also your DNS server. In particular, we must have a distinct IP address for the "v6 only" DNS server, and this is much more complicated if your environment tries to do everything on a single box.

Strongly consider a dedicated VM instead. This VM can run the "v6 only" DNS server, and it limits the fault domain: if any one piece fails, chances are all the pieces failed anyway (same VM). A dedicated VM also makes it easier to seek outside help if desired, since it won't expose your customer data.

A dedicated VM does not have to be large. A single CPU, a gigabyte of RAM and 20 GB of disk is plenty for most mirrors.
### Identify IP addresses to use

This project requires 1 IPv4 address, as well as 2 IPv6 addresses. This documentation will use the following in examples; search/replace to substitute your local values.

- `192.0.2.1` - Main IPv4 address. Can be shared with other virtual hosts.
- `2001:db8::2` - Main IPv6 address. Can be shared with other virtual hosts.
- `2001:db8::1280` - PMTUD test address. Must not be shared with other virtual hosts.
This can be a dedicated domain; or a sub-domain off of your existing domain. Public mirrors are encouraged to follow the naming formats seen at http://test-ipv6.com/mirrors.html .
Your existing DNS authoritative servers can be used for a part of this setup. These would be the ones serving your existing domain names.
Bind 9 is recommended.
PowerDNS has been tested with mixed results. While it can work, we found the scripted back end will not do a zone cut the way we expect and need it to.
Your IPv6-only DNS server must be different from your main DNS servers.

Your existing DNS servers are fine for the main zones, but you must deploy a new server that is IPv6-only. Importantly, it cannot be the same process or the same set of IP addresses that your existing DNS servers are using.
#### The Simple Way

If you have a dedicated VM for this mirror, then run your new IPv6-only DNS server on the same host.

#### The Also Simple Way

If this is a shared web server, but it does not already run DNS, then you can use this server to configure the new IPv6-only DNS server.

#### The Completely Painful Way

If you have no choice but to run your new IPv6-only server on the same host that already has a DNS server, then you'll have to take several steps.

- Allocate a dedicated IPv6 address for DNS to use.
- Make sure the existing DNS server is configured to listen on all addresses except the new IPv6 address.
- Configure a new DNS server instance:
  - Different root directory
  - Different configuration, different zone files
  - Only listens on the new IPv6 address
  - Starts up and stops independently of the main DNS server
## Setting up DNS for falling-sky

You will need to identify what site name you want this test to run on. The primary site uses `test-ipv6.com`. You might instead use `test-ipv6.example.com` or similar. It will need to be a domain name that you own, or a subdomain that you can control.
DNS for this domain will need to have several records. The IP addresses you indicate will need to match those of the web server you plan on using, both for IPv4 and IPv6.

Also note that you'll need to prepare a special secondary DNS server, unrelated to the DNS servers you already operate (see a bit below).

An example of test-ipv6.com's records is below. You are welcome to copy this example, but please modify it for your own DNS servers' NS records, A records, and AAAA records. If you do not understand this, then please find someone who does; do not just blindly use the example directly as-is.

We have a zone file generator at http://falling-sky.github.io/fsky-dns-form/ . This can generate the zone data for you to copy/paste.

There is now a service online that can help validate your site: http://validator.test-ipv6.com/ . See Validation below for more details.
## Validation

We will use Level 3's open DNS servers (at `4.2.2.1`) to validate IPv4-typical DNS, and we will use Google's DNS servers (at `8.8.8.8`) to validate that the IPv6-only zone is reachable.

First, let's verify your main site is accessible, using Verizon's DNS servers at `4.2.2.1`:
```
07:35 PDT | jfesler@goat:~/ % dig +short @4.2.2.1 test-ipv6.chi.vr.org
209.177.158.226
07:36 PDT | jfesler@goat:~/ % dig +short @4.2.2.1 ds.test-ipv6.chi.vr.org a
209.177.158.226
07:36 PDT | jfesler@goat:~/ % dig +short @4.2.2.1 ds.test-ipv6.chi.vr.org aaaa
2607:f740:e::f76
07:37 PDT | jfesler@goat:~/ % dig +short @4.2.2.1 ipv6.test-ipv6.chi.vr.org aaaa
2607:f740:e::f76
07:37 PDT | jfesler@goat:~/ % dig +short @4.2.2.1 ipv4.test-ipv6.chi.vr.org a
209.177.158.226
```
Next, make sure that Verizon's IPv4-only DNS servers are unable to look up the IPv6-only servers. This must fail for the falling-sky code to correctly give users advice. Make sure you get back `ANSWER: 0` and `status: SERVFAIL`:
```
07:40 PDT | jfesler@goat:~/ % dig @4.2.2.1 ds.v6ns.test-ipv6.chi.vr.org a
; <<>> DiG 9.4.-ESV-R4 <<>> @4.2.2.1 ds.v6ns.test-ipv6.chi.vr.org a
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48480
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ds.v6ns.test-ipv6.chi.vr.org. IN A
```
Now try using Google's DNS server. This must succeed for the falling-sky code to correctly give users advice:
```
07:41 PDT | jfesler@goat:~/ % dig @8.8.8.8 ds.v6ns.test-ipv6.chi.vr.org a
; <<>> DiG 9.9.2-rpz+rl.072.23-P2 <<>> @8.8.8.8 ds.v6ns.test-ipv6.chi.vr.org a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40487
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ds.v6ns.test-ipv6.chi.vr.org. IN A
;; ANSWER SECTION:
ds.v6ns.test-ipv6.chi.vr.org. 134 IN A 209.177.158.226
;; Query time: 25 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May 6 22:00:26 2013
;; MSG SIZE rcvd: 73
07:43 PDT | jfesler@goat:~/ % dig @8.8.8.8 ds.v6ns.test-ipv6.chi.vr.org aaaa
; <<>> DiG 9.9.2-rpz+rl.072.23-P2 <<>> @8.8.8.8 ds.v6ns.test-ipv6.chi.vr.org aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49045
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ds.v6ns.test-ipv6.chi.vr.org. IN AAAA
;; ANSWER SECTION:
ds.v6ns.test-ipv6.chi.vr.org. 360 IN AAAA 2607:f740:e::f76
;; Query time: 106 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May 6 22:01:06 2013
;; MSG SIZE rcvd: 85
```
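The same checks can be scripted so a mirror operator can re-run them after every DNS change. The script below is an added example, not part of the falling-sky project: it runs the queries from this section through `dig`, parses the `status:` and `ANSWER:` fields, and fails only when the v6ns names resolve from the IPv4-only resolver or do not resolve from the dual-stack one. `SITE` is a placeholder; the resolver addresses default to the ones used above.

```shell
#!/bin/sh
# Added example (not falling-sky project code): automates the Validation dig checks.
# SITE is a placeholder; override SITE, V4_ONLY_RESOLVER or DUAL_RESOLVER via the environment.
SITE="${SITE:-test-ipv6.example.com}"
V4_ONLY_RESOLVER="${V4_ONLY_RESOLVER:-4.2.2.1}"  # must NOT be able to reach the v6ns zone
DUAL_RESOLVER="${DUAL_RESOLVER:-8.8.8.8}"        # must be able to reach it

# dig_status OUTPUT: rcode from the dig header line (NOERROR, SERVFAIL, NXDOMAIN, ...)
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}
# dig_answers OUTPUT: the ANSWER count from the dig flags line
dig_answers() {
    printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}
# v6ns names queried through an IPv4-only resolver must give SERVFAIL with zero answers
expect_servfail() {
    [ "$(dig_status "$1")" = "SERVFAIL" ] && [ "$(dig_answers "$1")" = "0" ]
}
# every other query must give NOERROR with at least one answer record
expect_answer() {
    n=$(dig_answers "$1")
    [ "$(dig_status "$1")" = "NOERROR" ] && [ -n "$n" ] && [ "$n" -ge 1 ]
}
# check EXPECT_FN RESOLVER NAME TYPE: run one dig query and report PASS/FAIL
check() {
    out=$(dig @"$2" "$3" "$4" 2>&1)
    if "$1" "$out"; then echo "PASS  @$2 $3 $4"; else echo "FAIL  @$2 $3 $4"; FAILED=1; fi
}
run_checks() {
    FAILED=0
    # the main site and its ds/ipv4/ipv6 names must resolve from the IPv4-only resolver
    for q in "$SITE a" "ds.$SITE a" "ds.$SITE aaaa" "ipv6.$SITE aaaa" "ipv4.$SITE a"; do
        check expect_answer "$V4_ONLY_RESOLVER" $q   # word-split into NAME and TYPE
    done
    # the v6ns names must fail from the IPv4-only resolver and succeed from the dual-stack one
    check expect_servfail "$V4_ONLY_RESOLVER" "ds.v6ns.$SITE" a
    check expect_answer   "$DUAL_RESOLVER"     "ds.v6ns.$SITE" a
    check expect_answer   "$DUAL_RESOLVER"     "ds.v6ns.$SITE" aaaa
    return "$FAILED"
}
# Only touch the network when invoked directly with a site name argument.
if [ "$#" -gt 0 ]; then SITE="$1"; run_checks; fi
```

Run it as `sh validate-dns.sh test-ipv6.example.com`; a non-zero exit status means at least one of the expectations above was not met.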