ipv6 dynamic reverse mapping - internodeusers.on.net/~rmibus/pymds/ipv6-auto-rdns.pdfdownload:...

Download: http://users.on.net/~rmibus/pymds/

IPv6 Dynamic Reverse Mapping

The magic, misery, and mayhem!


Me

● Background:● Ex-developer● SysAdmin

● Interests● IPv6...● ...Asterisk/VoIP, monitoring, MythTV, SMTP, scale-

out, DNS, …


Internode

● Early leaders in ADSL2+ and IPv6 deployments● ...and pioneers globally routable toasters


IPv6 addressing vs v4

● 192.231.203.132

● 2001:44b8:0001:0000:0000:0000:0000:0001

● 2001:44b8:1::1


'Forwards' DNS

● How do I get to www.internode.on.net?


'Forwards' DNS

● www.internode.on.net ● “A” lookup – IPv4● “AAAA” lookup - IPv6● Why “AAAA”?● Yo Address So Fat...


Reverse DNS

● “PTR” lookup

● 132.203.231.192.in-addr.arpa

● 1.0.0.0.0.0.0.0. 0.0.0.0.0.0.0.0. 0.0.0.0.1.0.0.0. 8.b.4.4.1.0.0.2 .ip6.arpa.


THE NEED - Why rDNS

● SMTP servers● Neatness● Can make it a bit more recognisable● We were asked


Internode IPv4 rDNS

● Largely a manual process● Statically-generated● Residential customers don't get a choice on

names● Different naming schemes

● Next allocation, we'll... oh.


THE PROBLEM – addresses!

● Each customer has 4722366482869645213696 IPs

● 4B TB at 1 byte each● Internal vs external IPs – no difference● More address churn, no notification to us


● What does our software do now?● Can we stand on some shoulders?

● http://hyse.org/v6rev/

● https://github.com/endreszabo/PowerDNS-Dynamic-Reverse-Backend

● Later additions● http://end.re/2011/05/17/thoughts-on-ipv6-reverse-dns-address-mapping-for-the-masses/

● https://github.com/jpmens/dlz_lua

Procedural generation mandatory

http://hyse.org/v6rev/

https://github.com/endreszabo/PowerDNS-Dynamic-Reverse-Backend

http://end.re/2011/05/17/thoughts-on-ipv6-reverse-dns-address-mapping-for-the-masses/

https://github.com/jpmens/dlz_lua


BIND?

● $GENERATE macro – No● DLZ – patch compile patch compile …

● We need fast BIND deployments for security● Still need to write a backend


So, why not those?

● Nothing seemed right. ● (NIH? Hope not! :)

● We don't use PowerDNS● Still needs delegation handled easily● Not Invented Yet


REQUIREMENT: Delegation...

● IPv4; 1-10 entries per customer (usually 1)● IPv6... not so much.● Also, static IPv6 for all.● Solution: Don't host, delegate.


What does it look like? (1)

● 2001:db8:1234:5600::7891:2345● 1234-5600-0000-0000-7891-

2345.nsw.internode.on.net● Includes location.● Skips 2001:db8:: prefix



● 2001:db8:1234:5600::7891:2345● 1234-5600—7891-

2345.static.internode.on.net● Compression isn't necessarily canonical.



● 2001:db8:1234:5600::7891:2345● 20010db8123456000000000078912345.n

sw.ipv6.internode.on.net● Miss a digit...



● 2001:db8:1234:5600::7891:2345● 15vxztvgj89.ipv6.internode.on.net● Base36!● A popular contender in the last year● (Notably, that also happens to be the

combination on my luggage)


What ended up happening

● 2001-0db8-1234-5600-0000-0000-7891-2345.static.ipv6.internode.on.net

● No location● Prefix is kept● Whole static.ipv6.* domain just for

automatically-mapped IPv6 names.


Slithering into PoC

● Proof of Concept was in Python... and in production.

● Stunningly easy to learn/use.● Fails well

● eg. Bounds check exception leads to SERVFAIL.● Downsides to Python?

● Performance?● Internal Support


Sidebar #1: DNS Integration● “forwarding” - reverse-proxy for DNS

● TTLs drop off, cached by BIND nameservers● “magic” servers are hidden● Not RFC compliant (“AA” field is not returned)

● Delegation● “Proper” way of saying “Go there for this zone”● Just like what our customers want for their IP allocations● Can still host a zone ourselves...


THE SOLUTION: pymds

● Existing, modular, standalone Python nameserver: pymds

● Add new backend for IPv6 auto-mapping● Plugin for handling delegations● SysAdmin stuff● Deploy it for ~200,000 customers


pymds, prettified

● by Tom Pinckney

Internet pymds

Backend Plugins


pymds: Backends

● Existing backend: file.● New backend: autogen.


pymdsautogen.py

● Started with string munging● Ended with part munging, part regexes● Python's “re” is good to work with● Uses python-ipaddr module too

● Address sanity● Binary representation


THE CODE“query” is a list of name components under the zone we're handling

------------------------------------------------addr = ipaddr.IPv6Address(query.replace('-',':'))

...= addr.packed

------------------------------------------------query.reverse()

raw_data = string.join(list(self.v6prefix) + query,'')

# Turn 20010db812341234... into 2001-0db8-1234-1234-...

data = re.sub('(....)', r'\1-', raw_data, 7)

… = ([data] + self.basedomain)


You forgot delegations!● Let's just do it in BIND

● Can't add to master reverse zone file● Make smaller (overlapping) zones for the customer's range,

and put NS records inside to delegate● Lots of new records, though wildcard can help● New zone per customer delegation

● Hack it in to the IPv6 automagic backend!

● Maybe not, then?


Delegations, cleverly

● Let's just do it in BIND, differently● Delegate address ranges to automatic DNS as they're mapped in

our IPAM system● Delegate other ranges to customers's nameservers as required● Fewer & more understandable zones● Zone for area, COUNT(customers) entries in the zone

● Cleverness and timeliness don't always go hand in hand... and IPAM doesn't even know delegations!


THE SOLUTION: Filters

● pymds has “rr” filter for reordering results● New backend, “override”.

● Reloadable config● Totally separate code● Filters to remove AAAA answers & add “NS”

records instead– Required pymds API change!

● Uses random ordering of NS records


Filters, prettily

Internet pymds

Backend Plugins Filter Plugins


Sidebar #2: NS authority

● NS records in responses were given at the level of the query (ie. /128), not at the level of the delegation● Caching becomes horribly inefficient


Sidebar #3: Query Types

● Respond to “A”, “NS”, “ANY” queries● Missing “A” leads to broken “host” queries● Missing “NS” confuses troubleshooting● Missing “ANY” is bad form● Just handle all query types...


Sidebar #4: IPv6!!

● Make it work over IPv6● AF_INET → AF_INET6

● IPv6... only!?● sysctl

– net.ipv6.bindv6only = 0

● Python– s.setsockopt(socket.IPPROTO_IPV6,

socket.IPV6_V6ONLY, 0)

● ...changing how you BIND...


Finished! Or not.

● SysAdmin time...● Deployment● Monitoring● Testing● Security● Scaling● Caring about it ten years from now


Deployment

● git● debuild● apt / reprepro● Puppet● ...and TEST IT.


Monitoring

● Mon● Nagios● Shell scripts!● I saw a csh by the csh or...● Except I mostly use bash.


Testing

● Bash● dig● diff● "dig $STUFF | grep -v $DONTCARESTUFF >

output/foo; diff correct-output/foo output/foo"● dig-version-dependent, limited, can't handle RR

rotation, etc.


Paranoia^WSecurity

● setuid() to nobody● Security changes to the pymds core...

pymds | 23 ++++++++++++++++++-----

1 file changed, 18 insertions(+), 5 deletions(-)

● Future enhancements● apparmor / SELinux?


Scaling

● Queries-per-second● Scale-out

● Delegation count● RAM● Partitioning● Be clever - move it to BIND instead● Or... MOAR RAAAAAAMMMM


Future

● Maintain vs Replace● BIND plugin?● Migrate to PowerDNS?● Issues with replacing

● Naming compatibility – like an API for users● Delegations... again.


Thanks to...

● Tom Pinckney● Michael Davies● LCA2012 :)● Internode


The End

ipv6 dynamic reverse mapping - internodeusers.on.net/~rmibus/pymds/ipv6-auto-rdns.pdfdownload:...

Documents