diff --git a/content/u/blog/the-v6-pattern-for-proxied-hosts/2021-02-24-183437_817x476_scrot.png b/content/u/blog/the-v6-pattern-for-proxied-hosts/2021-02-24-183437_817x476_scrot.png new file mode 100644 index 0000000..a7a3eee Binary files /dev/null and b/content/u/blog/the-v6-pattern-for-proxied-hosts/2021-02-24-183437_817x476_scrot.png differ diff --git a/content/u/blog/the-v6-pattern-for-proxied-hosts/contents.lr b/content/u/blog/the-v6-pattern-for-proxied-hosts/contents.lr index 39496da..2265185 100644 --- a/content/u/blog/the-v6-pattern-for-proxied-hosts/contents.lr +++ b/content/u/blog/the-v6-pattern-for-proxied-hosts/contents.lr 
@@ -15,76 +15,17 @@ How to configure proxied IPv6 only hosts reliably. --- body: -Dear ISC bind, +At ungleich we have a lot of IPv6-only web servers. Many of them are +are proxied from the IPv4 world, so the domain name points to two +different machines: -this is a love letter to you. You probably don't know me, but I have -been a long term user of yours. +* the AAAA entry points to the server directly +* the A entry points to a proxy -I started my time with you in the late 90's. It was when you were -called "bind 4". I was very happy with our relationship. You'd not -only take care of all authoritative requests, but also take care of -caching client requests. Me, still being young at the time, I did not -know nor care about security concerns in the beginning. +This sometimes makes configuring the right system a bit harder, +because on dual stack clients, accessing www.example.com brings you to +either machine. In the [first ungleich tech +talk](https://www.youtube.com/watch?v=cANwo0IdZYU) we show how this +looks in detail and how we ensure that we configure the right machine. -But then over time I got more experienced and I read and tried DNS -cache poisoning and I was shocked. How could you? How could you accept -incorrect entries? I had so much trust in you and then that! - -Years passed and after my shock, I had a fling with -[djbdns](https://cr.yp.to/djbdns.html) (together with qmail and -daemontools). Which right away took security more serious. So serious -that even managing djbdns with its own suite was almost like a crypto -analysis adventure (no offense, Dan!). Many years this was my software -solution of choice, compiled by source, patched by hand. Oh, the old -2000's! - -Over time the effort for managing software by source code and -/usr/local installations did not turn out to be very efficient. 
So I -looked around and found [powerdns](https://www.powerdns.com/), -[nsd](https://www.nlnetlabs.nl/projects/nsd/about/) and -[unbound](https://www.nlnetlabs.nl/projects/unbound/about/). - -I settled for the nsd/unbound combination for many years. Solid, easy -to use and nice separation of concerns. Thanks nlnetlabs! Then I -stumbled upon -[dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html). Dnsmasq -feels a bit like a younger sibling of bind: it does everything and -even includes dhcp and tftp support! Crazy, isn't it? Many years to -come, dnsmasq, first discovered on an embedded router, turned out to -be a very stable solution for even mid sized installations. And it -comes with a very simple configuration as well. - -But then 2017 happened. And ungleich started the [Data Center -Light](/u/projects/data-center-light/) project. An IPv6 first -hosting. And there you were, dear bind. Looking at me from the side of -the software projects, saying "I think it's time we have a talk.". - -And indeed, we did have a talk. A talk about implementing DNS64. About -different DNS64 prefixes in one configuration. About being -an authoritative name server that functions even if all upstreams are -down. A name server that even allows the most funky configuration of -*removing native AAAA entries* for DNS64 networks that should only -access mapped IPv4 addresses. You can do it all, but you are still not -complicated. Who can say that from oneself? - -I admit, I was not always loyal to you. And I also admit that I am -still sceptical about mixing caching and authoritative features in one -process. But you do it so damn well. Not only have you been around for -decades and collected the wisdom over the years, but also have you -adapted to the time. - -This is why I am writing you this love letter today, to say -thanks. 
Thanks for making the life in a data center easier, thanks to -being flexible, thanks for improving over time and thanks to still -adhearing to the same configuration file format that I used in the -late 90's. - -Dear BIND, you are by far not perfect, but then neither is -reality. And this is your strength, solving real world problems. - -Thank you for doing so and thanks to all the involved developers for -creating bind. - -In love, yours, - -Nico +This is our first tech talk and we love to [hear your feedback](/u/contact/).
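Review bot: the replacement body has a doubled word in its opening sentence, "Many of them are / are proxied from the IPv4 world", which should read "Many of them are proxied from the IPv4 world"; the closing line "we love to [hear your feedback]" also reads more naturally as "we would love to hear your feedback". Separately, this commit adds the screenshot 2021-02-24-183437_817x476_scrot.png next to contents.lr, but nothing in the new body text references it, so either embed the image where the A/AAAA split is described or drop the binary from the commit. Since the old body (the BIND letter) is removed wholesale rather than edited, it would also help to state in the commit message that the previous content was misplaced under this slug, so the history is understandable later.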