++v6 pattern tech talk
parent f7c868a1b0
commit eb51ddb027
2 changed files with 11 additions and 70 deletions
Binary file not shown. After: Size: 78 KiB
@@ -15,76 +15,17 @@ How to configure proxied IPv6 only hosts reliably.
 ---
 body:
 
-Dear ISC bind,
+At ungleich we have a lot of IPv6-only web servers. Many of them are
+are proxied from the IPv4 world, so the domain name points to two
+different machines:
 
-this is a love letter to you. You probably don't know me, but I have
-been a long term user of yours.
+* the AAAA entry points to the server directly
+* the A entry points to a proxy
 
-I started my time with you in the late 90's. It was when you were
-called "bind 4". I was very happy with our relationship. You'd not
-only take care of all authoritative requests, but also take care of
-caching client requests. Me, still being young at the time, I did not
-know nor care about security concerns in the beginning.
+This sometimes makes configuring the right system a bit harder,
+because on dual stack clients, accessing www.example.com brings you to
+either machine. In the [first ungleich tech
+talk](https://www.youtube.com/watch?v=cANwo0IdZYU) we show how this
+looks in detail and how we ensure that we configure the right machine.
 
-But then over time I got more experienced and I read and tried DNS
-cache poisoning and I was shocked. How could you? How could you accept
-incorrect entries? I had so much trust in you and then that!
-
-Years passed and after my shock, I had a fling with
-[djbdns](https://cr.yp.to/djbdns.html) (together with qmail and
-daemontools). Which right away took security more serious. So serious
-that even managing djbdns with its own suite was almost like a crypto
-analysis adventure (no offense, Dan!). Many years this was my software
-solution of choice, compiled by source, patched by hand. Oh, the old
-2000's!
-
-Over time the effort for managing software by source code and
-/usr/local installations did not turn out to be very efficient. So I
-looked around and found [powerdns](https://www.powerdns.com/),
-[nsd](https://www.nlnetlabs.nl/projects/nsd/about/) and
-[unbound](https://www.nlnetlabs.nl/projects/unbound/about/).
-
-I settled for the nsd/unbound combination for many years. Solid, easy
-to use and nice separation of concerns. Thanks nlnetlabs! Then I
-stumbled upon
-[dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html). Dnsmasq
-feels a bit like a younger sibling of bind: it does everything and
-even includes dhcp and tftp support! Crazy, isn't it? Many years to
-come, dnsmasq, first discovered on an embedded router, turned out to
-be a very stable solution for even mid sized installations. And it
-comes with a very simple configuration as well.
-
-But then 2017 happened. And ungleich started the [Data Center
-Light](/u/projects/data-center-light/) project. An IPv6 first
-hosting. And there you were, dear bind. Looking at me from the side of
-the software projects, saying "I think it's time we have a talk.".
-
-And indeed, we did have a talk. A talk about implementing DNS64. About
-different DNS64 prefixes in one configuration. About being
-an authoritative name server that functions even if all upstreams are
-down. A name server that even allows the most funky configuration of
-*removing native AAAA entries* for DNS64 networks that should only
-access mapped IPv4 addresses. You can do it all, but you are still not
-complicated. Who can say that from oneself?
-
-I admit, I was not always loyal to you. And I also admit that I am
-still sceptical about mixing caching and authoritative features in one
-process. But you do it so damn well. Not only have you been around for
-decades and collected the wisdom over the years, but also have you
-adapted to the time.
-
-This is why I am writing you this love letter today, to say
-thanks. Thanks for making the life in a data center easier, thanks to
-being flexible, thanks for improving over time and thanks to still
-adhearing to the same configuration file format that I used in the
-late 90's.
-
-Dear BIND, you are by far not perfect, but then neither is
-reality. And this is your strength, solving real world problems.
-
-Thank you for doing so and thanks to all the involved developers for
-creating bind.
-
-In love, yours,
-
-Nico
+This is our first tech talk and we love to [hear your feedback](/u/contact/).
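Review bot: the first added paragraph doubles a word across its line break, "Many of them are" followed by "are proxied from the IPv4 world"; drop the trailing "are" on the first line. The same paragraph says "accessing www.example.com brings you to either machine" but not how one tells which machine answered, so the reader has to watch the linked video to learn the check; one sentence naming it (forcing the address family with curl -4 and curl -6, or comparing the A and AAAA answers from dig) would make the post usable on its own. Replacing the whole previous body is correct: the BIND love letter had nothing to do with the file's title, "How to configure proxied IPv6 only hosts reliably.", shown in the hunk header.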