++patterns

content/u/blog/the-v6-pattern-for-proxied-hosts/contents.lr

@@ -0,0 +1,90 @@
+title: The v6 pattern for IPv6 only hosts
+---
+pub_date: 2021-02-24
+---
+author: ungleich
+---
+twitter_handle: ungleich
+---
+_hidden: no
+---
+_discoverable: no
+---
+abstract:
+How to configure proxied IPv6 only hosts reliably.
+---
+body:
+
+Dear ISC bind,
+
+this is a love letter to you. You probably don't know me, but I have
+been a long term user of yours.
+
+I started my time with you in the late 90's. It was when you were
+called "bind 4". I was very happy with our relationship. You'd not
+only take care of all authoritative requests, but also take care of
+caching client requests. Me, still being young at the time, I did not
+know nor care about security concerns in the beginning.
+
+But then over time I got more experienced and I read and tried DNS
+cache poisoning and I was shocked. How could you? How could you accept
+incorrect entries? I had so much trust in you and then that!
+
+Years passed and after my shock, I had a fling with
+[djbdns](https://cr.yp.to/djbdns.html) (together with qmail and
+daemontools). Which right away took security more serious. So serious
+that even managing djbdns with its own suite was almost like a crypto
+analysis adventure (no offense, Dan!). Many years this was my software
+solution of choice, compiled by source, patched by hand. Oh, the old
+2000's!
+
+Over time the effort for managing software by source code and
+/usr/local installations did not turn out to be very efficient. So I
+looked around and found [powerdns](https://www.powerdns.com/),
+[nsd](https://www.nlnetlabs.nl/projects/nsd/about/) and
+[unbound](https://www.nlnetlabs.nl/projects/unbound/about/).
+
+I settled for the nsd/unbound combination for many years. Solid, easy
+to use and nice separation of concerns. Thanks nlnetlabs! Then I
+stumbled upon
+[dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html). Dnsmasq
+feels a bit like a younger sibling of bind: it does everything and
+even includes dhcp and tftp support! Crazy, isn't it? Many years to
+come, dnsmasq, first discovered on an embedded router, turned out to
+be a very stable solution for even mid sized installations. And it
+comes with a very simple configuration as well.
+
+But then 2017 happened. And ungleich started the [Data Center
+Light](/u/projects/data-center-light/) project. An IPv6 first
+hosting. And there you were, dear bind. Looking at me from the side of
+the software projects, saying "I think it's time we have a talk.".
+
+And indeed, we did have a talk. A talk about implementing DNS64. About
+different DNS64 prefixes in one configuration. About being
+an authoritative name server that functions even if all upstreams are
+down. A name server that even allows the most funky configuration of
+*removing native AAAA entries* for DNS64 networks that should only
+access mapped IPv4 addresses. You can do it all, but you are still not
+complicated. Who can say that from oneself?
+
+I admit, I was not always loyal to you. And I also admit that I am
+still sceptical about mixing caching and authoritative features in one
+process. But you do it so damn well. Not only have you been around for
+decades and collected the wisdom over the years, but also have you
+adapted to the time.
+
+This is why I am writing you this love letter today, to say
+thanks. Thanks for making the life in a data center easier, thanks to
+being flexible, thanks for improving over time and thanks to still
+adhearing to the same configuration file format that I used in the
+late 90's.
+
+Dear BIND, you are by far not perfect, but then neither is
+reality. And this is your strength, solving real world problems.
+
+Thank you for doing so and thanks to all the involved developers for
+creating bind.
+
+In love, yours,
+
+Nico