++v6 pattern tech talk

This commit is contained in:
Nico Schottelius 2021-02-24 18:47:34 +01:00
parent f7c868a1b0
commit eb51ddb027
2 changed files with 11 additions and 70 deletions

Binary file not shown.


@ -15,76 +15,17 @@ How to configure proxied IPv6 only hosts reliably.
---
body:
Dear ISC bind,
At ungleich we have a lot of IPv6-only web servers. Many of them are
are proxied from the IPv4 world, so the domain name points to two
different machines:
this is a love letter to you. You probably don't know me, but I have
been a long term user of yours.
* the AAAA entry points to the server directly
* the A entry points to a proxy
I started my time with you in the late 90's. It was when you were
called "bind 4". I was very happy with our relationship. You'd not
only take care of all authoritative requests, but also take care of
caching client requests. Me, still being young at the time, I did not
know nor care about security concerns in the beginning.
This sometimes makes configuring the right system a bit harder,
because on dual stack clients, accessing www.example.com brings you to
either machine. In the [first ungleich tech
talk](https://www.youtube.com/watch?v=cANwo0IdZYU) we show how this
looks in detail and how we ensure that we configure the right machine.
But then over time I got more experienced and I read and tried DNS
cache poisoning and I was shocked. How could you? How could you accept
incorrect entries? I had so much trust in you and then that!
Years passed and after my shock, I had a fling with
[djbdns](https://cr.yp.to/djbdns.html) (together with qmail and
daemontools). Which right away took security more serious. So serious
that even managing djbdns with its own suite was almost like a crypto
analysis adventure (no offense, Dan!). Many years this was my software
solution of choice, compiled by source, patched by hand. Oh, the old
2000's!
Over time the effort for managing software by source code and
/usr/local installations did not turn out to be very efficient. So I
looked around and found [powerdns](https://www.powerdns.com/),
[nsd](https://www.nlnetlabs.nl/projects/nsd/about/) and
[unbound](https://www.nlnetlabs.nl/projects/unbound/about/).
I settled for the nsd/unbound combination for many years. Solid, easy
to use and nice separation of concerns. Thanks nlnetlabs! Then I
stumbled upon
[dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html). Dnsmasq
feels a bit like a younger sibling of bind: it does everything and
even includes dhcp and tftp support! Crazy, isn't it? Many years to
come, dnsmasq, first discovered on an embedded router, turned out to
be a very stable solution for even mid sized installations. And it
comes with a very simple configuration as well.
But then 2017 happened. And ungleich started the [Data Center
Light](/u/projects/data-center-light/) project. An IPv6 first
hosting. And there you were, dear bind. Looking at me from the side of
the software projects, saying "I think it's time we have a talk.".
And indeed, we did have a talk. A talk about implementing DNS64. About
different DNS64 prefixes in one configuration. About being
an authoritative name server that functions even if all upstreams are
down. A name server that even allows the most funky configuration of
*removing native AAAA entries* for DNS64 networks that should only
access mapped IPv4 addresses. You can do it all, but you are still not
complicated. Who can say that from oneself?
I admit, I was not always loyal to you. And I also admit that I am
still sceptical about mixing caching and authoritative features in one
process. But you do it so damn well. Not only have you been around for
decades and collected the wisdom over the years, but also have you
adapted to the time.
This is why I am writing you this love letter today, to say
thanks. Thanks for making the life in a data center easier, thanks to
being flexible, thanks for improving over time and thanks to still
adhearing to the same configuration file format that I used in the
late 90's.
Dear BIND, you are by far not perfect, but then neither is
reality. And this is your strength, solving real world problems.
Thank you for doing so and thanks to all the involved developers for
creating bind.
In love, yours,
Nico
This is our first tech talk and we love to [hear your feedback](/u/contact/).
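Review bot: the new paragraph that opens "At ungleich we have a lot of IPv6-only web servers" carries a duplicated word across the line break ("Many of them are / are proxied from the IPv4 world"); drop one "are" before this lands. Two further points on the same hunk: it deletes the whole BIND love letter (from "Dear ISC bind," through "In love, yours, Nico") instead of moving it, so if that post is meant to stay published it needs its own file, ideally in a separate commit so the history shows a move rather than a removal; and the sentence "accessing www.example.com brings you to either machine" would read more precisely if it named what decides the outcome, namely which address family the dual-stack client picks between the AAAA record (server) and the A record (proxy), since that is exactly the ambiguity the talk's configuration check is meant to resolve.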