
6to4 reverse DNS


Since most, or all, IPv6 connectivity suppliers give a full /64 or even a /48 address range, the reverse IPv6 DNS can be delegated in a more straightforward way than IPv4.

Still, you need to tell the provider which name servers to use, via some administrative tool. Some tunnel brokers even offer name servers, so you don't need to set up your own. This is not a problem because you already had to create an account to set up the tunnel in the first place; the same Web admin tool gives access to both things.

6to4 is a challenge for reverse DNS delegation because the tunnel setup is completely automatic and "anonymous". How can the /48 range be tied to a particular nameserver if the /48 "owner" never registered anywhere?

The current solution is a semi-public registry: https://6to4.nro.net/. NRO is the entity that, among other things, is responsible for the reverse DNS of 2002::/16 (the 6to4 super-range). When you fill in the form at the URL above, they delegate your particular 6to4 /48 range to the nameservers you name. They also have a text-only interface that allows this registration to be carried out by a script.

The https://6to4.nro.net site must be accessed from the very 6to4 host or network that is going to be registered. This guarantees that, at least, the client has access to that host, and is likely the legitimate "owner" of that IPv4 address.

Note that, if 6to4 is used to deliver IPv6 for a whole network instead of a single host, any computer inside that network can access this URL and change the reverse DNS delegation through the form. It is the network admin's responsibility to block access to this page (blocking port 443 of 6to4.nro.net, or something like that).

The registration form accepts an optional password, but it does NOT protect against insiders. It is useful to make future changes in reverse DNS from "outside" the target 6to4 network.

BEFORE you fill in the 6to4 form, you need to have at least two name servers correctly configured with reverse IPv6 DNS, or one nameserver on a multihomed machine. The configuration for v6.domain.com is shown below:

$ORIGIN 6.4.5.2.9.f.8.4.2.0.0.2.ip6.arpa.
$TTL 604800
@ IN SOA ns1.domain.com. spam.spam.com.br. (
  1978022513 ; Serial
  10800  ; Refresh
  3600  ; Retry
  2419200  ; Expire
  604800 ) ; Default TTL

  NS   ns1.domain.com.
  NS   ns2.domain.com.

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0 PTR v6.domain.com.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR v6.domain.com.

In /etc/bind/named.conf.local:

zone "6.4.5.2.9.f.8.4.2.0.0.2.ip6.arpa" {
 type master;
 file "/etc/bind/6to4.hosts";
};

It would be nice if someone wrote a script which got the 6to4 address from the interface and dumped the configurations shown above.
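
One way to write such a script, added here as an example and not part of the original article. It assumes the public IPv4 address is passed in rather than read from the interface; the function names are made up for this sketch, and the SOA timers, file path and host names are the ones used above.

```python
import ipaddress

def sixtofour_prefix(ipv4):
    """6to4 /48 for a public IPv4 address: 2002:<32-bit IPv4>::/48."""
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        raise ValueError(f"{v4} is not a public IPv4 address")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))

def nibbles(addr):
    """The 32 hex nibbles of an IPv6 address, least significant first."""
    return list(f"{int(addr):032x}")[::-1]

def zone_origin(net):
    """ip6.arpa name of the /48: its 12 prefix nibbles, reversed."""
    return ".".join(nibbles(net.network_address)[20:]) + ".ip6.arpa."

def ptr_owner(net, host):
    """Relative PTR owner name: the 20 nibbles below the /48, reversed."""
    addr = ipaddress.IPv6Address(host)
    if addr not in net:
        raise ValueError(f"{addr} is outside {net}")
    return ".".join(nibbles(addr)[:20])

def render(ipv4, nameservers, hostmaster, serial, ptrs,
           zone_file="/etc/bind/6to4.hosts"):
    """Return (zone file text, named.conf stanza) for the 6to4 range."""
    net = sixtofour_prefix(ipv4)
    origin = zone_origin(net)
    lines = [f"$ORIGIN {origin}", "$TTL 604800",
             f"@ IN SOA {nameservers[0]} {hostmaster} (",
             f"  {serial} ; Serial", "  10800 ; Refresh", "  3600 ; Retry",
             "  2419200 ; Expire", "  604800 ) ; Default TTL", ""]
    lines += [f"  NS   {ns}" for ns in nameservers] + [""]
    lines += [f"{ptr_owner(net, ip)} PTR {name}" for ip, name in ptrs]
    stanza = (f'zone "{origin.rstrip(".")}" {{\n type master;\n'
              f' file "{zone_file}";\n}};\n')
    return "\n".join(lines) + "\n", stanza

if __name__ == "__main__":
    # 72.249.37.70 is the dotted form of 48f9:2546, the prefix used above.
    zone, stanza = render("72.249.37.70",
                          ["ns1.domain.com.", "ns2.domain.com."],
                          "spam.spam.com.br.", 1978022513,
                          [("2002:48f9:2546:1::1", "v6.domain.com."),
                           ("2002:48f9:2546::1", "v6.domain.com.")])
    print(zone, stanza, sep="\n")
```

Addresses outside the derived /48 are rejected, so a typo cannot put a PTR record for someone else's range into the zone.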

I supplied reverse IPv6 DNS for two IPv6 addresses: 2002:48f9:2546:1::1 and 2002:48f9:2546::1. Our DNS server takes responsibility for the whole 2002:48f9:2546::/48 range, but has actual reverse names for just two IPs. I did not choose the IPv6 range; it is derived from the host's fixed IPv4 address.

Then I opened the NRO form. It already knows my IPv4 address and therefore my IPv6 /48 range. I just need to say that the nameservers are ns1.domain.com and ns2, and supply a contact e-mail. Within some minutes, the reverse should be visible to the rest of the world:

/Users/elvis $ host 2002:48f9:2546:1::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.6.4.5.2.9.f.8.4.2.0.0.2.ip6.arpa
    domain name pointer v6.domain.com.