Berkeley Internet Name Daemon BIND (named)

Linux IPv6 HOWTO
Prev	Chapter 17. Hints for IPv6-enabled daemons	Next

17.1. Berkeley Internet Name Daemon BIND (named)

IPv6 is supported since version 9. Always use newest available version. At least version 9.1.3 must be used, older versions can contain remote exploitable security holes.

17.1.1. Listening on IPv6 addresses

Note: unlike in IPv4 current versions doesn't allow to bind a server socket to dedicated IPv6 addresses, so only any or none are valid. Because this can be a security issue, check the Access Control List (ACL) section below, too!

17.1.1.1. Enable BIND named for listening on IPv6 address

To enable IPv6 for listening, following options are requested to change

options {
        # sure other options here, too
        listen-on-v6 { any; };
};

This should result after restart in e.g.

# netstat -lnptu |grep "named\W*$" 
tcp 0 0 :::53         :::*      LISTEN 1234/named # incoming TCP requests
udp 0 0 1.2.3.4:53    0.0.0.0:*        1234/named # incoming UDP requests to IPv4 1.2.3.4
udp 0 0 127.0.0.1:53  0.0.0.0:*        1234/named # incoming UDP requests to IPv4 localhost
udp 0 0 0.0.0.0:32868 0.0.0.0:*        1234/named # dynamic chosen port for outgoing queries
udp 0 0 :::53         :::*             1234/named # incoming UDP request to any IPv6

And a simple test looks like

# dig localhost @::1

and should show you a result.

17.1.1.2. Disable BIND named for listening on IPv6 address

To disable IPv6 for listening, following options are requested to change

options {
        # sure other options here, too
        listen-on-v6 { none; };
};

17.1.2. IPv6 enabled Access Control Lists (ACL)

IPv6 enabled ACLs are possible and should be used whenever it's possible. An example looks like following:

acl internal-net { 
        127.0.0.1; 
        1.2.3.0/24;  
        3ffe:ffff:100::/56; 
        ::1/128; 
        ::ffff:1.2.3.4/128; 
};
acl ns-internal-net { 
        1.2.3.4;  
        1.2.3.5;  
        3ffe:ffff:100::4/128; 
        3ffe:ffff:100::5/128; 
};

This ACLs can be used e.g. for queries of clients and transfer zones to secondary name-servers. This prevents also your caching name-server to be used from outside using IPv6.

options {
        # sure other options here, too
        listen-on-v6 { none; };
        allow-query { internal-net; }; 
        allow-transfer { ns-internal-net; }; 
};

It's also possible to set the allow-query and allow-transfer option for most of single zone definitions, too.

17.1.3. Sending queries with dedicated IPv6 address

This option is not required, but perhaps needed:

query-source-v6 address <ipv6address|*> port <port|*>;

17.1.4. Per zone defined dedicated IPv6 addresses

It's also possible to define per zone some IPv6 addresses.

17.1.4.1. Transfer source address

Transfer source address is used for outgoing zone transfers:

transfer-source-v6 <ipv6addr|*> [port port];

17.1.4.2. Notify source address

Notify source address is used for outgoing notify messages:

notify-source-v6 <ipv6addr|*> [port port];

17.1.5. Serving IPv6 related DNS data

For IPv6 new types and root zones for reverse lookups are defined:

AAAA and reverse IP6.INT: specified in RFC 1886 / DNS Extensions to support IP version 6, usable since BIND version 4.9.6
A6, DNAME and reverse IP6.ARPA: specified in RFC 2874 / DNS Extensions to Support IPv6 Address Aggregation and Renumbering, usable since BIND 9, but see also an information about the current state at draft-ietf-dnsext-ipv6-addresses-00.txt

Perhaps filled later more content, for the meantime take a look at given RFCs and

AAAA and reverse IP6.INT: IPv6 DNS Setup Information
A6, DNAME and reverse IP6.ARPA: take a look into chapter 4 and 6 of the BIND 9 Administrator Reference Manual (ARM) distributed which the bind-package or get this here: BIND version 9 ARM (PDF)

Because IP6.INT is deprecated (but still in use), a DNS server which will support IPv6 information has to serve both reverse zones.

17.1.5.1. Current best practice

Because there are some troubles around using the new formats, current best practice is:

Forward lookup support:

AAAA
A6 without chaining, means prefix length value set to 0

Reverse lookup support:

Reverse nibble format for zone ip6.int
Reverse nibble format for zone ip6.arpa

17.1.6. Checking IPv6-enabled connect

To check, whether BIND is listening on an IPv6 socket and serving data see following examples.

17.1.6.1. IPv6 connect, but denied by ACL

Specifying a dedicated server for the query, an IPv6 connect can be forced:

$ host -t aaaa www.6bone.net 3ffe:ffff:200:f101::1 
Using domain server: 
Name: 3ffe:ffff:200:f101::1 
Address: 3ffe:ffff:200:f101::1#53 
Aliases:
Host www.6bone.net. not found: 5(REFUSED)

Related log entry looks like following:

Jan 3 12:43:32 gate named[12347]: client
Ź 3ffe:ffff:200:f101:212:34ff:fe12:3456#32770: 
 query denied

If you see such entries in the log, check whether requests from this client should be allowed and perhaps review your ACL configuration.

17.1.6.2. Successful IPv6 connect

A successful IPv6 connect looks like following:

$ host -t aaaa www.6bone.net 3ffe:ffff:200:f101::1 
Using domain server: 
Name: 3ffe:ffff:200:f101::1 
Address: 3ffe:ffff:200:f101::1#53 
Aliases:
www.6bone.net. is an alias for 6bone.net. 
6bone.net. has AAAA address 3ffe:b00:c18:1::10

Prev	Home	Next
Hints for IPv6-enabled daemons	Up	Internet super daemon (xinetd)