Automated Delegation of IP6.ARPA reverse zones with Prefix Delegation

This document describes a method to automate the delegation of IP6.ARPA reverse zones when performing Prefix Delegations. This will allow home users and small businesses to have IP6.ARPA zones without manual intervention on the part of the ISP.

1) CPE device generates a RSA key pair and stores this in non-volatile memory. 2) CPE device generates a DHCPv6 Prefix Delegation request which includes a KEY-RDATA option (code point TBA), which contains a the rdata of a DNS KEY record containing a RSASHA256 key using the public components of the previously generated RSA key pair. 3) DHCP server updates DNS server based on the prefix it is delegating and the KEY-RDATA, using TSIG for authentication, and responds with prefix. If this is a new prefix delegation, it will clear out all the old DNS records as part of the delegation process. If there are multiple prefixes being delegated the ISP's DNS server will be updated for all of them. If the delegated prefix is not nibble aligned then the server will update all the reverse apex names that cover the address space, i.e. 1, 2, 4 or 8 KEY records will be added all with the same rdata contents. 4) CPE device configures the nameserver built into it to serve the reverse of the delegated prefixes. Alternatively it may configure other nameservers to serve these zones, however the method to do that is out of scope for this document. 5) CPE device generates a DNS UPDATE which delegates the reverse name space to itself and others if they have been configured. It uses SIG(0) to sign the request, with owner name matching the reverse of the delegated prefix. 6) The ISP's DNS server is configured to accept self-signed requests (the owner name used in the SIG(0) signature matches the owner name of the data to be updated). It examines the request, looks at the KEY record added by the DHCPv6 server, and decides whether the request is valid.

If 2001:DB8:1:4::/62 is delegated then KEY records for

4.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA KEY ... 5.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA KEY ... 6.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA KEY ... 7.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA KEY ... will be added. The CPE device will configure the nameservers to serve all of the following zones

4.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA 5.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA 6.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA 7.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA then will send individual UPDATE messages to delegate each of the reverse zones.

% nsupdate -k K4.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA update add 4.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA NS ... send % nsupdate -k K5.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA update add 5.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA NS ... send % nsupdate -k K6.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA update add 6.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA NS ... send % nsupdate -k K7.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA update add 7.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA NS ... send Named would be configured to accept dynamic updates from both the CPE devices and from the DHCP server.

zone 8.B.D.0.1.0.0.2.IP6.ARPA { type primary; file "8.B.D.0.1.0.0.2.IP6.ARPA.db"; update-policy { // allow 2 KEY, 10 NS and 8 DS records to be added grant * self . KEY(2) NS(10) DS(8); // allow the DHCP server add the KEY and cleanup grant dhcp-server-key subzone KEY NS DS; }; ... };

Allocate a DHCPv6 code point for KEY-RDATA.

The UPDATE requests are all signed. This is a proven method for securing UPDATE requests in the DNS. As a RSA key is being used there is no issue with key material being sent in the clear. Only the CPE device and the ISP itself is capable of creating, updating or destroying the delegation.