/56 Subnet – Delegating IPv6 Reverse Authority

Recently I had a client that wanted a /56 IPv6 WAN range. The idea behind this was that he wanted to be able to provision multiple /64s within his /56 to assign to clients.

Before we go any further, let's clarify what a /56 is. I will use the following sample range:

2600:AB00:1000:2000::/56

This is really the range of IPs from 2600:AB00:1000:2000:0000:0000:0000:0000 through 2600:AB00:1000:20FF:FFFF:FFFF:FFFF:FFFF; in other words, it's 256 /64s. Delegating reverse authority for this beast is not so straightforward. Here is how we do it in BIND v9.

The most difficult aspect of this is that the /56 delegation has to occur from within the /32 zone file. Huh? If you were only ever doing DNS yourself (no delegation), you probably never created a zone for the /32; instead you just had all your /64 zone files as is. You can't declare a /56 ip6.arpa zone file and delegate; it has to be done from the newly created /32. But don't worry, the /32 will have a catch-all that redirects everything back to itself, so all your existing /64 zones will be fine, no changes needed.

So, sticking with the above ranges, assume we are an ISP, our /32 is 2600:AB00::/32, and our DNS servers are ns1.isp.com and ns2.isp.com. Furthermore, say we have a client with a /64 of 2600:AB00:1234:4000::/64 and we do the DNS for them (no delegation). Lastly, we have a client /56 of 2600:AB00:1000:2000::/56 that is going to be delegated to their name servers, ns1.client.com and ns2.client.com.

Assume this is a watered-down config snippet; we're just showing the pertinent info. Here is my master BIND config file showing the zone declarations:


// /64 client zone, served by us (no delegation)
zone "0.0.0.4.4.3.2.1.0.0.b.a.0.0.6.2.ip6.arpa" {
    type master;
    file "/etc/bind/master/0.0.0.4.4.3.2.1.0.0.b.a.0.0.6.2.ip6.arpa";
};

// /32 parent zone; the /56 delegation lives in this zone file
zone "0.0.b.a.0.0.6.2.ip6.arpa" {
    type master;
    file "/etc/bind/master/0.0.b.a.0.0.6.2.ip6.arpa";
};

The first zone is my /64 client, here is that zone file with some sample PTRs:


$ORIGIN 0.0.0.4.4.3.2.1.0.0.b.a.0.0.6.2.ip6.arpa.
$TTL 3600
@       IN SOA  ns1.isp.com. hostmaster.isp.com. (
                2014022621 ; Serial
                10800      ; Refresh
                3600       ; Retry
                2419200    ; Expire
                604800 )   ; Default TTL

        IN NS   ns1.isp.com.
        IN NS   ns2.isp.com.

5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR web01.isp.com.
5.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR mail01.isp.com.

The second zone is the /32 zone, and this is where we do the delegation for the /56 and the catch all for everything else, see below:


$ORIGIN 0.0.b.a.0.0.6.2.ip6.arpa.
$TTL 3600
@       IN SOA  ns1.isp.com. hostmaster.isp.com. (
                2018080107 ; Serial
                10800      ; Refresh
                3600       ; Retry
                2419200    ; Expire
                604800 )   ; Default TTL

        IN NS   ns1.isp.com.
        IN NS   ns2.isp.com.

0.2.0.0.0.1.0.0.b.a.0.0.6.2.ip6.arpa. IN NS ns1.client.com.
0.2.0.0.0.1.0.0.b.a.0.0.6.2.ip6.arpa. IN NS ns2.client.com.

Looking at this zone file, the first two NS lines are the catch-all: basically, anything that doesn't match a delegation below them will delegate back to itself. This is why my /64 zone in the master config will work. But we do match the /56 that needs delegation, and it's forwarded to those third-party name servers.
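
As an added example (not part of the original post), this Python sketch derives the ip6.arpa owner names used above and builds the NS lines for the parent zone, rejecting prefixes that are not nibble-aligned or that fall outside the parent range. The function names are hypothetical; the prefixes and name servers are the sample values from this post.

```python
import ipaddress


def reverse_zone(prefix):
    """Return the ip6.arpa zone name for a nibble-aligned IPv6 prefix."""
    net = ipaddress.IPv6Network(prefix)  # raises ValueError if host bits are set
    if net.prefixlen == 0 or net.prefixlen % 4:
        # Each ip6.arpa label is one hex nibble, so /56 maps cleanly but /57 does not.
        raise ValueError(f"{prefix}: prefix length must be a non-zero multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def delegation_records(parent, child, nameservers):
    """Build the NS lines that go in the parent zone file to delegate child."""
    p = ipaddress.IPv6Network(parent)
    c = ipaddress.IPv6Network(child)
    # Only delegate space that really sits inside the parent allocation.
    if not (c.prefixlen > p.prefixlen and c.subnet_of(p)):
        raise ValueError(f"{child} is not a more-specific prefix of {parent}")
    owner = reverse_zone(child)
    return [f"{owner} IN NS {ns.rstrip('.')}." for ns in nameservers]


if __name__ == "__main__":
    # Sample values taken from the post.
    print("parent zone:", reverse_zone("2600:AB00::/32"))
    for line in delegation_records(
        "2600:AB00::/32",
        "2600:AB00:1000:2000::/56",
        ["ns1.client.com", "ns2.client.com"],
    ):
        print(line)
```

After reloading the parent zone, querying a PTR name inside the /56 against ns1.isp.com should return a referral to the client's name servers rather than an answer.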