On 2/16/22 14:38, Andrew Baker via bind-users wrote:
> Firstly, we are running bind 9.11 on Debian 10 hosts.
> * Is it worth us upgrading to Debian 11 to get the newer version of
> bind?

I don't run Linux, but shouldn't it be possible to just upgrade only
BIND on your current Linux release, without having to change major OS
versions?

> * Are there any issues/bugs/holes in 9.11 that will cause us a
> problem, especially if we start messing with ipv6?

None that I can tell.
We are running bind911-9.11.36 happily as a resolver. Given
authoritative name servers would be less busy, I imagine you'll be fine
from that standpoint.

> * If I do upgrade the on-premise servers, is it better to do master
> then slaves or the other way around?

I've done both ways, because I've found it doesn't matter, especially if
you have more than one master.

> * If we have DNSSEC configured, is it going to break anything
> upgrading? (I have lots of backups of the zones and hosts files)

Take your time understanding DNSSEC, and how to set it up. I'd do this
long after adding IPv6 support, as that is what is most urgent, if I
hear you right.

> Secondly, reference bind config
> * For the “listen-on-v6” statement, are the only options still
> ‘none’ or ‘all’?

On all our name servers, we have this:
listen-on-v6 { any; };
Works great.

> * Can the “listen-on-v6” only be enabled globally in the
> ‘named.conf.options’ or is it possible to enable per zone as we
> are (currently) only going to have 1 zone needing ipv6?

Good question - I don't know.
But I'd suspect it's a global setting, because the protocol BIND listens
on has nothing to do with what it answers, i.e., you can carry an IPv6
response over IPv4.

> * Once ipv6 is enabled, is it advisable to setup a sub-domain for
> the ipv6 addresses to avoid dual-stacking?

You could if you want to, but there is no relationship between the
A/AAAA records in the zone, and how the server's TCP/IP stack is configured.
We just have all IPv4 and IPv6 records in the same zone, with the server
dual-stacked.

> The reverse zones for our ipv4 are handled (badly) by our local
> telecoms provider. How big an issue is it going to be for ipv6 if the
> reverse lookups are badly/not implemented?

You can choose to handle your own PTR, assuming the IPv6 space is yours.
Unless I misunderstand...

> If our ISP can’t give us a public ipv6 address, can we still run our
> bind to give out ipv6 addresses or not?

Yes - you can answer to IPv6 DNS queries, and provide that answer over
IPv4, i.e., you can answer an AAAA query over IPv4. The answer and the
transport don't have to be congruent.

> Finally, can anyone point me towards any good reading on bind
> configuration and DNS best practice (preferably with idiot proof
> examples)? I must decide fairly quickly if we roll this zone back to
> our domain registrar who is set up to handle ipv6 or do we strike out
> and bring our DNS setup up to date and future proofed!
https://www.oreilly.com/library/view/dns-and-bind/9781449308025/
Mark.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
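Two of the points in the reply above (A and AAAA records living side by side in one zone, and publishing your own PTR records once you hold the IPv6 space) are easy to get wrong in the reverse direction, because ip6.arpa names are built from all 32 hex nibbles of the fully expanded address, reversed. The following is an added example, not code from the thread or from ISC. The host names, the `example.com.` zone and the `2001:db8:1234::/48` delegation are constructed (documentation prefixes); it generates the forward A/AAAA records and the matching ip6.arpa PTR records relative to the reverse zone apex, and refuses to emit a PTR for an address outside the delegated prefix.

```python
"""Generate forward (A/AAAA) and IPv6 reverse (ip6.arpa PTR) records for a
dual-stacked host list.

Added example, not from the bind-users thread. Host names and addresses are
constructed: 2001:db8::/32 and 192.0.2.0/24 are documentation ranges, so
nothing here describes a real network.
"""
import ipaddress

# Constructed sample inventory: (hostname, IPv4, IPv6) for one dual-stacked zone.
HOSTS = [
    ("www", "192.0.2.10", "2001:db8:1234::10"),
    ("mail", "192.0.2.25", "2001:db8:1234:0:0:0:0:25"),
]
FORWARD_ZONE = "example.com."
IPV6_PREFIX = "2001:db8:1234::/48"   # assumed delegation from the ISP


def ip6_arpa_name(addr: str) -> str:
    """Return the full ip6.arpa owner name for an IPv6 address.

    The name is the 32 hex nibbles of the *expanded* address, reversed and
    dot-separated, under ip6.arpa. Abbreviated forms ('::') must be expanded
    first, which is why the exploded form is used rather than the input text.
    """
    ip = ipaddress.IPv6Address(addr)
    nibbles = ip.exploded.replace(":", "")          # exactly 32 hex digits
    assert len(nibbles) == 32
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_origin(prefix: str) -> str:
    """Return the ip6.arpa zone apex for a prefix on a nibble (multiple-of-4) boundary.

    A /48 covers 12 nibbles, so its reverse zone is '<12 reversed nibbles>.ip6.arpa.'.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for a clean ip6.arpa cut")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def forward_records(hosts=HOSTS, zone=FORWARD_ZONE):
    """A and AAAA records side by side in the same forward zone."""
    lines = []
    for name, v4, v6 in hosts:
        fqdn = f"{name}.{zone}"
        lines.append(f"{fqdn} IN A {ipaddress.IPv4Address(v4)}")
        lines.append(f"{fqdn} IN AAAA {ipaddress.IPv6Address(v6).compressed}")
    return lines


def reverse_records(hosts=HOSTS, zone=FORWARD_ZONE, prefix=IPV6_PREFIX):
    """PTR records for the ip6.arpa zone, owner names relative to the zone apex.

    An address outside the delegated prefix cannot be answered authoritatively
    from this zone, so it is rejected instead of silently producing a PTR that
    no resolver would ever reach.
    """
    origin = reverse_zone_origin(prefix)
    net = ipaddress.IPv6Network(prefix)
    lines = []
    for name, _v4, v6 in hosts:
        if ipaddress.IPv6Address(v6) not in net:
            raise ValueError(f"{v6} is not inside {prefix}; cannot publish PTR here")
        full = ip6_arpa_name(v6)
        assert full.endswith("." + origin)
        relative = full[: -len(origin) - 1]     # strip the ".<origin>" suffix
        lines.append(f"{relative} IN PTR {name}.{zone}")
    return lines


if __name__ == "__main__":
    print(f"; forward zone {FORWARD_ZONE}")
    print("\n".join(forward_records()))
    print(f"\n; reverse zone {reverse_zone_origin(IPV6_PREFIX)}")
    print("\n".join(reverse_records()))
```

The forward and reverse outputs are independent of which transport the server listens on, which is the point made in the reply: a resolver asking over IPv4 gets the same AAAA and PTR answers as one asking over IPv6.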