Network Working Group                                         M. Andrews
Internet-Draft                                                       ISC
Expires: April 19, 2014                                 October 16, 2013


         Automatic Delegation of IP6.ARPA reverse zones with PD
                   draft-andrews-dnsop-pd-reverse-00

Abstract

   This document describes a method to automate the delegation of
   IPv6.ARPA reverse zones when performing Prefix Delegations.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 19, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.







Andrews                  Expires April 19, 2014                 [Page 1]

Internet-Draft           customer reverse zones             October 2013


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Method  . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 3
   4.  Security Considerations . . . . . . . . . . . . . . . . . . . . 4
   5.  Normative References  . . . . . . . . . . . . . . . . . . . . . 4
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 4











































Andrews                  Expires April 19, 2014                 [Page 2]

Internet-Draft           customer reverse zones             October 2013


.  Introduction

   This document describes a method to automate the delegation of
   IPv6.ARPA reverse zones when performing Prefix Delegations.

   This will allow home users and small businesses to have IPv6.ARPA
   zones without manual intervention on the part of the ISP.


.  Method

   CPE generates a RSA key pair and stores this in non-volatile memory.

   CPE generates DHCPv6 Prefix Delegation [RFC3633] request which
   includes a KEY-RDATA option (code point TBA) which contains a the
   rdata of a DNS KEY record containing a RSASHA256 key using the public
   components of the previously generated RSA key pair.

   DHCP server updates DNS server based on the prefix it is delegating
   and the KEY-RDATA using TSIG [RFC2845] for authentication and
   responds with prefix.  If this is a new prefix delegation it will
   clear out all the old DNS records as part of the delegation processs.
   If there are multiple prefixes being delegated the ISP's DNS server
   will be updated for all of them.

   The CPE device configures the nameserver built in to it to server the
   reverse of the delegated prefixes.  Alternatively it may configure
   other nameservers to server these zones however the method to do that
   is out of scope for this document.

   CPE device generates DNS UPDATE [RFC2136] which delegates the reverse
   name space to itself and others if they have been configured.  The
   CPE uses SIG(0) [RFC2931] to sign the request with owner name
   matching the reverse of the delegated prefix.

   The ISP's DNS server is configured to accept self signed requests
   (the owner name used in the SIG(0) signature matches the owner name
   of the data to be updated).  It examines the request.  Looks at the
   KEY record added by the DHCPv6 server and decides the request is
   valid.


.  IANA Considerations

   Allocate a DHCPv6 code point for KEY-RDATA.






Andrews                  Expires April 19, 2014                 [Page 3]

Internet-Draft           customer reverse zones             October 2013


.  Security Considerations

   The UPDATE requests are all signed.  This is a proven method for
   securing UPDATE requests in the DNS.

   As a RSA key is being used there is no issue with the key material
   being in the clear.

   Only the CPE device and the ISP itself is capable of creating,
   updating or destroying the delegation.


.  Normative References

   [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
              "Dynamic Updates in the Domain Name System (DNS UPDATE)",
              RFC 2136, April 1997.

   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake, D., and B.
              Wellington, "Secret Key Transaction Authentication for DNS
              (TSIG)", RFC 2845, May 2000.

   [RFC2931]  Eastlake, D., "Secret Key Transaction Authentication for
              DNS (TSIG)", RFC 2931, September 2000.

   [RFC3633]  Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic
              Host Configuration Protocol (DHCP) version 6", RFC 3633,
              December 2003.


Author's Address

   M. Andrews
   Internet Systems Consortium
   950 Charter Street
   Redwood City, CA  94063
   US

   Email: marka@isc.org












Andrews                  Expires April 19, 2014                 [Page 4]