host_type=router
prefix_len=48
if_prefix=eth0
The machine then becomes the access router for a subnet with a 48-bit prefix. Once the tunnel is aware of this change, the local network must be told about it; this implies installing the radvd daemon (from the similarly-named package). This IPv6 configuration daemon has a role similar to dhcpd in the IPv4 world.
The /etc/radvd.conf configuration file must then be created (see /usr/share/doc/radvd/examples/simple-radvd.conf as a starting point). In our case, the only required change is the prefix, which needs to be replaced with the one provided by Freenet6; it can be found in the output of the ifconfig command, in the block concerning the tun interface.
Then run /etc/init.d/tspc restart and /etc/init.d/radvd start, and the IPv6 network should work.
TIP Programs built with IPv6
Many pieces of software need to be adapted to handle IPv6. Most of the packages in Debian Squeeze have been adapted already, but not all. A few volunteers had previously created a package archive dedicated to software specially rebuilt for IPv6; this archive was decommissioned in March 2007, both for lack of time and for lack of interest (since most of the patches have been integrated into the official packages). If your favourite package does not work with IPv6 yet, help can be found on the debian-ipv6 mailing-list.
→ http://lists.debian.org/debian-ipv6/
CAUTION IPv6 and firewalls
Native IPv6 (as opposed to a tunnel over IPv4) requires the firewall to accept the traffic, which uses IP protocol number 41. Connections can still be restricted, in the same fashion as for IPv4: the standard Debian kernels include an adaptation of netfilter for IPv6. This IPv6-enabled netfilter is configured in a similar fashion to its IPv4 counterpart, except the program to use is ip6tables instead of iptables.
10.6. Domain Name Servers (DNS)
10.6.1. Principle and Mechanism
The Domain Name Service (DNS) is a fundamental component of the Internet: it maps host names to IP addresses (and vice-versa), which allows the use of www.debian.org instead of 82.195.75.97.
DNS records are organized in zones; each zone matches either a domain (or a subdomain) or an IP address range (since IP addresses are generally allocated in consecutive ranges). A primary server is authoritative on the contents of a zone; secondary servers, usually hosted on separate machines, provide regularly refreshed copies of the primary zone.
Each zone can contain records of various kinds (Resource Records):
A: IPv4 address.
CNAME: alias (canonical name).
MX: mail exchange, an email server. This information is used by other email servers to find where to send email addressed to a given address. Each MX record has a priority. The highest-priority server (with the lowest number) is tried first (see sidebar BACK TO BASICS SMTP); other servers are contacted in order of decreasing priority if the first one does not reply.
PTR: mapping of an IP address to a name. Such a record is stored in a “reverse DNS” zone named after the IP address range. For example, 1.168.192.in-addr.arpa is the zone containing the reverse mapping for all addresses in the 192.168.1.0/24 range.
AAAA: IPv6 address.
NS: maps a name to a name server. Each domain must have at least one NS record. These records point at a DNS server that can answer queries concerning this domain; they usually point at the primary and secondary servers for the domain. These records also allow DNS delegation; for instance, the falcot.com zone can include an NS record for internal.falcot.com, which means that the internal.falcot.com zone is handled by another server. Of course, this server must declare an internal.falcot.com zone.
The reference name server, Bind, was developed and is maintained by ISC (Internet Software Consortium). It is provided in Debian by the bind9 package. Version 9 brings two major changes compared to previous versions. First, the DNS server can now run under an unprivileged user, so that a security vulnerability in the server does not grant root privileges to the attacker (as was seen repeatedly with versions 8.x).
Furthermore, Bind supports the DNSSEC standard for signing (and therefore authenticating) DNS records, which allows blocking any spoofing of this data during man-in-the-middle attacks.
CULTURE DNSSEC
The DNSSEC norm is quite complex; this partly explains why it's not in widespread usage yet (even if it perfectly coexists with DNS servers unaware of DNSSEC). To understand all the ins and outs, you should check the following article.
→ http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
10.6.2. Configuring
Configuration files for bind, irrespective of version, have the same structure.
The Falcot administrators created a primary falcot.com zone to store informations related to this domain, and a 168.192.in-addr.arpa zone for reverse mapping of IP addresses in the local networks.
CAUTION Names of reverse zones
Reverse zones have a particular name. The zone covering the 192.168.0.0/16 network need to be named 168.192.in-addr.arpa: the IP address components are reversed, and followed by the in-addr.arpa suffix.
TIP Testing the DNS server
The host command (in the bind9-host package) queries a DNS server, and can be used to test the server configuration. For example, host machine.falcot.com localhost checks the local server's reply for the machine.falcot.com query. The host ipaddress localhost tests the reverse resolution.
The following configuration excerpts, taken from the Falcot files, can serve as starting points to configure a DNS server:
Example 10.11. Excerpt of /etc/bind/named.conf.local
zone "falcot.com" {
type master;
file "/etc/bind/db.falcot.com";
allow-query { any; };
allow-transfer {
195.20.105.149/32 ; // ns0.xname.org
193.23.158.13/32 ; // ns1.xname.org
};
};
zone "internal.falcot.com" {
type master;
file "/etc/bind/db.internal.falcot.com";
allow-query { 192.168.0.0/16; };
};
zone "168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168";
allow-query { 192.168.0.0/16; };
};
Example 10.12. Excerpt of /etc/bind/db.falcot.com
; falcot.com Zone
; admin.falcot.com. => zone contact: admin@falcot.com