
[Humbledown highlights] Managing IPv6 Zone Pain

Originally published by myself on Wed Aug 11 12:49:36 NZST 2010
and since recovered to this location. It has not been tested since its original publication.

If you’re the type who prefers to hand-edit their DNS zone files (and there are an awful lot of us), then you’ll recognise the pain of managing IPv6 PTR records in DNS. You might even have a coping strategy to help you enter them without making an all-too-easy typo, such as using a tool like ipv6calc to generate the reversed nibbles. However, if that’s how you do it, it is still very difficult to find an address, or an error, after it has been entered; IPv6 PTR records are highly unrecognisable at a glance. A better way is to separate the edited view from the production view, to a small extent, by pre-processing the input with a tool. That is what this post is about; I present to you: ipv6-dns-revnibbles.
I initially designed this tool when I ran my first IPv6-enabled class for TELE301, and I think the tool has merit, so I’m releasing it to the public for feedback. The licence is public domain, no warranties etc. That said, if you make a patch or have a bug report, I would be happy to receive it.
IPv6 PTR records are a real pain. As an example, look at the following reverse zone file:

$TTL       604800
@       IN      SOA     ns1.localdomain. hostmaster.localdomain. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      ns1.localdomain.

$ORIGIN 0.0.0.0.e.c.5.3.4.0.1.4.b.6.d.f.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR     server-1.localdomain.
e.0.7.3.8.2.e.f.f.f.7.2.0.0.a.0 PTR     client1.localdomain.

It is hard to find a mistake in such an input. A tool such as ipv6calc helps a lot in some respects, but only when adding new records; it’s still quite difficult to see everything that is currently there. We can do better by generating the correct (verbose) format with a program that takes a zone file as input and passes it through a filter to do the conversions. I have written just such a program for you: ipv6-dns-revnibbles. It works somewhat like the venerable m4 macro processor, but is highly specialised (and therefore rather useless at other tasks). With this tool, your input starts looking like this:


@ IN SOA ns1.localdomain. hostmaster.localdomain. (
        2010042801 8H 2H 4W 1D)

       NS        ns1.localdomain.


%RN(::1)                  PTR   server-1.localdomain.
%RN(::a00:27ff:fe28:370e) PTR   client1.localdomain.

You store this input in a file with a .rn extension and then, using a simple Makefile, generate the production zone file from it. If you haven’t already, rename the reverse zone file you want to manage so it has a .rn extension:

# mv /etc/bind/db.fd6b-4104-35ce-0000--64{,.rn}

You’ll need to build the software, which uses the Flex tool and a C compiler; you should already have the C compiler installed, but you will need to install the flex package:

# apt-get install flex

Now, to build the software. First download ipv6-dns-revnibbles.tgz. Then, on your server, unpack it and build it:

$ mkdir -p ~/src/ipv6-dns-revnibbles
$ cd ~/src/ipv6-dns-revnibbles
$ tar -zxf /path/to/ipv6-dns-revnibbles.tgz
$ less
$ make
# install --owner root --group root --mode 0755 \
> ipv6-dns-revnibbles /usr/local/bin/
$ make -f Makefile.etc-bind
Updating from
# install --owner root --group root --mode 0755 \
> Makefile.etc-bind /etc/bind/Makefile

Now, using the example input file as a guide, update your own IPv6 reverse zone and run ‘make’ inside the /etc/bind/ directory.
To give you an example of what the input looks like, here is the example input file that produced the reverse zone shown at the start of this post:

$TTL       604800
@       IN      SOA     ns1.localdomain. hostmaster.localdomain. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      ns1.localdomain.


%RN(::1)                        PTR     server-1.localdomain.
%RN(::a00:27ff:fe28:370e)       PTR     client1.localdomain.

IMPORTANT: Unfortunately, ipv6-dns-revnibbles can’t know what the $ORIGIN is, so you need to specify it with %RN-PREFIX; this could be a sticking point if you reuse a zone file for multiple zones.
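As an added example (my own code, not part of ipv6-dns-revnibbles), here is a Python filter that performs the same macro expansion on the .rn input described above and, in addition, refuses any %RN() address that does not fall inside the declared prefix, which is exactly the kind of typo the hand-edited nibble form hides. The argument form %RN-PREFIX(prefix/len) is an assumption: the post names the directive but does not show its syntax. The sample input is constructed from the records shown above.

```python
"""Expand %RN-PREFIX(...) / %RN(...) macros in a reverse zone into nibble labels."""
import ipaddress
import re
import sys

# Constructed input in the style of the post's .rn file. The argument form of
# %RN-PREFIX(...) is an assumption; the post names the directive only.
SAMPLE_RN = """\
$TTL 604800
@       IN      SOA     ns1.localdomain. hostmaster.localdomain. (
        2010042801 8H 2H 4W 1D)
        NS      ns1.localdomain.

%RN-PREFIX(fd6b:4104:35ce::/64)
%RN(::1)                        PTR     server-1.localdomain.
%RN(::a00:27ff:fe28:370e)       PTR     client1.localdomain.
"""

RN_PREFIX_RE = re.compile(r"^\s*%RN-PREFIX\(([^)]+)\)\s*$")
RN_RE = re.compile(r"%RN\(([^)]+)\)")


def _nibbles(addr: ipaddress.IPv6Address) -> str:
    """All 32 hex digits of an address, most significant first."""
    return addr.exploded.replace(":", "")


def _nibble_prefix(prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        # ip6.arpa delegations are per nibble; a /62 has no single $ORIGIN.
        raise ValueError(f"prefix length /{net.prefixlen} is not nibble aligned")
    return net


def origin_for_prefix(prefix: str) -> str:
    """$ORIGIN for a prefix, e.g. fd6b:4104:35ce::/64 -> 0.0.0.0.e.c.5.3.4.0.1.4.b.6.d.f.ip6.arpa."""
    net = _nibble_prefix(prefix)
    head = _nibbles(net.network_address)[: net.prefixlen // 4]
    return ".".join(reversed(head)) + ".ip6.arpa."


def rev_nibbles_in_prefix(addr: str, prefix: str) -> str:
    """Reversed host nibbles of addr relative to prefix, for use under $ORIGIN.

    Accepts either a host part (::1) or a full address; a full address that
    lies outside the prefix is rejected rather than silently mis-filed.
    """
    net = _nibble_prefix(prefix)
    host = ipaddress.IPv6Address(addr)
    if int(host) & int(net.netmask) == 0:
        full = ipaddress.IPv6Address(int(net.network_address) | int(host))
    elif host in net:
        full = host
    else:
        raise ValueError(f"{addr} is not inside {net}")
    tail = _nibbles(full)[net.prefixlen // 4 :]
    return ".".join(reversed(tail))


def expand(text: str) -> str:
    """Rewrite .rn input into a plain zone file, emitting $ORIGIN at %RN-PREFIX."""
    out = []
    prefix = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RN_PREFIX_RE.match(line)
        if m:
            prefix = m.group(1).strip()
            out.append(f"$ORIGIN {origin_for_prefix(prefix)}")
            continue
        if "%RN(" in line:
            if prefix is None:
                raise ValueError(f"line {lineno}: %RN() used before %RN-PREFIX")
            try:
                line = RN_RE.sub(
                    lambda mo, p=prefix: rev_nibbles_in_prefix(mo.group(1).strip(), p),
                    line,
                )
            except ValueError as exc:
                raise ValueError(f"line {lineno}: {exc}") from exc
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usable as a filter from a Makefile rule: expand_rn.py < db.zone.rn > db.zone
    src = SAMPLE_RN if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(expand(src))
```

Run with no stdin it prints the expanded form of the sample above; fed a .rn file on stdin it behaves as a filter, so a Makefile rule can pipe it into the real zone file and then run named-checkzone on the result before reloading. Because a bad record aborts the run with a line number instead of producing a wrong PTR, a typo fails the build rather than going live.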
PS. For what it’s worth, ipv6calc is still a very useful tool when dealing with other configuration files, such as named.conf:

$ ipv6calc --in=ipv6addr fd6b:4104:35ce::/64
