Configuring DNS64 support - BlueCat Integrity - 9.4.0

Address Manager Administration Guide


DNS64 must be configured in Address Manager to enable the DNS Server to synthesize AAAA records from A records.

To configure DNS64 support:

  1. From the configuration drop-down menu, select a configuration.
  2. Select the DNS tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
  3. Under DNS Views, click a DNS view.
  4. Click the DNS64 tab at the view level. Click New.
  5. Under General, set the following parameters:
    • DNS64 Prefix—enter an IPv6 network prefix. This is the IPv6 prefix used to synthesize IPv6 addresses from IPv4 addresses. In most cases you will want to specify a dedicated /64 network from your existing Global Unicast or Unique Local address spaces that isn't in use today. The prefix should match what's configured on the NAT64 server. NAT64 prefixes are restricted to /32s, /40s, /48s, /56s, /64s, or /96s.
    • Clients—indicates an address match list of clients for whom the service is provided. Select one of the following radio buttons. Selecting a radio button will change the client text field or drop-down menu.
      IPv6 Address/Block or name—select to specify client IPv6 addresses or blocks in the text field for which you wish to enable DNS64. If nothing is specified, DNS64 applies to all clients.
      Note: Due to a known issue with ISC’s named-checkconf tool, even if DNS validation is enabled on Address Manager, the Clients option in the DNS64 declaration won't get validated upon the DNS deployment to a managed BlueCat DNS Server.

      TSIG Key—select to specify clients using the matching TSIG key. If selected, a drop-down menu listing TSIG keys in Address Manager will appear.

      ACL—select ACLs specifying clients. If selected, a drop-down menu listing pre-defined and customer ACLs in Address Manager will appear.
      Note: When Key or ACL is selected, the Exclusion check box will appear. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key.
    • Mapped—indicates which IPv4 addresses within the A resource record set will be mapped to corresponding AAAA answers. Select one of the following radio buttons. Selecting a radio button will change the client text field or drop-down menu.

      IPv4 Address/Block or name—select to specify the IPv4 addresses to be mapped in the corresponding A to AAAA records transition. In most cases, you will want to enable DNS64 for all addresses as you won't know ahead of time which IPv4 addresses will require mapping and which won't. If nothing is specified, DNS64 maps all addresses.

      ACL—select ACLs containing client IPv4 addresses that will be mapped. If selected, a drop-down menu listing pre-defined and customer ACLs in Address Manager will appear.
      Note: When Key or ACL is selected, the Exclusion check box will appear. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key.
    • Exclude—defines which IPv6 clients will be excluded from the DNS64 service. Select one of the following radio buttons. Selecting a radio button will change the client text field or drop-down menu.

      IPv6 Address/Block or name—specify a list of IPv6 addresses or networks that will be ignored if they appear in a domain name’s AAAA records. If specified, DNS64 will be applied to any A records the domain name owns.

      ACL—select ACLs containing client IPv6 addresses that will be ignored. If selected, a drop-down menu listing pre-defined and customer ACLs in Address Manager will appear.
      Note: When Key or ACL is selected, the Exclusion check box will appear. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key.
    • Suffix—can be used to specify the bits trailing the IPv4 address bits in the mapped response. This is optional, and by default the bits are set to ::. If the prefix length is /96, the suffix doesn't need to be, or can't be, specified.
    • Recursive Only—if selected, the DNS64 synthesis will only apply to recursive queries.
    • Break DNSSEC—if selected, the DNS64 synthesis will occur even if the DNSSEC validation fails.
  6. Under Change Control, add comments, if required.
  7. Deploy the configuration to the DNS server. For more information, refer to Manual deployment.
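
The following is an added example, not part of the BlueCat documentation or product: it shows how the DNS64 Prefix and Suffix values from step 5 combine with an A record's address to form the synthesized AAAA address, which is useful for checking that the DNS64 prefix produces the addresses the NAT64 server expects. It follows the RFC 6052 address layout; the function name, the sample addresses, and the treatment of the suffix as a full IPv6 address whose leading bits must be zero (the behavior of BIND's dns64 option) are assumptions.

```python
import ipaddress

# Prefix lengths the page lists as valid for a DNS64/NAT64 prefix.
ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize_aaaa(prefix: str, ipv4: str, suffix: str = "::") -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a DNS64 prefix using the RFC 6052 layout."""
    net = ipaddress.IPv6Network(prefix)  # strict: rejects a prefix with host bits set
    if net.prefixlen not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not a valid DNS64 prefix length")
    v4 = ipaddress.IPv4Address(ipv4).packed
    sfx = ipaddress.IPv6Address(suffix).packed

    # Byte positions after the prefix, skipping byte 8 (bits 64-71),
    # which RFC 6052 reserves and requires to be zero.
    free = [i for i in range(net.prefixlen // 8, 16) if i != 8]
    v4_slots, suffix_slots = free[:4], free[4:]

    # Assumption (BIND semantics): every suffix bit that overlaps the prefix,
    # the reserved byte, or the IPv4 bits must be zero. With a /96 prefix
    # there are no suffix slots, so only "::" is accepted.
    if any(b for i, b in enumerate(sfx) if i not in suffix_slots):
        raise ValueError(f"suffix {suffix} does not fit behind a /{net.prefixlen} prefix")

    out = bytearray(net.network_address.packed)
    for i, b in zip(v4_slots, v4):
        out[i] = b
    for i in suffix_slots:
        out[i] = sfx[i]
    return ipaddress.IPv6Address(bytes(out))


if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    for pfx in ("2001:db8::/32", "2001:db8:122:344::/64", "64:ff9b::/96"):
        print(pfx, "->", synthesize_aaaa(pfx, "192.0.2.33"))
```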