< GnuPG key replacement | Russ Allbery > Eagle's Path > September 2010 | rra-c-util 2.7 > |
I've now enabled IPv6 for both eyrie.org systems and have published corresponding DNS records (although DNS as always may take some time to update).
Panix mentioned a while back that they now supported IPv6 (with, as usual, a great admin console interface that made it trivial to turn it on and set up proper reverse DNS), but I knew there were going to be some issues with setting it up so I put it off. Amusingly, it was Debian that finally pushed me into configuring it: I kept getting the AAAA record for security.debian.org first and waiting for the connection to time out before connecting to the IPv4 address, and I got tired of waiting.
For the most part, I just had to turn it on and everything simply worked. There were only a couple bits of weirdness:
The way that iptables handles IPv6 (or, rather, doesn't) is extremely annoying. I assumed I could just add IPv6 addresses to my regular iptables rules and be done, but no. There's a completely separate iptables table for IPv6 that's managed with a different set of tools. So I had to duplicate most of my rules and separate the address rules into two separate rule sets, plus tweak the code to load the rules. This is lame.
tinydns of course can't handle AAAA records, since tinydns is part DNS server and part exercise in Dan Bernstein's opinions about how DNS should be constructed. Also, and probably more relevantly to this, it's not being updated these days. There's an escape where you can add raw records and a calculator on-line, so it's all set up anyway, but it's kind of a pain. At some point I'm going to care about DNSSEC, and then I'll need to find another DNS server.
I still think BIND is a bloated pig, which is why I'm running tinydns. I want a minuscule DNS server that is trivial to set up and just serves out exactly the records that I tell it to, which tinydns is great at. If anyone knows anything else out there like that which they'd recommend, drop me a message.
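The raw-record escape mentioned above, as an added example that is not part of the original post: a tinydns-data generic line (`:fqdn:n:rdata:ttl`) with type 28 and the 16 address bytes written as octal escapes, which is the conversion an on-line calculator performs, plus a decoder for auditing an existing data file. The host name and address are constructed sample values, and the name check is an assumption about what a site would want to allow.

```python
import ipaddress
import re

AAAA_TYPE = 28  # DNS RR type number for AAAA
# Conservative label check (an assumption of this example): rejects ':' and
# newlines, which would shift or inject fields in the tinydns data file.
_NAME = re.compile(r"[A-Za-z0-9_-]{1,63}(\.[A-Za-z0-9_-]{1,63})*")


def tinydns_aaaa(fqdn, address, ttl=86400):
    """Return a tinydns-data generic (':') line carrying an AAAA record."""
    if len(fqdn) > 253 or not _NAME.fullmatch(fqdn):
        raise ValueError(f"unsafe or malformed name: {fqdn!r}")
    addr = ipaddress.IPv6Address(address)  # raises on IPv4 or garbage
    if getattr(addr, "scope_id", None):
        raise ValueError("scoped link-local addresses cannot be published")
    # Escape every byte as \ooo so no byte can collide with the ':' separator.
    rdata = "".join(f"\\{b:03o}" for b in addr.packed)
    return f":{fqdn}:{AAAA_TYPE}:{rdata}:{int(ttl)}"


def decode_generic_aaaa(line):
    """Parse a generic type 28 line back into (fqdn, IPv6Address, ttl)."""
    if not line.startswith(":"):
        raise ValueError("not a generic record")
    fields = line[1:].rstrip("\n").split(":")
    if len(fields) < 3 or fields[1] != str(AAAA_TYPE):
        raise ValueError("not a type 28 record")
    raw, out, i = fields[2], bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\":  # \ooo octal escape
            out.append(int(raw[i + 1:i + 4], 8))
            i += 4
        else:  # literal byte, also legal in rdata
            out.append(ord(raw[i]))
            i += 1
    if len(out) != 16:
        raise ValueError(f"AAAA rdata must be 16 bytes, got {len(out)}")
    ttl = int(fields[3]) if len(fields) > 3 and fields[3] else None
    return fields[0], ipaddress.IPv6Address(bytes(out)), ttl


if __name__ == "__main__":
    # Constructed sample: documentation prefix 2001:db8::/32.
    line = tinydns_aaaa("www.example.org", "2001:db8::1", 3600)
    print(line)
    print(decode_generic_aaaa(line))
```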
Posted: 2010-09-18 18:35