Please allow reverse DNS for EC2 IPv6

4

Currently AWS offers setting of reverse DNS names for EC2/VPC IPv4 addresses, although the process is conflated with enabling outgoing SMTP permission for those addresses. This post/question is to allow the same for IPv6 addresses.

There are two obvious ways that AWS could do that:

  • A (simplistic): Allow setting reverse DNS names for individual IPv6 addresses using the existing form for IPv4 addresses. This is procedurally simple, but requires AWS to run some massive IPv6 rDNS zones covering the entire AWS EC2 IPv6 address space.
  • B (flexible): Provide a form where EC2/VPC customers can request delegation of reverse DNS for their assigned /56 IPv6 subnet; this delegation could be to any set of DNS servers, including but not limited to Route 53. This would only require AWS to run a delegation-only IPv6 rDNS zone for the AWS EC2 IPv6 address space, but would require a third form to unlock outgoing SMTP traffic.

8 Answers
2

That route 53 article reflects that AWS EC2 still doesn't allow rDNS for EC2 IPv6 address space, which is frankly embarrassing.

answered 2 years ago
2

It appears that reverse entries for IPv6 are now available via support requests, although they got ours wrong the first time and every message had to go through a robot-like 1st level support team that responded to everything with "we have forwarded this advanced request to a specialist team" or words to that effect.

Anyways, traffic through AWS-hosted IPv6 ranges is already a paid service, and so are the virtual servers that IPv6 addresses can be assigned to. Automating the process should significantly reduce the cost of handling this. Besides automating the entry of requests, another important thing to automate is the following rule (derived from the specifications of the PTR record type, but apparently not explicit in any RFC):

For any customer-requested PTR record, an AWS automation script should:

  1. Check that a single forward record of the corresponding type (A or AAAA) exists and matches for the customer-requested PTR value. Records for the other type (AAAA or A) should be ignored.

  2. Set the TTL of the PTR record no higher than the remaining TTL returned by the automated check for the forward record, but also no higher than the remaining time on the customer contract for the VPC containing the IP address.

  3. Automatically repeat steps 1 and 2 when about 25% of that TTL remains.

  4. If the forward entry goes away or fails, temporarily remove the PTR entry, and notify the customer by automatic email, but keep the PTR entry in the retry database for 1 week after the e-mail in case the forward entry is restored by the customer.

Example: Customer request: "2001:db8:1234:5678::2 PTR mail1.example.com"

Matching forward records in customer-controlled DNS domain (the A records are not relevant to IPv6 PTR records):

mail1.example.com. 86400 IN AAAA 2001:db8:1234:5678::2
mail1.example.com. 86400 IN A 192.0.2.2
mail1.example.com. 86400 IN A 192.0.2.12

Forward record from DNS cache at AWS HQ: mail1.example.com. 35400 IN AAAA 2001:db8:1234:5678::2

Resulting PTR record in AWS owned DNS:

3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.7.6.5.4.3.2.1.8.d.b.0.1.0.0.3.ip6.arpa. 35400 IN PTR mail1.example.com
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.7.6.5.4.3.2.1.8.d.b.0.1.0.0.3.ip6.arpa. 35400 IN LOC $LocationOfDataCenter_rounded_to_nearest_degree_thus_hiding_secret_street_address

Failure of step 1 would have caught the mistake in manually processing our request.

The structure of the above 4 steps would also keep the AWS DNS clean from stale PTR records from removed customer services.

An example of rounded LOC coordinates for the Doppler building would be "48 N 122 W 0m 90m 100000m 1000m" indicating that each building in that AWS location is about 90m wide, somewhere in the Seattle area and not on top of a mountain (server is less than 1600ft above the GPS zero altitude).

answered a year ago
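The four-step rule in the answer above, and the /56 delegation asked for as option B in the question, are both mechanical enough to script. The following is an added example written for this page; it is not code from the thread, from AWS, or from any AWS tool. It assumes a constructed forward-record table (FORWARD_CACHE) in place of a real DNS lookup, a hypothetical "contract_remaining" figure for the VPC, and a hypothetical one-week retry window; the ip6.arpa names are derived with the standard library's ipaddress module, which follows the RFC 3596 nibble format.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample forward data standing in for a DNS lookup of the customer zone.
# Entries are (record type, rdata, remaining TTL in seconds as a cache would report it).
FORWARD_CACHE = {
    "mail1.example.com": [
        ("AAAA", "2001:db8:1234:5678::2", 35400),
        ("A", "192.0.2.2", 86400),
        ("A", "192.0.2.12", 86400),
    ],
}

RETRY_WINDOW = 7 * 24 * 3600  # step 4: keep a failed request retryable for one week (assumed value)


@dataclass
class PtrDecision:
    owner: str          # ip6.arpa owner name of the PTR record
    target: str         # requested PTR rdata (hostname)
    ttl: int            # 0 when the record is withheld
    recheck_after: int  # seconds until steps 1-2 should run again
    status: str         # "published" or "withheld"


def reverse_name(address: str) -> str:
    """ip6.arpa owner name: the 32 address nibbles in reverse order (RFC 3596 section 2.5)."""
    return ipaddress.IPv6Address(address).reverse_pointer


def delegation_name(prefix: str) -> str:
    """Zone apex in ip6.arpa at which a customer prefix (e.g. a /56) would be delegated.
    Only nibble-aligned prefix lengths map onto a single ip6.arpa zone."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("delegation needs a prefix length that is a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def delegation_records(prefix: str, nameservers) -> list:
    """NS records the parent (provider-side) zone would carry for option B."""
    apex = delegation_name(prefix)
    return [f"{apex}. IN NS {ns.rstrip('.')}." for ns in nameservers]


def evaluate_ptr(address: str, requested_target: str, forward, contract_remaining: int) -> PtrDecision:
    """Apply steps 1-4 of the proposed rule to one customer PTR request."""
    owner = reverse_name(address)
    target = requested_target.rstrip(".")
    wanted = ipaddress.IPv6Address(address)
    # Step 1: exactly one AAAA for the name, and it must be this address; A records are ignored.
    aaaa = [(rdata, ttl) for rtype, rdata, ttl in forward.get(target, []) if rtype == "AAAA"]
    if len(aaaa) != 1 or ipaddress.IPv6Address(aaaa[0][0]) != wanted:
        # Step 4: withhold the PTR but keep the request for a week in case the forward entry reappears.
        return PtrDecision(owner, target, 0, RETRY_WINDOW, "withheld")
    forward_ttl = aaaa[0][1]
    # Step 2: the PTR must not outlive the forward record's remaining TTL or the VPC contract.
    ttl = min(forward_ttl, contract_remaining)
    # Step 3: schedule the next check for when about 25% of the TTL remains.
    return PtrDecision(owner, target, ttl, ttl * 3 // 4, "published")


if __name__ == "__main__":
    d = evaluate_ptr("2001:db8:1234:5678::2", "mail1.example.com", FORWARD_CACHE, 30 * 24 * 3600)
    print(f"{d.owner}. {d.ttl} IN PTR {d.target}.  ({d.status}, recheck in {d.recheck_after}s)")
    for rr in delegation_records("2001:db8:1234:5600::/56", ["ns1.example.net", "ns2.example.net"]):
        print(rr)
```

Run as a script it prints the PTR record the sample request would yield and the two NS records a /56 delegation would need; a request for an address with no single matching AAAA comes back "withheld" with the retry window instead of a TTL.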
2

Will AWS hand over ip6.arpa to our /64s delegated in our VPCs? That way we can control our own ip6.arpa and not have to wait 3-5 days for every PTR request?

answered a year ago
1

Hi !

Thanks for contacting AWS Re:post.

I understand you would like to have reverse DNS names enabled for EC2 / VPC IPv6.

I do apologize for the inconvenience of the service limitation. However, as I understand the importance of your use case, I have created a feature request on your behalf for this functionality. As you can imagine, any new feature requires the product to undergo rigorous testing and troubleshooting before it is made available, to ensure security and stability for end users. Hence, I can't provide you with an ETA for when the feature will be released; however, if it's released, it should be announced in the AWS What's New blog below:

https://aws.amazon.com/new/

AWS
SUPPORT ENGINEER
Ansh_C
answered 2 years ago
  • How's that going, 2 years later? Still no way to add PTR records for IPV6. Do we still need to message Bezos directly for ipv6 updates, as he's the only one with the ability to make the changes? Just wondering why it still needs an act of God + a week delay to make a simple change in our account. Thanks!

0

I run hosting platforms like Plesk and cPanel on AWS, and the inability to set reverse DNS for IPv6 addresses prevents them from being used for mail servers completely. It's already good practice to set a proper reverse DNS entry for mail servers, but Google especially rejects all mails from IPv6 addresses without a reverse entry. Please add my vote for a feature request too.

PSi_101
answered 2 years ago
0

I have a feeling like this has something to do with the fact that the Elastic IPv4 IPs you can get PTR records for are a paid service, whereas the IPv6 addresses just work without having to pay for them, and AWS have no real incentive to do the extra work for free. So, before realizing that this would be an issue, I have recently upgraded my mail service and everything works with IPv6, but I have to disable it, again, because otherwise I won't be getting mails, because mail servers out there will be refusing to cooperate without the DNS PTR Record (whenever they happen to prefer IPv6 which is the increasingly common case.)

Is the only way, really, to buy my own IPv6 CIDR and register it with a VPC? (and then have an appropriate reverse-mapping zone on a DNS server of my own somewhere?) ... I don't even dare start thinking about how expensive it would be to acquire a block of IPv6 addresses. Maybe it could actually be an AWS business model to act as an LIR, register small IPv6 ranges for me with RIPE. Apparently I could already bring my own range (if I were a big company and had one), so there must be ways to advertise the routing from the VPC. Maybe if that were affordable, I would roll the DNS, myself.

answered a year ago
0

Don't forget "Technical support is unavailable under the Basic Support plan", so there's no way to actually start the "reverse entries for IPv6 are now available via support requests" unless you pay through the nose.

Tom
answered 2 months ago
-2

Hi !

Further adding, this doc explains setting a PTR record (reverse DNS) for IPv6 as well: https://aws.amazon.com/premiumsupport/knowledge-center/route-53-reverse-dns/

AWS
SUPPORT ENGINEER
Ansh_C
answered 2 years ago
