中文网站
  Advanced Search
Read the latest Blogs from IT professionals in the field. Read and write community created documents. Need IT help? Ask our staff. Connect with your peers. Check our Tech Shop for posters, books and software tools. Home
HomeNetworking TechnologiesNetworking TCP/IPAn IPv6 Deployment Guide Chapter 5: Integration and Transition

5.6.2.5 The totd DNS-Proxy (NetBSD/FreeBSD/Solaris/OS X/Linux)(2)

where totuser must be a specially created user account with few privileges just to be used by totd.
Such an account can be created on many Unix-like systems with:

# useradd -c “totd User” -s /bin/false totuser

Note: It is prudent to additionally change the password of totuser if the Linux server which will be running totd does not disable accounts that did not get an initial password. This can be achieved by using the following command

# passwd totuser

For additional security, totd can be run in a so-called chroot() cage such that even when compromised can not access filesystem outside the given directory. Start totd then using the -t option, like:

# totd -u totuser -g totuser -t /home/totuser

Once totd is started, you can test it by issuing a DNS query for an IPv4-only machine:

For more complicated setups where multiple prefixes are used or prefixes need to be added and removed dynamically without manual intervention in order to support failover between separate transition mechanisms, totd can be compiled to include a small webserver. Then totd allows reconfiguration using http requests.

This functionality is provided by SWILL which is shipped with totd in its original form. Note that the SWILL library is covered by the GNU LESSER GENERAL PUBLIC LICENSE.

For this, compile totd as follows:

# ./configure --prefix=/usr/local --enable-http-server
# make depend && make && make install

Even when compiled in, totd by default does not accept http requests for security reasons. You need to
specify a port on the command line on which totd should listen for http requests. For example:

# totd -http-port 6464

In addition, you need to tell totd via its config file what addresses it should accept http requests from
(the default is none) by adding a line like:

allow ::1

There is no other support for protecting this mechanism from abuse by third parties; no http authentication or https support is provided. We believe that where secure remote reconfiguration access is needed, the system administrator will choose to tunnel the http requests through some secure channel (e.g. a ssh tunnel or an IPSEC protected link).

Requesting index.html gives a HTML page with the current state and statistics of totd. You can also use it to dynamically update the prefixes used by totd. Prefixes are added and removed by requesting add_prefix.html and del_prefix.html combined with the variable ‘prefix’ set to the prefix in question. Example URL for adding a prefix:

http://localhost:6464/add_prefix?prefix=fec0:0:0:ffff::

You can use a tool like curl (http://curl.haxx.se) to automatically from some script, from a remote (management) machine, add and delete prefixes to a running totd this way.
‹ 5.6.2.5 The totd DNS-Proxy (NetBSD/FreeBSD/Solaris/OS X/Linux)(1)up5.6.3 TRT ›