Automated Delegation of IP6.ARPA reverse zones with Prefix Delegation

CPE generates a RSA key pair and stores this in non-volatile memory. CPE generates DHCPv6 Prefix Delegation request which includes a KEY-RDATA option (code point TBA) which contains a the rdata of a DNS KEY record containing a RSASHA256 key using the public components of the previously generated RSA key pair. DHCP server updates DNS server based on the prefix it is delegating and the KEY-RDATA using TSIG for authentication and responds with prefix. If this is a new prefix delegation it will clear out all the old DNS records as part of the delegation processs. If there are multiple prefixes being delegated the ISP's DNS server will be updated for all of them. The CPE device configures the nameserver built in to it to server the reverse of the delegated prefixes. Alternatively it may configure other nameservers to server these zones however the method to do that is out of scope for this document. CPE device generates DNS UPDATE which delegates the reverse name space to itself and others if they have been configured. The CPE uses SIG(0) to sign the request with owner name matching the reverse of the delegated prefix. The ISP's DNS server is configured to accept self signed requests (the owner name used in the SIG(0) signature matches the owner name of the data to be updated). It examines the request. Looks at the KEY record added by the DHCPv6 server and decides the request is valid.

The UPDATE requests are all signed. This is a proven method for securing UPDATE requests in the DNS. As a RSA key is being used there is no issue with the key material being in the clear. Only the CPE device and the ISP itself is capable of creating, updating or destroying the delegation.