Decisions about DNS on IPv6
Solution 1:
This is a best-practices question with no real right answers, but these are the questions I would ask myself to arrive at the answer that is right for me.
Doing this "gives away" all my internal DNS entries, but is that really so terrible?
If your boss doesn't think it's terrible, and you don't think it's terrible, then you have your answer. IPv6 takes much longer to crawl than IPv4, but it can still be crawled. If you don't care whether a DNS lookup for 2001:db8::1 yields YourFinancialServer.Example.com and no one in your management chain seems to care either, you can manage all of your IPv6 reverse DNS with your edge-facing DNS authority and call it a day.
Is maintaining two separate databases for the ip6.arpa zone (an internal one and an external one) still what should be done?
This is decided by the previous question. If it is what should be done, the next step is determining the logical separation of your privately routed networks.
- In an ideal world, your network team has cleanly carved out segments of IPv6 space that are not internet-routable, which you can use to drive the design behind how you split up the reverse DNS between your authoritative servers. You can set up forwarders on your internally-facing recursive servers to steer the reverse requests for privately routed IPv6 space to your internal authority, and let recursion send the rest of the requests to your internet-facing authority as normal.
- In a less-than-ideal world, your IPv6 space is in a state of design flux with no clear rules of division between public and private. In the worst case your addresses are piecemealed between public and private by a firewall without being divided into cleanly purposed networks. This makes the forwarding rules for your recursive servers difficult (nearly impossible) to manage, and you might have to manage two completely different versions of the same authoritative zones between public and private. This will get inconsistent very quickly without clean automation to remove records as your devices are retired.
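A worked example of the forwarding split described in the answer above, added here as illustration and not part of the original answer. It computes the ip6.arpa zone names for a set of privately routed prefixes (including the awkward case where a prefix does not land on a nibble boundary and has to be expanded into several zones), emits BIND 9 forward-zone stanzas for the internally-facing recursive servers, and classifies an incoming PTR query name as "internal" or "external". The prefixes fd12:3456:789a::/48 and 2001:db8:8::/45, the internal authority addresses fd12:3456:789a:53::1 and ::2, and the BIND 9 choice are all assumptions for the sake of the example.

```python
"""Split IPv6 reverse DNS between an internal and an internet-facing authority.

Added example, not code from the original answer. Assumptions:
  * the internally-facing recursive servers run BIND 9
  * the prefixes and authority addresses below are hypothetical placeholders
"""
import ipaddress
from typing import Iterable, List

# Constructed sample data (hypothetical): privately routed IPv6 space and the
# internal authoritative servers that hold its ip6.arpa zones.
PRIVATE_PREFIXES = ["fd12:3456:789a::/48", "2001:db8:8::/45"]
INTERNAL_AUTHORITY = ["fd12:3456:789a:53::1", "fd12:3456:789a:53::2"]


def reverse_zones(prefix: str) -> List[str]:
    """Return the ip6.arpa zone name(s) that cover an IPv6 prefix.

    ip6.arpa is cut on nibble (4-bit) boundaries, so a prefix whose length is
    not a multiple of 4 cannot be one zone; it is expanded into the
    nibble-aligned sub-prefixes it contains (a /45 becomes eight /48 zones).
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    aligned = -(-net.prefixlen // 4) * 4  # round up to a nibble boundary
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        nibbles = sub.network_address.exploded.replace(":", "")[: aligned // 4]
        zones.append(".".join(reversed(nibbles)) + ".ip6.arpa")
    return zones


def ptr_name(address: str) -> str:
    """Owner name of the PTR record for one address (32 nibble labels)."""
    return ipaddress.IPv6Address(address).reverse_pointer


def ptr_to_address(qname: str) -> ipaddress.IPv6Address:
    """Recover the address from a full ip6.arpa PTR query name."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:
        raise ValueError(f"not a full ip6.arpa PTR name: {qname}")
    nibble_labels = labels[:-2]
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibble_labels):
        raise ValueError(f"non-hex label in PTR name: {qname}")
    nibbles = "".join(reversed(nibble_labels))
    return ipaddress.IPv6Address(":".join(nibbles[i : i + 4] for i in range(0, 32, 4)))


def route_ptr_query(qname: str, private_prefixes: Iterable[str]) -> str:
    """Decide where a recursive server should send a reverse query.

    'internal' when the address lies in privately routed space (forward to the
    internal authority), otherwise 'external' (normal recursion toward the
    internet-facing authority).
    """
    addr = ptr_to_address(qname)
    nets = [ipaddress.IPv6Network(p) for p in private_prefixes]
    return "internal" if any(addr in n for n in nets) else "external"


def bind_forward_zones(private_prefixes: Iterable[str], forwarders: Iterable[str]) -> str:
    """Emit BIND 9 forward-zone stanzas for the internally-facing recursive servers.

    'forward only' is deliberate: with 'forward first' BIND falls back to normal
    recursion when the forwarders fail, which would send reverse queries for
    private space out to the internet-facing authority.
    """
    fwd = " ".join(f"{f};" for f in forwarders)
    stanzas = []
    for prefix in private_prefixes:
        for zone in reverse_zones(prefix):
            stanzas.append(
                f'zone "{zone}" {{\n'
                f"    type forward;\n"
                f"    forward only;\n"
                f"    forwarders {{ {fwd} }};\n"
                f"}};"
            )
    return "\n".join(stanzas)


if __name__ == "__main__":
    print(bind_forward_zones(PRIVATE_PREFIXES, INTERNAL_AUTHORITY))
    for q in (ptr_name("fd12:3456:789a::1"), ptr_name("2001:db8::1")):
        print(q, "->", route_ptr_query(q, PRIVATE_PREFIXES))
```

The /45 prefix is the case worth noticing: one privately routed block turns into eight forward zones, and every time the network team re-cuts that space the stanza list has to be regenerated, which is exactly why the answer warns that non-aligned, piecemeal carve-outs are hard to keep consistent without automation.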