We are rolling out IPv6, and I'm thinking about our DNS strategy. This is not a technical question--it's more of a "best practice" question.
We have Active Directory internally, and the domain controllers handle both the authoritative DNS for our "internal" zones (e.g., domain.local, 16.172.in-addr.arpa) as well as recursion for all the users. We have about 1200 users, so the 5 domain controllers easily handle DNS recursion, simply forwarding to Cisco Umbrella DNS for zones they're not authoritative for. We rely heavily on dynamic DNS, both for A and PTR records for internal hosts. For our public zones, we use DNS Made Easy.
Now that we're looking at IPv6, we would like to maintain the ability to use dynamic DNS internally, both for AAAA and PTR records. Since there's no need for NAT in IPv6, a given host will have the same address internally as it does externally. Is maintaining two separate databases for the ip6.arpa zone (an internal one and an external one) still what should be done? The alternative is to put a rule in my firewall that allows the public DNS servers to be a secondary for the ip6.arpa zone. I'm not talking about allowing the Internet at large to query my DCs directly--rather allow the DNS Made Easy transfer agent to keep a copy of it.
Doing this "gives away" all my internal DNS entries, but is that really so terrible?
As I'm typing this, I'm thinking that it probably would be best to just maintain two databases--one internal and one external, as I've always done in the past. What does the community think?
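The second option in the question (let the provider's transfer agent act as a secondary for the ip6.arpa zone) has a server-side half that complements the firewall rule: the zone on the domain controllers should only hand out AXFR/IXFR to that one address. The following is an added PowerShell example, not code from the original post, DNS Made Easy or Microsoft. It derives the ip6.arpa zone name for an IPv6 prefix, creates it as an AD-integrated zone that accepts only secure dynamic updates (so hosts can keep registering their own PTRs), and shows the permissive transfer setting next to the restricted one. The prefix 2001:db8:abcd::/48 and the secondary address 192.0.2.53 are placeholders; substitute the real allocation and the provider's published transfer-agent IPs.

```powershell
# Added example (not from the original post): derive the ip6.arpa reverse zone for an
# IPv6 prefix, create it AD-integrated with secure dynamic updates only, and restrict
# zone transfers to a single named secondary. Requires the DnsServer module on a DC.
# 2001:db8:abcd::/48 and 192.0.2.53 are placeholders, not values from the question.

function Get-Ip6ArpaZoneName {
    param(
        [Parameter(Mandatory)][string]$Prefix,        # e.g. '2001:db8:abcd::'
        [Parameter(Mandatory)][int]$PrefixLength      # must be a multiple of 4
    )
    # ip6.arpa delegations sit on nibble (4-bit) boundaries; a /48 is 12 nibbles.
    if (($PrefixLength % 4) -ne 0 -or $PrefixLength -lt 4 -or $PrefixLength -gt 124) {
        throw "ip6.arpa zones sit on nibble boundaries; use a prefix length that is a multiple of 4"
    }
    $addr = [System.Net.IPAddress]::Parse($Prefix)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "$Prefix is not an IPv6 address"
    }
    # 16 address bytes -> 32 hex nibbles, e.g. 20010db8abcd00000000000000000000
    $nibbles = ($addr.GetAddressBytes() | ForEach-Object { $_.ToString('x2') }) -join ''
    $zoneNibbles = $nibbles.Substring(0, [int]($PrefixLength / 4)).ToCharArray()
    # PTR owner names are written least-significant nibble first, so reverse them.
    [array]::Reverse($zoneNibbles)
    return (($zoneNibbles -join '.') + '.ip6.arpa')
}

$zone      = Get-Ip6ArpaZoneName -Prefix '2001:db8:abcd::' -PrefixLength 48
# -> d.c.b.a.8.b.d.0.1.0.0.2.ip6.arpa
$secondary = '192.0.2.53'    # placeholder: the provider's transfer-agent address

# AD-integrated (replicated to every DC in the forest) and Secure dynamic updates only,
# so domain members register their own PTR records over Kerberos-authenticated updates.
Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Forest -DynamicUpdate Secure

# Weak setting: any host that can reach TCP/53 on a DC can pull the whole zone.
# Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferAnyServer

# Restricted setting: transfers only to the listed secondary, and NOTIFY it on change
# so the public copy follows dynamic updates promptly.
Set-DnsServerPrimaryZone -Name $zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $secondary `
    -Notify NotifyServers -NotifyServers $secondary

# Check what the zone will actually hand out.
Get-DnsServerZone -Name $zone | Select-Object ZoneName, SecureSecondaries, SecondaryServers
```

Two caveats the question itself raises: the transfer restriction above is by source IP only, so it stands or falls with the firewall rule that limits who can reach the DCs on TCP/53; and whatever the secondary receives is the full zone, including every dynamically registered PTR, which is exactly the "gives away all my internal DNS entries" trade-off being asked about.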