[192456] in North American Network Operators' Group
Re: IPv6 automatic reverse DNS
daemon@ATHENA.MIT.EDU (Steve Atkins)
Fri Oct 28 19:28:49 2016
X-Original-To: nanog@nanog.org
From: Steve Atkins <steve@blighty.com>
Date: Fri, 28 Oct 2016 16:28:44 -0700
To: NANOG list <nanog@nanog.org>
In-Reply-To: <83b75e68-92dc-0fd4-3036-18d751f45715@gmail.com>
Errors-To: nanog-bounces@nanog.org
> On Oct 28, 2016, at 4:02 PM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
>
> Hello
>
> Many service providers have IPv4 reverse DNS for all their IP addresses. If nothing is more relevant, this will often just be the IPv4 address hashed somehow and tagged to the ISP domain name. For some arcane reason it is important to have the forward DNS match the reverse DNS or some mail servers might reject your mails.
>
> However with IPv6 it is not practical to build such a complete reverse DNS zone. You could do a star entry but that would fail the reverse/forward match test.
>
> It should be simple to build a DNS server that will automatically generate a hostname value for every reverse lookup received, and also be able to parse that hostname value to return the correct IPv6 address on forward lookups.
>
> Does any DNS server have that feature?
It's easy enough to implement with plugins on some servers.
> Should we have it?
Meh.
> Why not?
Because having an automatically generated reverse DNS is a sign that the IP address is not really intended to be offering public services, rather it's a malware-infested end user machine.
>
> I know of some arguments for:
>
> 1a) mail servers like it
... because it's a sign that the mail is coming from a real mailserver configured by a competent admin, rather than being a random compromised machine. That's not the case if you're just synthesizing reverse DNS for arbitrary IP addresses on your network.
>
> 1b) anti spam filters believe in the magic of checking forward/reverse match.
For the same reason as above. Spam filters are also often smart enough to recognize, and treat as dubious, synthesized reverse DNS.
If you have synthesized reverse DNS on your smarthost you're likely to have a bad time, perhaps initially, perhaps the first time someone notices bad mail coming from it and doesn't recognize it as a legitimate smarthost.
>
> 2) traceroute will be nicer
Most of those hosts a traceroute goes through should hopefully have stable IP addresses and meaningful, not synthesized, reverse DNS, I'd think. Consumer endpoints are the only ones where you might expect that not to be the case and synthesized reverse DNS might be an improvement there.
>
> 3) http://ipv6-test.com/ will give me 20/20 instead of 19/20 (yes that was what got me going on this post)
>
> 4) Output from "who" command on Unix will look nicer (maybe).
>
> Regards,
>
> Baldur
Cheers,
Steve
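The scheme Baldur describes (generate a hostname for every ip6.arpa PTR query, and parse that hostname back into the address for the AAAA query) and Steve's point that filters can recognise such names, as an added worked example that is not code from this thread or from any DNS server. It assumes a placeholder zone `ip6.example.net` and a simple 32-nibble hex encoding of the address; real ISPs may hash or encode differently.

```python
import ipaddress
import re
from typing import Optional

# Assumed ISP zone under which synthesized hostnames live (placeholder, not from the thread).
ZONE = "ip6.example.net"


def ptr_name(addr: str) -> str:
    """Nibble-format ip6.arpa name a resolver would query for a PTR record."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def address_from_ptr(name: str) -> str:
    """Recover the IPv6 address encoded in a full 32-nibble ip6.arpa name (what the reverse side parses)."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:
        raise ValueError("not a full ip6.arpa name")
    nibbles = "".join(reversed(labels[:-2]))  # ip6.arpa lists nibbles least-significant first
    return str(ipaddress.IPv6Address(int(nibbles, 16)))


def synth_hostname(addr: str) -> str:
    """PTR target the server would synthesize: all 32 hex nibbles of the address, then the zone."""
    hexstr = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return f"{hexstr}.{ZONE}"


_SYNTH_RE = re.compile(r"^([0-9a-f]{32})\." + re.escape(ZONE) + r"\.?$")


def address_from_hostname(name: str) -> Optional[str]:
    """Parse a synthesized hostname back into the address (what the forward side returns as AAAA)."""
    m = _SYNTH_RE.match(name.lower())
    return str(ipaddress.IPv6Address(int(m.group(1), 16))) if m else None


def forward_reverse_match(addr: str, hostname: str) -> bool:
    """The forward-confirmed rDNS check a mail server applies: PTR -> hostname -> AAAA must yield addr."""
    return address_from_hostname(hostname) == str(ipaddress.IPv6Address(addr))


def looks_synthesized(hostname: str) -> bool:
    """Filter-side heuristic: a name that merely re-encodes its own address is generic, not admin-assigned."""
    return address_from_hostname(hostname) is not None
```

The forward/reverse check passes for every address in the zone, which is exactly why Steve argues it carries no signal when the names are synthesized; `looks_synthesized` is the kind of recognition a spam filter applies on top of it.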