[192474] in North American Network Operators' Group


RE: IPv6 automatic reverse DNS

daemon@ATHENA.MIT.EDU (White, Andrew)
Fri Oct 28 23:03:57 2016

X-Original-To: nanog@nanog.org
From: "White, Andrew" <Andrew.White2@charter.com>
To: Steve Atkins <steve@blighty.com>, NANOG list <nanog@nanog.org>
Date: Sat, 29 Oct 2016 03:03:54 +0000
In-Reply-To: <7987F35C-1D05-49C1-BB38-1CAD7788D180@blighty.com>
Errors-To: nanog-bounces@nanog.org

There are two competing drafts for synthetic rule-based PTR responses for IPv6 rDNS:

Howard Lee, Time Warner Cable (now Charter)
https://tools.ietf.org/html/draft-howard-isp-ip6rdns-08

J. Woodworth, CenturyLink
https://datatracker.ietf.org/doc/draft-woodworth-bulk-rr/

Nominum and Xerocole/Akamai also have proprietary solutions to this in their Vantio AuthServ and AuthX products, respectively.

It seems to me that it is still an open question whether the recommendations in RFC-1912 that any IP address that accesses the Internet should have a PTR and matching forward record. My personal thoughts are that the best solution would be an OPTIONAL standards-based method of generating DNS responses based on a ruleset if a specific zone record is not present, and that implementation of that requirement should be left to the developers of the auth nameserver software.

Andrew

Caveat: These thoughts are mine personally and do not represent any official position of Charter Communications.


Charter Network Operations - DAS DNS
Desk: 314-394-9594 | Cell: 314-452-4386
andrew.white2@charter.com


-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Steve Atkins
Sent: Friday, October 28, 2016 6:29 PM
To: NANOG list
Subject: Re: IPv6 automatic reverse DNS


> On Oct 28, 2016, at 4:02 PM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
>
> Hello
>
> Many service providers have IPv4 reverse DNS for all their IP addresses. If nothing is more relevant, this will often just be the IPv4 address hashed somehow and tagged to the ISP domain name. For some arcane reason it is important to have the forward DNS match the reverse DNS or some mail servers might reject your mails.
>
> However with IPv6 it is not practical to build such a complete reverse DNS zone. You could do a star entry but that would fail the reverse/forward match test.
>
> It should be simple to build a DNS server that will automatically generate a hostname value for every reverse lookup received, and also be able to parse that hostname value to return the correct IPv6 address on forward lookups.
>
> Does any DNS server have that feature?

It's easy enough to implement with plugins on some servers.

> Should we have it?

Meh.

> Why not?

Because having an automatically generated reverse DNS is a sign that the IP address is not really intended to be offering public services, rather it's a malware-infested end user machine.

>
> I know of some arguments for:
>
> 1a) mail servers like it

... because it's a sign that the mail is coming from a real mailserver configured by a competent admin, rather than being a random compromised machine. That's not the case if you're just synthesizing reverse DNS for arbitrary IP addresses on your network.

>
> 1b) anti spam filters believe in the magic of checking forward/reverse match.

For the same reason as above. Spam filters are also often smart enough to recognize, and treat as dubious, synthesized reverse DNS.

If you have synthesized reverse DNS on your smarthost you're likely to have a bad time, perhaps initially, perhaps the first time someone notices bad mail coming from it and doesn't recognize it as a legitimate smarthost.

>
> 2) traceroute will be nicer

Most of those hosts a traceroute goes through should hopefully have stable IP addresses and meaningful, not synthesized, reverse DNS, I'd think. Consumer endpoints are the only ones where you might expect that not to be the case and synthesized reverse DNS might be an improvement there.

>
> 3) http://ipv6-test.com/ will give me 20/20 instead of 19/20 (yes that was what got me going on this post)
>
> 4) Output from "who" command on Unix will look nicer (maybe).
>
> Regards,
>
> Baldur

Cheers,
  Steve
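As an added illustration of the scheme Baldur describes (synthesize a hostname for every ip6.arpa query and parse it back on the forward lookup) combined with Andrew's rule that synthesis applies only when no specific zone record exists, here is example code written for this archive page; it is not code from any of the posters, the drafts, or the products named above. The ISP domain and the explicit PTR/AAAA pair are constructed assumptions. Note, as Steve points out, that the fixed 32-hex-digit shape that makes the name parseable is exactly what lets a mail filter recognize it as synthesized.

```python
import ipaddress
import re

# Assumption: the ISP's domain for synthesized names (hypothetical).
SYNTH_DOMAIN = "v6.example-isp.net"

# Constructed zone data: an explicit PTR/AAAA pair that must always win
# over synthesis ("only if a specific zone record is not present").
EXPLICIT_PTR = {"2001:db8::25": "smtp.example-isp.net."}
EXPLICIT_AAAA = {"smtp.example-isp.net.": "2001:db8::25"}

def ip6_arpa_to_address(qname: str) -> ipaddress.IPv6Address:
    """Decode a full 32-nibble ip6.arpa owner name into an IPv6 address."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        raise ValueError(f"not a full ip6.arpa name: {qname}")
    nibbles = labels[:-2]
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        raise ValueError(f"bad nibble label in {qname}")
    # ip6.arpa lists nibbles least-significant first, so reverse them.
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))

def address_to_ip6_arpa(addr: str) -> str:
    """Inverse of the above: build the ip6.arpa owner name for an address."""
    hexdigits = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(hexdigits)) + ".ip6.arpa."

def synth_hostname(addr: ipaddress.IPv6Address) -> str:
    """Encode the whole address as 32 hex digits under SYNTH_DOMAIN."""
    return f"{addr.exploded.replace(':', '')}.{SYNTH_DOMAIN}."

def answer_ptr(qname: str) -> str:
    """PTR handler: the explicit record if one exists, else a synthesized name."""
    addr = ip6_arpa_to_address(qname)
    return EXPLICIT_PTR.get(str(addr)) or synth_hostname(addr)

_SYNTH_RE = re.compile(rf"^([0-9a-f]{{32}})\.{re.escape(SYNTH_DOMAIN)}\.$")

def answer_aaaa(name: str):
    """AAAA handler: explicit record, else parse a synthesized name back."""
    name = name.lower()
    if name in EXPLICIT_AAAA:
        return EXPLICIT_AAAA[name]
    m = _SYNTH_RE.match(name)
    # Only names in the exact synthesized shape get an answer; anything else
    # is NXDOMAIN (None here) rather than a guessed address.
    return str(ipaddress.IPv6Address(int(m.group(1), 16))) if m else None
```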


