nanog mailing list archives

RE: IPv6 automatic reverse DNS


From: "White, Andrew" <Andrew.White2 () charter com>
Date: Sat, 29 Oct 2016 03:03:54 +0000

There are two competing drafts for synthetic rule-based PTR responses for IPv6 rDNS:

Howard Lee, Time Warner Cable (now Charter)
https://tools.ietf.org/html/draft-howard-isp-ip6rdns-08

J. Woodworth, CenturyLink
https://datatracker.ietf.org/doc/draft-woodworth-bulk-rr/

Nominum and Xerocole/Akamai also have proprietary solutions to this in their Vantio AuthServ and AuthX products, 
respectively.

It seems to me that it is still an open question whether the recommendations in RFC-1912 that any IP address that 
accesses the Internet should have a PTR and matching forward record. My personal thoughts are that the best solution 
would be an OPTIONAL standards-based method of generating DNS responses based on a ruleset if a specific zone record is 
not present, and that implementation of that requirement should be left to the developers of the auth nameserver 
software.

Andrew

Caveat: These thoughts are mine personally and do not represent any official position of Charter Communications.


Andrew White
Charter Network Operations - DAS DNS
Desk: 314-394-9594 | Cell: 314-452-4386
andrew.white2 () charter com


-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Steve Atkins
Sent: Friday, October 28, 2016 6:29 PM
To: NANOG list
Subject: Re: IPv6 automatic reverse DNS


On Oct 28, 2016, at 4:02 PM, Baldur Norddahl <baldur.norddahl () gmail com> wrote:

> Hello
> 
> Many service providers have IPv4 reverse DNS for all their IP addresses. If nothing is more relevant, this will often 
> just be the IPv4 address hashed somehow and tagged to the ISP domain name. For some arcane reason it is important to 
> have the forward DNS match the reverse DNS or some mail servers might reject your mail.
> 
> However, with IPv6 it is not practical to build such a complete reverse DNS zone. You could do a star entry but that 
> would fail the reverse/forward match test.
> 
> It should be simple to build a DNS server that will automatically generate a hostname value for every reverse lookup 
> received, and also be able to parse that hostname value to return the correct IPv6 address on forward lookups.
> 
> Does any DNS server have that feature?

It's easy enough to implement with plugins on some servers.

> Should we have it?

Meh.

> Why not?

Because having an automatically generated reverse DNS is a sign that the IP address is not really intended to be 
offering public services, rather it's a malware-infested end user machine.


> I know of some arguments for:
> 
> 1a) mail servers like it

... because it's a sign that the mail is coming from a real mailserver configured by a competent admin, rather than 
being a random compromised machine. That's not the case if you're just synthesizing reverse DNS for arbitrary IP 
addresses on your network.


> 1b) anti-spam filters believe in the magic of checking forward/reverse match.

For the same reason as above. Spam filters are also often smart enough to recognize, and treat as dubious, synthesized 
reverse DNS.

If you have synthesized reverse DNS on your smarthost you're likely to have a bad time, perhaps initially, perhaps the 
first time someone notices bad mail coming from it and doesn't recognize it as a legitimate smarthost.


> 2) traceroute will be nicer

Most of those hosts a traceroute goes through should hopefully have stable IP addresses and meaningful, not 
synthesized, reverse DNS, I'd think. Consumer endpoints are the only ones where you might expect that not to be the 
case and synthesized reverse DNS might be an improvement there.


> 3) http://ipv6-test.com/ will give me 20/20 instead of 19/20 (yes that was what got me going on this post)
> 
> 4) Output from "who" command on Unix will look nicer (maybe).
> 
> Regards,
> 
> Baldur

Cheers,
  Steve
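The rule-based PTR synthesis behind the drafts Andrew lists, and the generate-then-parse server Baldur sketches above, both come down to one reversible encoding between an ip6.arpa query name and a hostname, plus a rule that explicit zone data wins over the rule. The following is an added example of that encoding in Python; it is not code from the thread, from either draft, or from any vendor product named above. The synthesis zone dyn.example.net, the "explicit record first, synthesize otherwise" precedence, and the choice to encode the address as all 32 uncompressed hex nibbles are assumptions of this example, not something the thread specifies.

```python
import ipaddress
from typing import Dict, Optional

# Added example, not code from the thread or from the drafts it cites.
# Assumptions: synthesized names live under the placeholder zone dyn.example.net,
# and the address is encoded as its 32 uncompressed hex nibbles, which is always
# a valid hostname label (no leading or trailing hyphen problems).
REVERSE_SUFFIX = "ip6.arpa."
FORWARD_ZONE = "dyn.example.net."
HEX = set("0123456789abcdef")


def _normalize(name: str) -> str:
    """Lower-case the name and make it absolute (exactly one trailing dot)."""
    return name.strip().lower().rstrip(".") + "."


def ptr_name_to_address(qname: str) -> Optional[str]:
    """Decode a nibble-reversed ip6.arpa owner name into a compressed IPv6 address.

    Returns None unless there are exactly 32 single-hex-digit labels under
    ip6.arpa, so truncated, in-addr.arpa or otherwise malformed queries never
    get a synthesized answer.
    """
    name = _normalize(qname)
    if not name.endswith("." + REVERSE_SUFFIX):
        return None
    labels = name[: -len(REVERSE_SUFFIX) - 1].split(".")
    if len(labels) != 32 or any(len(l) != 1 or l not in HEX for l in labels):
        return None
    # ip6.arpa lists the nibbles least-significant first; undo that.
    nibbles = "".join(reversed(labels))
    return str(ipaddress.IPv6Address(int(nibbles, 16)))


def address_to_ptr_name(address: str) -> str:
    """Build the ip6.arpa owner name for an address (inverse of ptr_name_to_address)."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + REVERSE_SUFFIX


def synthesize_hostname(address: str) -> str:
    """Rule-based hostname: the 32 nibbles as one label, under the synthesis zone."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return nibbles + "." + FORWARD_ZONE


def hostname_to_address(hostname: str) -> Optional[str]:
    """Invert synthesize_hostname; None if the name is not a synthesized one."""
    name = _normalize(hostname)
    if not name.endswith("." + FORWARD_ZONE):
        return None
    label = name[: -len(FORWARD_ZONE) - 1]
    if len(label) != 32 or "." in label or any(c not in HEX for c in label):
        return None
    return str(ipaddress.IPv6Address(int(label, 16)))


def answer_ptr(qname: str, static_ptrs: Dict[str, str]) -> Optional[str]:
    """PTR lookup: explicit zone data first, rule-based synthesis only as a fallback."""
    name = _normalize(qname)
    if name in static_ptrs:
        return static_ptrs[name]
    address = ptr_name_to_address(name)
    return synthesize_hostname(address) if address else None


def answer_aaaa(qname: str, static_aaaa: Dict[str, str]) -> Optional[str]:
    """AAAA lookup: explicit zone data first, decoding of synthesized names otherwise."""
    name = _normalize(qname)
    if name in static_aaaa:
        return static_aaaa[name]
    return hostname_to_address(name)


def forward_confirmed(address: str, static_ptrs: Dict[str, str],
                      static_aaaa: Dict[str, str]) -> bool:
    """The reverse/forward match test a mail receiver applies: PTR, then AAAA back."""
    host = answer_ptr(address_to_ptr_name(address), static_ptrs)
    if host is None:
        return False
    back = answer_aaaa(host, static_aaaa)
    return back is not None and ipaddress.IPv6Address(back) == ipaddress.IPv6Address(address)


# Constructed sample zone data: one explicitly named host, everything else synthesized.
STATIC_PTRS = {address_to_ptr_name("2001:db8::53"): "ns1.example.net."}
STATIC_AAAA = {"ns1.example.net.": "2001:db8::53"}

if __name__ == "__main__":
    for addr in ("2001:db8::53", "2001:db8:1234:5678::1"):
        q = address_to_ptr_name(addr)
        print(q, "->", answer_ptr(q, STATIC_PTRS),
              "| forward-confirmed:", forward_confirmed(addr, STATIC_PTRS, STATIC_AAAA))
```

Two design points carry the security weight. Explicit records are consulted before the rule, so a host that an operator has deliberately named (the nameserver in the sample data, or a smarthost) keeps that name and is never reported as a synthesized one; this is exactly the distinction Steve relies on when he says receivers treat synthesized reverse DNS as a signal. And the decoder refuses anything that is not exactly 32 hex nibbles, so the server cannot be talked into synthesizing an answer for a malformed or partial query name.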


