On Sat, 1 Nov 2014, John Levine wrote:

>> I entirely agree ... the fact that reverse DNS works as a heuristic (and
>> not an especially key heuristic) for IPv4 is not a reason for the
>> considerable effort required to try and make it work as an equally
>> flawed heuristic on IPv6.

> There is a heuristic that says any host which is intended to act as a
> server visible to hosts on the public Internet should have matching
> forward and reverse DNS.  (It does not say the converse; the presence
> of DNS doesn't mean a host is good, the absence means it's bad.)  This
> seems to me to be perfectly relevant in IPv6.

Which, at the current deployment levels, is only valid for IPv4, not
IPv6. Yet the anti-spammers have adopted it for IPv6.

> A rather significant difference between v4 and v6 is that you can
> create static generic rDNS for even a fairly large v4 allocation using
> something like $GENERATE, and it's well within the abilities of normal
> name servers to handle it.  For v6, you need a stunt server or other
> kludge, with the kludges getting pretty intense if you want DNSSEC to
> work.  So let's not bother.  Yes, we have ways for hosts to install
> DNS entries for the addresses they're using, but they're not widely
> adopted, and I have bad feelings about their security characteristics.

Are you saying now that the IPv6 reverse checks should be dropped? I'm
confused.

>> Besides the cost of creating the data and fetching it, there's the cost
>> of caching it when people change the IP for every email sending attempt.

> Although I think I was one of the first people to propose that, I still
> think that anyone who sends mail that way deserves what they get.

Anti-spam measures should make it harder for spammers to send email, not
for legitimate users. While there are trade-offs the current deployment
of IPv6 is such that people are currently very limited in options to
obtain native v6, and it often comes without reverse.

If we want secure decentralised email, we should work on making it
easier for people to run their own mailservers, not harder. Currently,
the anti-spammers are causing an "I gave up and use gmail" wave of users.

Really. There is one ISP in Canada offering native v6, and it does not
come with delegations for reverse. I'm pretty sure Canada is not an
isolated case. Blocking all IPv6 without reverse on SMTP is simply an
out of proportion measure causing more harm than good.

Doubly ironic since my email goes out with DKIM and is DNSSEC signed, you
really don't need the reverse to check the validity of my email. Yes it
will increase the load on your email server when you cannot blanket-block
most of IPv6 outside the core. But is it really that prohibitive that
you cannot afford to chain your anti-spam measures appropriately and
put DKIM before reverse DNS checks that are known to come with a high
false positive rate?

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
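An added example, not part of the thread, of the matching forward/reverse DNS heuristic the quoted text describes, run over both address families, plus a helper that makes the $GENERATE scaling argument concrete. A constructed lookup table stands in for a real resolver; all names and addresses are invented.

```python
import ipaddress

def reverse_name(addr: str) -> str:
    """Owner name of the PTR record for addr (in-addr.arpa or ip6.arpa)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."

# Constructed stand-in for DNS. Only one host in the v6 block has a PTR.
PTR = {
    reverse_name("192.0.2.10"): "mail.example.net.",
    reverse_name("192.0.2.11"): "generic-192-0-2-11.isp.example.",
    reverse_name("2001:db8::10"): "mail.example.net.",
}
FORWARD = {
    "mail.example.net.": {"192.0.2.10", "2001:db8::10"},
    "generic-192-0-2-11.isp.example.": {"192.0.2.99"},  # stale forward record
}

def fcrdns(addr: str) -> str:
    """Forward-confirmed reverse DNS verdict for a sending address.

    'no-ptr'   : no PTR at all; the heuristic treats this as bad
    'mismatch' : PTR exists but its forward records do not include addr
    'match'    : forward lookup of the PTR name contains addr; this is the
                 necessary condition only, it says nothing about the sender
    """
    ip = ipaddress.ip_address(addr)
    name = PTR.get(reverse_name(addr))
    if name is None:
        return "no-ptr"
    forward = {ipaddress.ip_address(a) for a in FORWARD.get(name, ())}
    return "match" if ip in forward else "mismatch"

def ptr_records_needed(prefix: str) -> int:
    """Number of PTR records a static ($GENERATE-style) reverse zone would
    need to cover every address in the prefix."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses

if __name__ == "__main__":
    for a in ("192.0.2.10", "192.0.2.11", "2001:db8::10", "2001:db8::11"):
        print(a, fcrdns(a))
    print("/24 ->", ptr_records_needed("192.0.2.0/24"))
    print("/64 ->", ptr_records_needed("2001:db8::/64"))
```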