On Thu, Nov 06, 2014 at 08:24:35AM -0700, Paul Ebersman wrote:
> marka> Which won't work in IPv6 unless you synthesize the records on
> marka> demand.
> 
> And that's the plan, at least for $DAYJOB. And sign on the fly for those
> of us signing our zones.

I'm going to take the risk of embarrassing myself in public and ask the
stupid thing I've been wondering:  Is there a reason not to use wildcard
PTRs?

        $ORIGIN 6.7.6.2.7.6.7.0.1.0.0.2.ip6.arpa.
        *       604800  IN      PTR     home-ipv6-customer.isp.net.

This way, a PTR would exist for every address, so broken sshd and similar
daemons will work.  It's easy to grep for, so antispam folks should be
content.  The wildcard record can be signed, which is trickier to do with
on-demand PTR synthesis.  If you want to sell a customer their own PTR
or delegated reverse zone, you still can.

You don't end up with a unique PTR for each address, and you'll get 
answers for addresses that aren't in use... but those kind of seem like
features, not bugs.  Also, it's cheap.

So, are there technical reasons not to do this, or is it just conceptual
inertia from the use of $GENERATE for v4?

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
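Added example, not part of the post above: a toy lookup that applies the wildcard rules of RFC 4592 to a zone modelled on the snippet in the message (apex `6.7.6.2.7.6.7.0.1.0.0.2.ip6.arpa.`, i.e. 2001:767:2676::/48). The explicit customer PTR, the delegated /64 and all customer hostnames are constructed for illustration. It shows what the wildcard covers and one consequence of selling a single explicit PTR: the other addresses in that /64 stop matching the apex wildcard, because the explicit record's parent becomes an empty non-terminal and is now the closest encloser.

```python
"""Wildcard-PTR coverage check for an ip6.arpa zone (RFC 4592 semantics).

Added example; the zone below is constructed, only the apex and the wildcard
PTR target come from the mailing-list message.
"""
import ipaddress

# Zone apex from the message: reverse zone for 2001:767:2676::/48
ORIGIN = "6.7.6.2.7.6.7.0.1.0.0.2.ip6.arpa."


def reverse_name(addr: str) -> str:
    """Return the fully qualified ip6.arpa name for an IPv6 address."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."


# Constructed zone contents: SOA at the apex, the wildcard PTR from the post,
# one explicit PTR sold to a customer, and one /64 delegated to another.
ZONE = {
    ORIGIN: ("SOA", "ns1.isp.net."),
    "*." + ORIGIN: ("PTR", "home-ipv6-customer.isp.net."),
    reverse_name("2001:767:2676:1::1"): ("PTR", "mail.customer1.example."),
    "2.0.0.0." + ORIGIN: ("NS", "ns1.customer2.example."),  # 2001:767:2676:2::/64
}


def _ancestors(name: str):
    """Yield the proper ancestors of name, nearest first, up to the apex."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        anc = ".".join(labels[i:])
        yield anc
        if anc == ORIGIN:
            return


def _exists(name: str) -> bool:
    """A name exists if it owns records or is an empty non-terminal."""
    return name == ORIGIN or any(
        owner == name or owner.endswith("." + name) for owner in ZONE
    )


def lookup(name: str):
    """Resolve name against ZONE and return (status, record-or-None).

    status: "ANSWER" (explicit record), "WILDCARD" (synthesized from the
    * record), "REFERRAL" (below a delegation), "NXDOMAIN", or "NOTAUTH"
    (name is outside this zone).
    """
    if name != ORIGIN and not name.endswith("." + ORIGIN):
        return ("NOTAUTH", None)
    rec = ZONE.get(name)
    if rec:
        return ("REFERRAL" if rec[0] == "NS" else "ANSWER", rec)
    for anc in _ancestors(name):
        rec = ZONE.get(anc)
        if rec and rec[0] == "NS" and anc != ORIGIN:
            # Zone cut above the name: the delegate answers, not us.
            return ("REFERRAL", rec)
        if _exists(anc):
            # anc is the closest encloser; only a wildcard directly under it
            # may synthesize an answer (RFC 4592, section 3.3).
            wild = ZONE.get("*." + anc)
            return ("WILDCARD", wild) if wild else ("NXDOMAIN", None)
    return ("NXDOMAIN", None)


if __name__ == "__main__":
    for addr in ("2001:767:2676:abcd::1",  # plain customer address
                 "2001:767:2676:1::1",     # the explicit PTR
                 "2001:767:2676:1::2",     # neighbour of the explicit PTR
                 "2001:767:2676:2::5",     # inside the delegated /64
                 "2001:db8::1"):           # not our zone
        print(f"{addr:24} {lookup(reverse_name(addr))}")
```

The third address is the one to watch: it sits in the same /64 as the explicit PTR, and it comes back NXDOMAIN rather than picking up the apex wildcard. If you sell individual PTRs out of a /64 you must also add a `*` record at that /64 (or at each empty non-terminal you create) to keep the "a PTR exists for every address" property the post relies on.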

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop