Re: [anti-abuse-wg] Reverse DNS delegations
On Mon 08/Apr/2024 12:19:15 +0200 Gert Doering wrote: On Mon, Apr 08, 2024 at 12:10:57PM +0200, Alessandro Vesely wrote: Delegations don't seem to be generated from the database. How is that supposed to work? They are, but maybe not for the highest level. Like, 8.0.6.0.1.0.0.2.ip6.arpa - that's our space, 2001:608::/32, and the reverse DNS delegation was done (back then, in August 2002) via the DB entry, and I'm assured it still works that way. Yup, that matches: $ dig 8.0.6.0.1.0.0.2.ip6.arpa ns ; <<>> DiG 9.18.24-1-Debian <<>> 8.0.6.0.1.0.0.2.ip6.arpa ns ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26275 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 7 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: f5890ae0f4d0b45601006613c858ab439750be740ddf (good) ;; QUESTION SECTION: ;8.0.6.0.1.0.0.2.ip6.arpa. IN NS ;; ANSWER SECTION: 8.0.6.0.1.0.0.2.ip6.arpa. 43200 IN NS ns4.dns.space.net. 8.0.6.0.1.0.0.2.ip6.arpa. 43200 IN NS ns.ripe.net. 8.0.6.0.1.0.0.2.ip6.arpa. 43200 IN NS ns.space.net. 8.0.6.0.1.0.0.2.ip6.arpa. 43200 IN NS ns3.dns.space.net. ... $ whois -h whois.ripe.net -T domain -d 2001:608:: % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See https://apps.db.ripe.net/docs/HTML-Terms-And-Conditions % Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '8.0.6.0.1.0.0.2.ip6.arpa' domain: 8.0.6.0.1.0.0.2.ip6.arpa descr: SpaceNET IPv6 Space, reverse delegation (new style) admin-c:SVB tech-c: SPCN-RIPE zone-c: SPCN-RIPE nserver:ns.ripe.net nserver:ns.space.net nserver:ns3.dns.space.net nserver:ns4.dns.space.net mnt-by: SPACENET-N created:2002-08-19T13:31:57Z last-modified: 2016-12-07T21:11:25Z source: RIPE ... Thanks Ale -- -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
On Sun 07/Apr/2024 20:33:28 +0200 Gert Doering wrote: On Sun, Apr 07, 2024 at 01:44:45PM -0400, John Levine wrote: If you care about rDNS, you need to find a better ISP that meets your needs. Then tell the old one why you left. That seems to be a problem in Italy these days - few ISPs offer IPv6 at all, so finding one that does IPv6 *and* rDNS seems hard. (In Germany, there's competition on the ISP market, but I'm not sure there are many that actually delegegate out /48s - and I'm not sure how many of those that do provide reverse DNS actually permit customers to put in records of their choice, and not just auto-generated PTRs) I counted 2101 lines in the Italian LIRs page[*] and 4302 in the German one[†] (including ~20 lines of header/ footer). Unfortunately, those lists say nothing about what kind of services each ISP does. I wonder if filling those tables with attributes that would be useful to prospect customers is something that RIPE members want RIPE to do... Best Ale -- [*] https://www.ripe.net/membership/indices/IT.html [†] https://www.ripe.net/membership/indices/DE.html -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
Hi, On Mon, Apr 08, 2024 at 12:10:57PM +0200, Alessandro Vesely wrote: > Thanks, that apparently works. However, -T domain -d 2a02:: finds > 0.0.0.0.2.0.a.2.ip6.arpa. It seems to prepend a variable number of zeroes > and cite the wrong name servers (see queries below). Shouldn't it find > 2.0.a.2.ip6.arpa? That domain exists, although it has no name servers. 0.a.2.ip6.arpa is the RIPE's "top level" reverse zone, and I would assume that these need to be entered manually into the DNS system (because it's not "a child zone of an existing zone"). Like you need to add your IP blocks to your IPAM, to be able to allocate a subnet from it. So 0.0.0.0.2.0.a.2.ip6.arpa seems to be the first "customer" DNS delegation from there. > The parent zone, 0.a.2.ip6.arpa, has lots of international NSes, none of > which matches the ones returned by the database queries. > > Delegations don't seem to be generated from the database. How is that > supposed to work? They are, but maybe not for the highest level. Like, 8.0.6.0.1.0.0.2.ip6.arpa - that's our space, 2001:608::/32, and the reverse DNS delegation was done (back then, in August 2002) via the DB entry, and I'm assured it still works that way. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Ingo Lalla, Karin Schuler Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 signature.asc Description: PGP signature -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
On Sun 07/Apr/2024 16:47:37 +0200 Semisol via anti-abuse-wg wrote: On 7.04.2024 15:42, Alessandro Vesely wrote: BTW, how should one search DB objects like 2.0.a.2.ip6.arpa? I can search it in the DNS but not in https://apps.db.ripe.net/db-web-ui/query -T domain -d I believe you can also use the more/less specific flags with that query but I didn't try. Thanks, that apparently works. However, -T domain -d 2a02:: finds 0.0.0.0.2.0.a.2.ip6.arpa. It seems to prepend a variable number of zeroes and cite the wrong name servers (see queries below). Shouldn't it find 2.0.a.2.ip6.arpa? That domain exists, although it has no name servers. The parent zone, 0.a.2.ip6.arpa, has lots of international NSes, none of which matches the ones returned by the database queries. Delegations don't seem to be generated from the database. How is that supposed to work? - queries - $ whois -h whois.ripe.net -T domain -d 2a02:: % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See https://apps.db.ripe.net/docs/HTML-Terms-And-Conditions % Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '0.0.0.0.2.0.a.2.ip6.arpa' domain: 0.0.0.0.2.0.a.2.ip6.arpa descr: IPv6 reverse delegation SES nserver:isrvdns1.astra-net.com nserver:isrvdns2.astra-net.com nserver:isrvdns3.astra-net.com ... $ dig 0.0.0.0.2.0.a.2.ip6.arpa ns ;; communications error to ::1#53: timed out ... $ dig @isrvdns1.astra-net.com 0.0.0.0.2.0.a.2.ip6.arpa ns ;; communications error to 212.56.224.20#53: timed out ;; communications error to 212.56.224.20#53: timed out ;; communications error to 212.56.224.20#53: timed out ; <<>> DiG 9.18.24-1-Debian <<>> @isrvdns1.astra-net.com 0.0.0.0.2.0.a.2.ip6.arpa ns ; (1 server found) ;; global options: +cmd ;; no servers could be reached $ dig @isrvdns2.astra-net.com 0.0.0.0.2.0.a.2.ip6.arpa ns ;; communications error to 212.56.224.21#53: timed out ;; communications error to 212.56.224.21#53: timed out ;; communications error to 212.56.224.21#53: timed out ; <<>> DiG 9.18.24-1-Debian <<>> @isrvdns2.astra-net.com 0.0.0.0.2.0.a.2.ip6.arpa ns ; (1 server found) ;; global options: +cmd ;; no servers could be reached $ dig @isrvdns3.astra-net.com 0.0.0.0.2.0.a.2.ip6.arpa ns ;; communications error to 213.169.107.4#53: timed out ;; communications error to 213.169.107.4#53: timed out ;; communications error to 213.169.107.4#53: timed out ; <<>> DiG 9.18.24-1-Debian <<>> @isrvdns3.astra-net.com 0.0.0.0.2.0.a.2.ip6.arpa ns ; (1 server found) ;; global options: +cmd ;; no servers could be reached $ dig 0.a.2.ip6.arpa ns ; <<>> DiG 9.18.24-1-Debian <<>> 0.a.2.ip6.arpa ns ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32256 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 9 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: b9ca8f96dd329dbf01006613bf18d99a4c9d9cbff52a (good) ;; QUESTION SECTION: ;0.a.2.ip6.arpa.IN NS ;; ANSWER SECTION: 0.a.2.ip6.arpa. 78819 IN NS ns3.lacnic.net. 0.a.2.ip6.arpa. 78819 IN NS ns4.apnic.net. 0.a.2.ip6.arpa. 78819 IN NS rirns.arin.net. 0.a.2.ip6.arpa. 78819 IN NS ns3.afrinic.net. 0.a.2.ip6.arpa. 78819 IN NS pri.authdns.ripe.net. ... $ whois -h whois.ripe.net -T domain -d 2a00:: % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See https://apps.db.ripe.net/docs/HTML-Terms-And-Conditions % Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '0.0.0.0.a.2.ip6.arpa' domain: 0.0.0.0.a.2.ip6.arpa descr: Arcor AG & Co. KG org:ORG-MAT1-RIPE admin-c:ANOC1-RIPE tech-c: ANOC1-RIPE zone-c: ANOC1-RIPE nserver:ns1.arcor-ip.de nserver:ns2.arcor-ip.de nserver:ns3.arcor-ip.de created:2006-03-14T11:25:21Z last-modified: 2016-11-07T14:07:33Z source: RIPE mnt-by: ARCOR-MNT remarks:Unmaintained reverse domain object. remarks:Address prefix maintainer(s) added by RIPE NCC. remarks:For more information see: remarks:http://www.ripe.net/db/support/security/domain/syntax.html Best Ale -- -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
Hi, On Sun, Apr 07, 2024 at 01:44:45PM -0400, John Levine wrote: > If you care about rDNS, you need to find a better ISP that meets your > needs. Then tell the old one why you left. That seems to be a problem in Italy these days - few ISPs offer IPv6 at all, so finding one that does IPv6 *and* rDNS seems hard. (In Germany, there's competition on the ISP market, but I'm not sure there are many that actually delegegate out /48s - and I'm not sure how many of those that do provide reverse DNS actually permit customers to put in records of their choice, and not just auto-generated PTRs) Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Ingo Lalla, Karin Schuler Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 signature.asc Description: PGP signature -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
It appears that Alessandro Vesely said: >On Sat 06/Apr/2024 19:54:27 +0200 Randy Bush wrote: > Why isn't it possible to gain a delegation by proving number > assignment? Because your ISP can't be bothered. >>> Is such unbotherability legitimate? >RIPE could at least reproach those LIRs that have an inet6num but no rDNS >delegation to it. RIPE does what its members want it to do. If they don't care about rDNS, so be it. If you care about rDNS, you need to find a better ISP that meets your needs. Then tell the old one why you left. R's, John -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
On 7.04.2024 15:42, Alessandro Vesely wrote: BTW, how should one search DB objects like 2.0.a.2.ip6.arpa? I can search it in the DNS but not in https://apps.db.ripe.net/db-web-ui/query -T domain -d I believe you can also use the more/less specific flags with that query but I didn't try. -- Best regards, Semisol -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
On Sat 06/Apr/2024 19:54:27 +0200 Randy Bush wrote: Why isn't it possible to gain a delegation by proving number assignment? Because your ISP can't be bothered. Is such unbotherability legitimate? these years, it is one of the things when considering a provider from which one gets address space. part of the problem is that this used not to be the case. "rdns is not really useful" was the common thought. so many isps did not pay it much attention. now, more and more services are using rdns mapping to defend against crapola. so it has become useful, and quite needed in some cases. but it is notalways easy to justify to management the costs of cleaning it up, often involving your provider, sometimes your provider's provider, and on up the chain. RIPE could at least reproach those LIRs that have an inet6num but no rDNS delegation to it. BTW, how should one search DB objects like 2.0.a.2.ip6.arpa? I can search it in the DNS but not in https://apps.db.ripe.net/db-web-ui/query Best Ale -- -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
>>> Why isn't it possible to gain a delegation by proving number >>> assignment? >> Because your ISP can't be bothered. > Is such unbotherability legitimate? these years, it is one of the things when considering a provider from which one gets address space. part of the problem is that this used not to be the case. "rdns is not really useful" was the common thought. so many isps did not pay it much attention. now, more and more services are using rdns mapping to defend against crapola. so it has become useful, and quite needed in some cases. but it is notalways easy to justify to management the costs of cleaning it up, often involving your provider, sometimes your provider's provider, and on up the chain. i have three /48s from an upstream. rdns is delegated, whew! but they are not dnssec signing. this has yet to cause pain, but i expect it will somewhere down the road. randy -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
On Sat 06/Apr/2024 17:23:27 +0200 Gert Doering wrote: On Sat, Apr 06, 2024 at 11:52:45AM +0200, Alessandro Vesely wrote: On Fri 05/Apr/2024 20:19:59 +0200 John Levine wrote: It appears that Alessandro Vesely said: Why isn't it possible to gain a delegation by proving number assignment? Because your ISP can't be bothered. Is such unbotherability legitimate? There's no law against bad customer service... usually the market will eventually fix this (as in "some other ISP will offer IPv6 and proper reverse DNS"). For reasons not clear to me, Italian ISPs do take their time in rolling out IPv6... so maybe a bit more patience will get you there. That's right. Big ISPs play big ads, but only serve mass users. Small ISPs exist, but are hard to find and don't properly advertise what services they do. (This said, sending mails over IPv6 is a bit of hit and miss anyway, with Google inventing new requirements on IPv6 connections that are not there for IPv4...) I'm trying to use IPv6 only when there's no IPv4, but at times a DNS delay can make the server make the wrong choice... Best Ale -- -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
Hi, On Sat, Apr 06, 2024 at 11:52:45AM +0200, Alessandro Vesely wrote: > On Fri 05/Apr/2024 20:19:59 +0200 John Levine wrote: > > It appears that Alessandro Vesely said: > > > Why isn't it possible to gain a delegation by proving number assignment? > > > > Because your ISP can't be bothered. > > Is such unbotherability legitimate? There's no law against bad customer service... usually the market will eventually fix this (as in "some other ISP will offer IPv6 and proper reverse DNS"). For reasons not clear to me, Italian ISPs do take their time in rolling out IPv6... so maybe a bit more patience will get you there. (This said, sending mails over IPv6 is a bit of hit and miss anyway, with Google inventing new requirements on IPv6 connections that are not there for IPv4...) Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Ingo Lalla, Karin Schuler Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 signature.asc Description: PGP signature -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
On Fri 05/Apr/2024 20:19:59 +0200 John Levine wrote: It appears that Alessandro Vesely said: Why isn't it possible to gain a delegation by proving number assignment? Because your ISP can't be bothered. Is such unbotherability legitimate? I appreciate the fact that my provider endowed me with a bunch of IPv6 addresses. Previous ISPs couldn't put up with it. However, to have addresses and not being able to use them is not much of an advancement. Best Ale -- -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
It appears that Alessandro Vesely said: >Why isn't it possible to gain a delegation by proving number assignment? Because your ISP can't be bothered. I have a free /48 from Hurricane and they delegated the rDNS as part of the setup so it's not like it's unusual or difficult. Delegating IPv6 rDNS is much easier than IPv4 because the delegation point is always between two labels in the rDNS, no funky CNAMEs needed. As you have noticed, you won't have much success sending mail from a host without rDNS. R's, John -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
It depends on the LIR – some let you, some don’t. And no, you don’t own the IPs – the LIR does -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ --- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 I have sent this email at a time that is convenient for me. I do not expect you to respond to it outside of your usual working hours. From: Alessandro Vesely Date: Friday, 5 April 2024 at 16:24 To: Michele Neylon - Blacknight , anti-abuse-wg Subject: Re: [anti-abuse-wg] Reverse DNS delegations [EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources. On Fri 05/Apr/2024 14:41:01 +0200 Michele Neylon - Blacknight via anti-abuse-wg wrote: > Have you asked them to setup PTR records? I did so for IPv4. They're unable to delegate but can set PTRs. For IPv6, they don't have delegation for their own range, so cannot possibly resolve mine. > We usually do it for our clients, so I’ve no idea how others handle it Why can't users of a given range set up their own delegation? I know it should be hierarchical, but in case RIPE did not delegate anything (found SOA 0.a.2.ip6.arpa. dns.ripe.net) couldn't they delegate directly after proof of "ownership"? Best Ale > -- > Mr Michele Neylon > Blacknight Solutions > Hosting, Colocation & Domains > https://www.blacknight.com/ > https://blacknight.blog/ > Intl. +353 (0) 59 9183072 > Direct Dial: +353 (0)59 9183090 > Personal blog: https://michele.blog/ > Some thoughts: https://ceo.hosting/ > --- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 > > I have sent this email at a time that is convenient for me. I do not expect > you to respond to it outside of your usual working hours. > > > From: anti-abuse-wg on behalf of Alessandro > Vesely > Date: Friday, 5 April 2024 at 13:01 > To: anti-abuse-wg > Subject: [anti-abuse-wg] Reverse DNS delegations > [EXTERNAL EMAIL] Please use caution when opening attachments from > unrecognised sources. > > Hi all, > > what's the policy for reverse delegation? My provider assigned me a > 2a02:29e1:500:6c00::/56. Great. However they didn't delegate reverse DNS. > Indeed, their own 2a02:29e1::/32 has no delegations: > > ; <<>> DiG 9.18.24-1-Debian <<>> 1.e.9.2.2.0.a.2.ip6.arpa ns > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19800 > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 1232 > ; COOKIE: cad8ae482b0e559c0100660fe49763aa815e05fda159 (good) > ;; QUESTION SECTION: > ;1.e.9.2.2.0.a.2.ip6.arpa. IN NS > > ;; AUTHORITY SECTION: > 0.a.2.ip6.arpa. 3600IN SOA pri.authdns.ripe.net. > dns.ripe.net. 1712314758 3600 600 864000 3600 > > > Now there are mail servers which reject mail if they don't find a matching > PTR: > ><<< 554 resimta-c2p-559421.sys.comcast.net > resimta-c2p-559421.sys.comcast.net 2a02:29e1:500:6c00::4 Comcast requires > that all mail servers must have a PTR record with a valid Reverse DNS entry. > Currently your mail server does not fill that requirement. For more > information, refer to: https://postmaster.comcast.net/smtp-error-codes.php#554 > > > Why isn't it possible to gain a delegation by proving number assignment? > > > Best > Ale > -- > > > > > > > > > -- > > To unsubscribe from this mailing list, get a password reminder, or change > your subscription options, please visit: > https://lists.ripe.net/mailman/listinfo/anti-abuse-wg > > -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
On Fri 05/Apr/2024 14:41:01 +0200 Michele Neylon - Blacknight via anti-abuse-wg wrote: Have you asked them to setup PTR records? I did so for IPv4. They're unable to delegate but can set PTRs. For IPv6, they don't have delegation for their own range, so cannot possibly resolve mine. We usually do it for our clients, so I’ve no idea how others handle it Why can't users of a given range set up their own delegation? I know it should be hierarchical, but in case RIPE did not delegate anything (found SOA 0.a.2.ip6.arpa. dns.ripe.net) couldn't they delegate directly after proof of "ownership"? Best Ale -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ --- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 I have sent this email at a time that is convenient for me. I do not expect you to respond to it outside of your usual working hours. From: anti-abuse-wg on behalf of Alessandro Vesely Date: Friday, 5 April 2024 at 13:01 To: anti-abuse-wg Subject: [anti-abuse-wg] Reverse DNS delegations [EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources. Hi all, what's the policy for reverse delegation? My provider assigned me a 2a02:29e1:500:6c00::/56. Great. However they didn't delegate reverse DNS. Indeed, their own 2a02:29e1::/32 has no delegations: ; <<>> DiG 9.18.24-1-Debian <<>> 1.e.9.2.2.0.a.2.ip6.arpa ns ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19800 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: cad8ae482b0e559c0100660fe49763aa815e05fda159 (good) ;; QUESTION SECTION: ;1.e.9.2.2.0.a.2.ip6.arpa. IN NS ;; AUTHORITY SECTION: 0.a.2.ip6.arpa. 3600IN SOA pri.authdns.ripe.net. dns.ripe.net. 1712314758 3600 600 864000 3600 Now there are mail servers which reject mail if they don't find a matching PTR: <<< 554 resimta-c2p-559421.sys.comcast.net resimta-c2p-559421.sys.comcast.net 2a02:29e1:500:6c00::4 Comcast requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement. For more information, refer to: https://postmaster.comcast.net/smtp-error-codes.php#554 Why isn't it possible to gain a delegation by proving number assignment? Best Ale -- -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Reverse DNS delegations
Have you asked them to setup PTR records? We usually do it for our clients, so I’ve no idea how others handle it -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ --- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 I have sent this email at a time that is convenient for me. I do not expect you to respond to it outside of your usual working hours. From: anti-abuse-wg on behalf of Alessandro Vesely Date: Friday, 5 April 2024 at 13:01 To: anti-abuse-wg Subject: [anti-abuse-wg] Reverse DNS delegations [EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources. Hi all, what's the policy for reverse delegation? My provider assigned me a 2a02:29e1:500:6c00::/56. Great. However they didn't delegate reverse DNS. Indeed, their own 2a02:29e1::/32 has no delegations: ; <<>> DiG 9.18.24-1-Debian <<>> 1.e.9.2.2.0.a.2.ip6.arpa ns ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19800 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: cad8ae482b0e559c0100660fe49763aa815e05fda159 (good) ;; QUESTION SECTION: ;1.e.9.2.2.0.a.2.ip6.arpa. IN NS ;; AUTHORITY SECTION: 0.a.2.ip6.arpa. 3600IN SOA pri.authdns.ripe.net. dns.ripe.net. 1712314758 3600 600 864000 3600 Now there are mail servers which reject mail if they don't find a matching PTR: <<< 554 resimta-c2p-559421.sys.comcast.net resimta-c2p-559421.sys.comcast.net 2a02:29e1:500:6c00::4 Comcast requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement. For more information, refer to: https://postmaster.comcast.net/smtp-error-codes.php#554 Why isn't it possible to gain a delegation by proving number assignment? Best Ale -- -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
[anti-abuse-wg] Reverse DNS delegations
Hi all, what's the policy for reverse delegation? My provider assigned me a 2a02:29e1:500:6c00::/56. Great. However they didn't delegate reverse DNS. Indeed, their own 2a02:29e1::/32 has no delegations: ; <<>> DiG 9.18.24-1-Debian <<>> 1.e.9.2.2.0.a.2.ip6.arpa ns ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19800 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: cad8ae482b0e559c0100660fe49763aa815e05fda159 (good) ;; QUESTION SECTION: ;1.e.9.2.2.0.a.2.ip6.arpa. IN NS ;; AUTHORITY SECTION: 0.a.2.ip6.arpa. 3600IN SOA pri.authdns.ripe.net. dns.ripe.net. 1712314758 3600 600 864000 3600 Now there are mail servers which reject mail if they don't find a matching PTR: <<< 554 resimta-c2p-559421.sys.comcast.net resimta-c2p-559421.sys.comcast.net 2a02:29e1:500:6c00::4 Comcast requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement. For more information, refer to: https://postmaster.comcast.net/smtp-error-codes.php#554 Why isn't it possible to gain a delegation by proving number assignment? Best Ale -- -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
