RE: IPv6 automatic reverse DNS

2016-11-01 Thread Woodworth, John R
> Hi John,
>
> Thanks for the info and background.
>
> One operational suggestion I have is … why link synthesis rules to a
> specific DNS zone?
>
> Most larger operators of auth DNS use an IP management tool, like BT
> Diamond IPAM, BlueCat, or Infoblox. Oftentimes, allocations of IP space
> will not be on classful boundaries, yet most often reverse DNS zones
> are on classful boundaries.
>
> What may be more operationally useful would be an (optional) feature
> in auth DNS software that would process an incoming PTR request as
> follows:
>
> 1. Answer the PTR with an entry in the corresponding ip6.arpa
> or in-addr.arpa zone file if the PTR exists
> 2. Otherwise, examine a rule set of synthetic PTR responses and
> answer by the rule set (e.g. 10.0.0.128 matches rule for
> “10.0.0.128/27” and returns PTR of 10-0-0-128.dhcp.example.com.)
> 3. Otherwise, return NXDOMAIN or NOANSWER/NOERROR as appropriate
>
> Such a ruleset could apply to forward zones as well to create the
> matching forward lookup.
> Just my two cents!  Caveat: personal opinion and not the official
> position of Charter.

Andrew,

Excellent question.  Out of necessity we have an in-house federated
solution for DNS/DHCP/IP/etc. which solves part of the problem.
However, not all data can be managed this way; some more tech-savvy
customers expect to manage their own data and transfer it directly
to our nameservers for the higher availability, lower latency,
tighter security, etc.  This then becomes a shared burden at the
zone level where, from our perspective, the intent should be easily
transferable.  I suspect if/when the draft is adopted, other IP
management tools may offer the capability of automatically
generating the associated "BULK" resource records for the various
DNS zones allowing for better interoperability (i.e. "transferability").

One of the draft's features I am most proud of is the concept of
superimposed records.  This can scale to really huge levels where
for example: the RIR could provide patterns for all unclaimed records
under "10.in-addr.arpa." which could be overridden by more specific
patterns for records under "255.0.10.in-addr.arpa."  The DNS ownership
now follows the intent of the expected DNS zone owner.  If one
follows this logic through the ipv6 tree, this concept of ownership
becomes even more pronounced.

I guess in short, the answer is to maintain the concept of zone
ownership :)


Thanks,
John Woodworth

> Andrew
>
>
> Ληdrеw Whiте
> Charter Network Operations - DAS DNS
> Desk: 314-394-9594 - Cell: 314-452-4386
> andrew.whi...@charter.com
>

-- THESE ARE THE DROIDS TO WHOM I REFER:
This communication is the property of CenturyLink and may contain confidential 
or privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful. If you have received this communication in 
error, please immediately notify the sender by reply e-mail and destroy all 
copies of the communication and any attachments.


RE: IPv6 automatic reverse DNS

2016-11-01 Thread Woodworth, John R
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of White, Andrew
>
> There are two competing drafts for synthetic rule-based PTR responses
> for IPv6 rDNS:
>
> Howard Lee, Time Warner Cable (now Charter)
> https://tools.ietf.org/html/draft-howard-isp-ip6rdns-08
>
> J. Woodworth, CenturyLink
> https://datatracker.ietf.org/doc/draft-woodworth-bulk-rr/
>
> Nominum and Xerocole/Akamai also have proprietary solutions to this
> in their Vantio AuthServ and AuthX products, respectively.
>
> It seems to me that it is still an open question whether the
> recommendations in RFC-1912 that any IP address that accesses the
> Internet should have a PTR and matching forward record. My personal
> thoughts are that the best solution would be an OPTIONAL standards-based
> method of generating DNS responses based on a ruleset if a specific zone
> record is not present, and that implementation of that requirement
> should be left to the developers of the auth nameserver software.

Greetings Andrew,

I am new to the group but one of the authors referenced above.  My
colleagues and I are glad to see the discussion around this issue
see some recent movement.

As indicated by one of our esteemed WG chairs elsewhere in this thread,
I am currently working to provide additional clarity for some of the
more difficult concepts in the draft and have not yet requested the
next step.  Once these changes are complete we will enthusiastically
move forward with this request.

As I am new to this forum, for the moment I wanted to simply state:
synthesized records based on the proposed "bulk rr" method can
_only_exist_where_zone_records_do_not_already_.  One critical goal of
the draft is to make the "intent" of synthesized records easy to
transfer between nameservers in authoritative roles.  Examples for
implementing the draft using fairly straightforward regex
manipulation are included but are more of a guideline for making
the pattern substitution easier for the implementor and provide
a reference for the accompanying examples.  Ultimately, as you
recommend, the auth nameserver software vendor would be free to
provide their own pattern substitution logic (so long as the
intent is not lost).

DNSSEC for synthesized records also poses its own obvious set of…
complications for which we've outlined a number of solutions to
help satisfy this challenge.

Admittedly, it is a bit of a hefty read but we would love the
feedback (directly or in the IETF DNSOP mailing list of course).


Thanks,
John Woodworth


>
> Andrew
>
> Caveat: These thoughts are mine personally and do not represent
> any official position of Charter Communications.
>
>
> Ληdrеw Whiте
> Charter Network Operations - DAS DNS
> Desk: 314-394-9594 - Cell: 314-452-4386
> andrew.whi...@charter.com
>



RE: IPv6 automatic reverse DNS

2016-10-31 Thread White, Andrew
Hi John,

Thanks for the info and background.

One operational suggestion I have is … why link synthesis rules to a specific 
DNS zone?

Most larger operators of auth DNS use an IP management tool, like BT Diamond 
IPAM, BlueCat, or Infoblox. Oftentimes, allocations of IP space will not be on 
classful boundaries, yet most often reverse DNS zones are on classful 
boundaries.

What may be more operationally useful would be an (optional) feature in auth 
DNS software that would process an incoming PTR request as follows:


1. Answer the PTR with an entry in the corresponding ip6.arpa or 
in-addr.arpa zone file if the PTR exists
2. Otherwise, examine a rule set of synthetic PTR responses and answer by 
the rule set (e.g. 10.0.0.128 matches rule for “10.0.0.128/27” and returns PTR 
of 10-0-0-128.dhcp.example.com.)
3. Otherwise, return NXDOMAIN or NOANSWER/NOERROR as appropriate

Such a ruleset could apply to forward zones as well to create the matching 
forward lookup.

Just my two cents!  Caveat: personal opinion and not the official position of 
Charter.

Andrew


Ληdrеw Whiте
Charter Network Operations - DAS DNS
Desk: 314-394-9594 - Cell: 314-452-4386
andrew.whi...@charter.com

From: Woodworth, John R [mailto:john.woodwo...@centurylink.com]
Sent: Monday, October 31, 2016 11:04 PM
To: White, Andrew; 'nanog@nanog.org'
Cc: Ballew, Dean; Woodworth, John R
Subject: RE: IPv6 automatic reverse DNS

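The lookup order Andrew sketches above (explicit zone record first, then a rule set, then NXDOMAIN) and the precedence John describes in his reply at the top of the thread (a pattern under a more specific reverse zone overriding a broader one under 10.in-addr.arpa.) fit in a few dozen lines. The following is an added example written for this page; it is not code from either draft, from Charter or CenturyLink, or from any nameserver. The record data, rule networks and `{dashed}` templates are constructed for the example. The forward side does what Baldur asked for at the start of the thread, parsing a synthesized name back to its address, but only when the governing rule would have produced exactly that name, so synthesized names never shadow explicit records in either direction.

```python
"""Rule-based reverse/forward synthesis for in-addr.arpa and ip6.arpa.

Added example, not code from either IETF draft or from any nameserver.
Lookup order: explicit zone record, then the most specific matching rule
(so a /27 pattern overrides a /8 one), then NXDOMAIN. All data is constructed.
"""
import ipaddress
from typing import Optional, Tuple

Answer = Tuple[str, Optional[str]]  # (rcode, rdata)


def reverse_name(ip: str) -> str:
    """Owner name of the PTR for an address, with trailing dot, e.g. 1.0.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed explicit zone records. These always win over any synthesis rule.
ZONE_RECORDS = {
    reverse_name("10.0.0.1"): "gw.example.com.",
    reverse_name("2001:db8::1"): "mx1.example.com.",
}
FORWARD_RECORDS = {"gw.example.com.": "10.0.0.1", "mx1.example.com.": "2001:db8::1"}

# Constructed rule set: (network, PTR template). {dashed} is the address with
# its separators replaced by '-'. The most specific matching network wins.
RULES = [
    (ipaddress.ip_network("10.0.0.0/8"), "{dashed}.unassigned.example."),
    (ipaddress.ip_network("10.0.0.128/27"), "{dashed}.dhcp.example.com."),
    (ipaddress.ip_network("2001:db8::/32"), "{dashed}.v6.example.com."),
]


def dashed(ip) -> str:
    """10.0.0.129 -> 10-0-0-129; 2001:db8::5 -> 2001-db8--5 (compressed form, '::' becomes '--')."""
    return str(ip).replace(".", "-").replace(":", "-")


def ip_from_reverse_name(qname: str):
    """Turn an in-addr.arpa / ip6.arpa owner name back into an address, or None if malformed."""
    name = qname.rstrip(".").lower()
    try:
        if name.endswith(".in-addr.arpa"):
            octets = name[: -len(".in-addr.arpa")].split(".")
            if len(octets) != 4:
                return None
            return ipaddress.IPv4Address(".".join(reversed(octets)))
        if name.endswith(".ip6.arpa"):
            nibbles = name[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
                return None
            return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    except ValueError:
        return None
    return None


def answer_ptr(qname: str) -> Answer:
    """Step 1: explicit record. Step 2: most specific matching rule. Step 3: NXDOMAIN."""
    key = qname.rstrip(".").lower() + "."
    if key in ZONE_RECORDS:
        return "NOERROR", ZONE_RECORDS[key]
    ip = ip_from_reverse_name(key)
    if ip is None:
        return "NXDOMAIN", None
    matches = [(net, tmpl) for net, tmpl in RULES if ip in net]
    if not matches:
        return "NXDOMAIN", None
    _, tmpl = max(matches, key=lambda m: m[0].prefixlen)  # longest prefix = most specific owner
    return "NOERROR", tmpl.format(dashed=dashed(ip))


def answer_forward(qname: str) -> Answer:
    """Forward side: explicit record first; else accept only a name a rule would have synthesized."""
    name = qname.rstrip(".").lower() + "."
    if name in FORWARD_RECORDS:
        return "NOERROR", FORWARD_RECORDS[name]
    first = name.split(".", 1)[0]
    for candidate in (first.replace("-", "."), first.replace("-", ":")):
        try:
            ip = ipaddress.ip_address(candidate)
            break
        except ValueError:
            continue
    else:
        return "NXDOMAIN", None
    # Only the exact name the governing rule produces exists; an explicit PTR or a
    # different suffix means this forward name was never ours to synthesize.
    if answer_ptr(reverse_name(str(ip))) == ("NOERROR", name):
        return "NOERROR", str(ip)
    return "NXDOMAIN", None


def round_trip(ip: str) -> bool:
    """Operator's consistency check: every PTR we answer must forward-resolve back to its address."""
    rcode, target = answer_ptr(reverse_name(ip))
    return rcode == "NOERROR" and answer_forward(target) == ("NOERROR", str(ipaddress.ip_address(ip)))


if __name__ == "__main__":
    for q in ("129.0.0.10.in-addr.arpa.", "3.2.1.10.in-addr.arpa.", "1.0.0.10.in-addr.arpa.",
              reverse_name("2001:db8::5"), "1.2.0.192.in-addr.arpa."):
        print(f"{q:45} PTR -> {answer_ptr(q)}")
    print("forward 10-0-0-129.dhcp.example.com. ->", answer_forward("10-0-0-129.dhcp.example.com."))
```

Run it directly to see the answers for a handful of constructed queries. `round_trip` is the consistency check an operator wants before any mail receiver applies a forward-confirmed reverse DNS test to these names: it fails for addresses no rule covers, which is the intended NXDOMAIN case rather than a bug.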


Re: IPv6 automatic reverse DNS

2016-10-30 Thread Suzanne Woolf
Hi Wes,

> On Oct 29, 2016, at 8:40 AM, Wesley George  wrote:
> 
> 
>> On Oct 28, 2016, at 11:03 PM, White, Andrew  
>> wrote:
>> 
>> There are two competing drafts for synthetic rule-based PTR responses for 
>> IPv6 rDNS:
>> 
>> Howard Lee, Time Warner Cable (now Charter)
>> https://tools.ietf.org/html/draft-howard-isp-ip6rdns-08
>> 
>> J. Woodworth, CenturyLink
>> https://datatracker.ietf.org/doc/draft-woodworth-bulk-rr/
>> 
> 
> At the risk of getting into IETF administrivia, a little clarification is 
> important here: The first draft you mention above was replaced by the draft I 
> referenced in my previous email. It is currently an adopted WG draft in 
> DNSOP, moving toward working group last call as a consensus document, thus 
> the window for capturing and incorporating feedback is closing soon. The 
> second document does not appear to be associated with any IETF Working Group 
> yet, but it also isn't competing with the first document. The first draft is 
> informational status, discussing the issues and considerations surrounding 
> this problem, of which generating on-the-fly reverse records is one possible 
> solution. The second draft is a proposed standard defining *how* to generate 
> those on-the-fly reverse records assuming one decides that is the right path 
> to take in one's network, and would dovetail nicely via reference to section 
> 2.5 of isp-ip6-rdns.

This is exactly right, and thanks for the clear explanation of arcane IETF 
process….

Comments on https://www.ietf.org/id/draft-ietf-dnsop-isp-ip6rdns-02.txt can go to Lee or 
the WG mailing list, dn...@ietf.org . We’re trying to 
make it useful for operators, so having operators comment is *really* good….

The WG felt quite strongly that the document shouldn’t be prescriptive as far 
as telling people they *should* do this, only some of the considerations about 
doing it if they wish to. 

John Woodworth’s bulk-rr document was discussed in the WG in the last IETF 
meeting (Berlin in July) and got enough interest that John was planning to keep 
working on it. It needs people committed to active review and discussion on it 
to become a WG document, which he hasn’t requested (yet), but if the idea seems 
useful to you, you should tell him.


best,
Suzanne
(DNSOP co-chair, but not speaking for the WG or anyone else….)



RE: IPv6 automatic reverse DNS

2016-10-29 Thread Keith Medcalf


On Friday, 28 October, 2016 19:37, Steve Atkins  wrote:

> > On Oct 28, 2016, at 6:04 PM, Karl Auer  wrote:

> >> 1b) anti spam filters believe in the magic of checking
> >> forward/reverse match.

> > Someone in this thread said that only malware-infested end-users are
> > behind IP addresses with no reverse lookup. Well - no. As long as we
> > keep telling anyone who isn't running a full-bore commercial network to
> > "consume, be silent, die", we are holding everyone back, including
> > ourselves.

> If you send mail over IPv6 from an address with no reverse DNS you
> will see quite a lot of this sort of thing:

> 550 5.7.1 [*] Our system has detected that this message
> 5.7.1 does not meet IPv6 sending guidelines regarding PTR records and
> 5.7.1 authentication. Please review
> 5.7.1 https://support.google.com/mail/?p=ipv6_authentication_error for
> more
> 5.7.1 information.

> > It's fine to use no-reverse-lookup as a component of a spamminess
> > score. It's not OK to use it as proof of spamminess.

> People running large mailservers made that decision some time
> ago. Disagreeing with them won't make them accept your email.

Actually, it was *long* before that.  I think it is STD 1 or STD 2 -- 
requirements for connecting a host to the internet.  All "deliberate" Internet 
hosts performing useful functions should have matching forward and reverse DNS 
and should expect to be labelled as "untrustworthy in the extreme" if they do 
not.  Assigning meaning to the resolved DNS name (embedded parts) is what came 
much later.


RE: IPv6 automatic reverse DNS

2016-10-29 Thread White, Andrew
Thanks for the clarification, Wes.

Has anyone proposed the method of publishing v6 PTRs on-the-fly as addresses 
are observed passing through an ISP's router?

Andrew


Ληdrеw Whiте
Charter Network Operations - DAS DNS
Desk: 314-394-9594 - Cell: 314-452-4386
andrew.whi...@charter.com


-Original Message-
From: Wesley George [mailto:wesgeo...@puck.nether.net] 
Sent: Saturday, October 29, 2016 7:41 AM
To: White, Andrew
Cc: Steve Atkins; NANOG list
Subject: Re: IPv6 automatic reverse DNS





Re: IPv6 automatic reverse DNS

2016-10-29 Thread Wesley George

> On Oct 28, 2016, at 11:03 PM, White, Andrew  wrote:
> 
> There are two competing drafts for synthetic rule-based PTR responses for 
> IPv6 rDNS:
> 
> Howard Lee, Time Warner Cable (now Charter)
> https://tools.ietf.org/html/draft-howard-isp-ip6rdns-08
> 
> J. Woodworth, CenturyLink
> https://datatracker.ietf.org/doc/draft-woodworth-bulk-rr/
> 

At the risk of getting into IETF administrivia, a little clarification is 
important here: The first draft you mention above was replaced by the draft I 
referenced in my previous email. It is currently an adopted WG draft in DNSOP, 
moving toward working group last call as a consensus document, thus the window 
for capturing and incorporating feedback is closing soon. The second document 
does not appear to be associated with any IETF Working Group yet, but it also 
isn't competing with the first document. The first draft is informational 
status, discussing the issues and considerations surrounding this problem, of 
which generating on-the-fly reverse records is one possible solution. The 
second draft is a proposed standard defining *how* to generate those on-the-fly 
reverse records assuming one decides that is the right path to take in one's 
network, and would dovetail nicely via reference to section 2.5 of isp-ip6-rdns.

Wes George



signature.asc
Description: Message signed with OpenPGP using GPGMail


Re: IPv6 automatic reverse DNS

2016-10-28 Thread Karl Auer
On Fri, 2016-10-28 at 18:37 -0700, Steve Atkins wrote:
> > On Oct 28, 2016, at 6:04 PM, Karl Auer 
> > wrote:
> > It's fine to use no-reverse-lookup as a component of a spamminess
> > score. It's not OK to use it as proof of spamminess.
> People running large mailservers made that decision some time
> ago. Disagreeing with them won't make them accept your email.

I didn't say it would. IMHO reverse lookups are excellent and useful.
My only beef is with the idea that the absence of a reverse lookup
entry has any useful meaning any more, or, in particular, is proof of
spamminess.

It would be interesting (and would alter my opinion) to see statistics
of real spamminess positives ("is spam") dropping significantly if
failed reverse lookups are removed from the calculation.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4





RE: IPv6 automatic reverse DNS

2016-10-28 Thread White, Andrew
There are two competing drafts for synthetic rule-based PTR responses for IPv6 
rDNS:

Howard Lee, Time Warner Cable (now Charter)
https://tools.ietf.org/html/draft-howard-isp-ip6rdns-08

J. Woodworth, CenturyLink
https://datatracker.ietf.org/doc/draft-woodworth-bulk-rr/

Nominum and Xerocole/Akamai also have proprietary solutions to this in their 
Vantio AuthServ and AuthX products, respectively.

It seems to me that it is still an open question whether the recommendations in 
RFC-1912 that any IP address that accesses the Internet should have a PTR and 
matching forward record. My personal thoughts are that the best solution would 
be an OPTIONAL standards-based method of generating DNS responses based on a 
ruleset if a specific zone record is not present, and that implementation of 
that requirement should be left to the developers of the auth nameserver 
software.

Andrew

Caveat: These thoughts are mine personally and do not represent any official 
position of Charter Communications.


Ληdrеw Whiте
Charter Network Operations - DAS DNS
Desk: 314-394-9594 - Cell: 314-452-4386
andrew.whi...@charter.com


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Steve Atkins
Sent: Friday, October 28, 2016 6:29 PM
To: NANOG list
Subject: Re: IPv6 automatic reverse DNS






Re: IPv6 automatic reverse DNS

2016-10-28 Thread Wesley George
I'd recommend reviewing this document, and contributing as appropriate. I think 
it covers this pretty thoroughly today, but if there are missing 
considerations, now is the time to make sure that feedback is captured.
 https://tools.ietf.org/html/draft-ietf-dnsop-isp-ip6rdns-02 


Wes George


> On Oct 28, 2016, at 7:02 PM, Baldur Norddahl  
> wrote:
> 
> Hello
> 
> Many service providers have IPv4 reverse DNS for all their IP addresses. If 
> nothing is more relevant, this will often just be the IPv4 address hashed 
> somehow and tagged to the ISP domain name. For some arcane reason it is 
> important to have the forward DNS match the reverse DNS or some mail servers 
> might reject your mails.
> 
> However with IPv6 it is not practical to build such a complete reverse DNS 
> zone. You could do a star entry but that would fail the reverse/forward match 
> test.
> 
> It should be simple to build a DNS server that will automatically generate a 
> hostname value for every reverse lookup received, and also be able to parse 
> that hostname value to return the correct IPv6 address on forward lookups.
> 
> Does any DNS server have that feature? Should we have it? Why not?
> 
> I know of some arguments for:
> 
> 1a) mail servers like it
> 
> 1b) anti spam filters believe in the magic of checking forward/reverse match.
> 
> 2) traceroute will be nicer
> 
> 3) http://ipv6-test.com/ will give me 20/20 instead of 19/20 (yes that was 
> what got me going on this post)
> 
> 4) Output from "who" command on Unix will look nicer (maybe).
> 
> Regards,
> 
> Baldur



signature.asc
Description: Message signed with OpenPGP using GPGMail


Re: IPv6 automatic reverse DNS

2016-10-28 Thread Steve Atkins

> On Oct 28, 2016, at 6:04 PM, Karl Auer  wrote:
> 
>> 1b) anti spam filters believe in the magic of checking
>> forward/reverse match.
> 
> Someone in this thread said that only malware-infested end-users are
> behind IP addresses with no reverse lookup. Well - no. As long as we
> keep telling anyone who isn't running a full-bore commercial network to
> "consume, be silent, die", we are holding everyone back, including
> ourselves.

If you send mail over IPv6 from an address with no reverse DNS you
will see quite a lot of this sort of thing:

550 5.7.1 [*] Our system has detected that this message
5.7.1 does not meet IPv6 sending guidelines regarding PTR records and
5.7.1 authentication. Please review
5.7.1 https://support.google.com/mail/?p=ipv6_authentication_error for more
5.7.1 information.

> 
> It's fine to use no-reverse-lookup as a component of a spamminess
> score. It's not OK to use it as proof of spamminess.

People running large mailservers made that decision some time
ago. Disagreeing with them won't make them accept your email.

Cheers,
  Steve



Re: IPv6 automatic reverse DNS

2016-10-28 Thread Karl Auer
On Sat, 2016-10-29 at 01:02 +0200, Baldur Norddahl wrote:
> It should be simple to build a DNS server that will automatically 
> generate a hostname value for every reverse lookup received, and also
> be able to parse that hostname value to return the correct IPv6
> address on forward lookups.
> 
> Does any DNS server have that feature? Should we have it? Why not?

Nominum's nameserver software has these features. Industrial strength
nameservice, with lots of industrial-strength features, but at an
industrial-strength price.

I thought BIND had grown that feature, but I haven't used BIND for a
while now, so maybe not.

> 1b) anti spam filters believe in the magic of checking
> forward/reverse match.

Someone in this thread said that only malware-infested end-users are
behind IP addresses with no reverse lookup. Well - no. As long as we
keep telling anyone who isn't running a full-bore commercial network to
"consume, be silent, die", we are holding everyone back, including
ourselves.

It's fine to use no-reverse-lookup as a component of a spamminess
score. It's not OK to use it as proof of spamminess.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4





Re: IPv6 automatic reverse DNS

2016-10-28 Thread Olivier Benghozi
Already available: KnotDNS.

https://www.knot-dns.cz/docs/2.x/html/configuration.html#synth-record-automatic-forward-reverse-records

Olivier


> On Oct 29, 2016, at 01:02, Baldur Norddahl  wrote:
> 
> It should be simple to build a DNS server that will automatically generate a 
> hostname value for every reverse lookup received, and also be able to parse 
> that hostname value to return the correct IPv6 address on forward lookups.
> 
> Does any DNS server have that feature? Should we have it? Why not?



Re: IPv6 automatic reverse DNS

2016-10-28 Thread Luke Guillory
Why not have DHCP update DNS with both?

Sent from my iPad


Luke Guillory
Network Operations Manager

Tel:985.536.1212
Fax:985.536.0300
Email:  lguill...@reservetele.com

Reserve Telecommunications
100 RTC Dr
Reserve, LA 70084


On Oct 28, 2016, at 6:04 PM, Baldur Norddahl  wrote:
>
> Hello
>
> Many service providers have IPv4 reverse DNS for all their IP addresses. If 
> nothing is more relevant, this will often just be the IPv4 address hashed 
> somehow and tagged to the ISP domain name. For some arcane reason it is 
> important to have the forward DNS match the reverse DNS or some mail servers 
> might reject your mails.
>
> However with IPv6 it is not practical to build such a complete reverse DNS 
> zone. You could do a star entry but that would fail the reverse/forward match 
> test.
>
> It should be simple to build a DNS server that will automatically generate a 
> hostname value for every reverse lookup received, and also be able to parse 
> that hostname value to return the correct IPv6 address on forward lookups.
>
> Does any DNS server have that feature? Should we have it? Why not?
>
> I know of some arguments for:
>
> 1a) mail servers like it
>
> 1b) anti spam filters believe in the magic of checking forward/reverse match.
>
> 2) traceroute will be nicer
>
> 3) http://ipv6-test.com/ will give me 20/20 instead of 19/20 (yes that was 
> what got me going on this post)
>
> 4) Output from "who" command on Unix will look nicer (maybe).
>
> Regards,
>
> Baldur


Re: IPv6 automatic reverse DNS

2016-10-28 Thread Steve Atkins

> On Oct 28, 2016, at 4:02 PM, Baldur Norddahl  
> wrote:
> 
> Hello
> 
> Many service providers have IPv4 reverse DNS for all their IP addresses. If 
> nothing is more relevant, this will often just be the IPv4 address hashed 
> somehow and tagged to the ISP domain name. For some arcane reason it is 
> important to have the forward DNS match the reverse DNS or some mail servers 
> might reject your mails.
> 
> However with IPv6 it is not practical to build such a complete reverse DNS 
> zone. You could do a star entry but that would fail the reverse/forward match 
> test.
> 
> It should be simple to build a DNS server that will automatically generate a 
> hostname value for every reverse lookup received, and also be able to parse 
> that hostname value to return the correct IPv6 address on forward lookups.
> 
> Does any DNS server have that feature?

It's easy enough to implement with plugins on some servers.

> Should we have it?

Meh.

> Why not?

Because having an automatically generated reverse DNS is a sign that the IP 
address is not really intended to be offering public services, rather it's a 
malware-infested end user machine.

> 
> I know of some arguments for:
> 
> 1a) mail servers like it

... because it's a sign that the mail is coming from a real mailserver 
configured by a competent admin, rather than being a random compromised 
machine. That's not the case if you're just synthesizing reverse DNS for 
arbitrary IP addresses on your network.

> 
> 1b) anti spam filters believe in the magic of checking forward/reverse match.

For the same reason as above. Spam filters are also often smart enough to 
recognize, and treat as dubious, synthesized reverse DNS.

If you have synthesized reverse DNS on your smarthost you're likely to have a 
bad time, perhaps initially, perhaps the first time someone notices bad mail 
coming from it and doesn't recognize it as a legitimate smarthost.

> 
> 2) traceroute will be nicer

Most of those hosts a traceroute goes through should hopefully have stable IP 
addresses and meaningful, not synthesized, reverse DNS, I'd think. Consumer 
endpoints are the only ones where you might expect that not to be the case and 
synthesized reverse DNS might be an improvement there.

> 
> 3) http://ipv6-test.com/ will give me 20/20 instead of 19/20 (yes that was 
> what got me going on this post)
> 
> 4) Output from "who" command on Unix will look nicer (maybe).
> 
> Regards,
> 
> Baldur

Cheers,
  Steve
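On the receiving side, the two checks Steve describes (does the PTR forward-confirm, and does the name look synthesized) are easy to state precisely, and Karl's objection earlier in the thread is accommodated by making the result a score contribution rather than a verdict. This is an added example for this page, not Gmail's logic or anyone's production filter. The resolver is an in-memory stub with constructed data so it runs offline, the log lines are constructed in a Postfix-like shape, and the threshold in `decide` is a placeholder policy value.

```python
"""Receiver-side reverse DNS assessment for an inbound SMTP client address.

Added example, not Gmail's logic or anyone's production filter. It performs the
forward-confirmed reverse DNS (FCrDNS) check and flags PTR names that merely
encode the address, as synthesized reverse DNS usually does, and folds both
into a score contribution rather than a verdict. All DNS data and log lines
are constructed; the resolver is an in-memory stub so the example runs offline.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed stub resolver data (a real check would query DNS for these).
PTR = {
    "192.0.2.10": ["mail.example.com."],                # properly configured smarthost
    "192.0.2.11": ["mail.example.com."],                # PTR names a host that forwards elsewhere
    "2001:db8::25": ["2001-db8--25.dyn.example.net."],  # synthesized, but forward-confirms
    "203.0.113.5": [],                                  # no reverse DNS at all
}
FORWARD = {
    "mail.example.com.": ["192.0.2.10"],
    "2001-db8--25.dyn.example.net.": ["2001:db8::25"],
}


def canonical(ip: str) -> str:
    return str(ipaddress.ip_address(ip))


def lookup_ptr(ip: str) -> List[str]:
    return PTR.get(canonical(ip), [])


def lookup_forward(name: str) -> List[str]:
    return [canonical(a) for a in FORWARD.get(name.lower(), [])]


def looks_generic(ip: str, name: str) -> bool:
    """True when the hostname's first label is just the address written with other separators."""
    addr = ipaddress.ip_address(ip)
    label = name.lower().split(".")[0]
    tokens = [t for t in re.split(r"[-_]", label) if t]
    if addr.version == 4:
        # 192-0-2-10, ip-192-0-2-10 or zero-padded 192-000-002-010 all reduce to the octets
        if [t.lstrip("0") or "0" for t in tokens[-4:]] == str(addr).split("."):
            return True
    # 2001-db8--25 or the expanded 2001-0db8-...-0025 reduce to the hex digits of the address
    squeezed = re.sub(r"[^0-9a-f]", "", label)
    return squeezed in {str(addr).replace(":", "").replace(".", ""),
                        addr.exploded.replace(":", "").replace(".", "")}


def assess(ip: str) -> Dict[str, object]:
    """Findings for one client address plus a score contribution (higher = more suspicious)."""
    names = lookup_ptr(ip)
    confirmed = [n for n in names if canonical(ip) in lookup_forward(n)]
    generic = [n for n in names if looks_generic(ip, n)]
    score = 0
    if not names:
        score += 3   # no PTR at all
    elif not confirmed:
        score += 2   # PTR exists but FCrDNS fails: the name does not point back here
    if generic:
        score += 1   # address-derived name: treated as dubious, not as proof of anything
    return {"ptr": names, "fcrdns": bool(confirmed), "generic": bool(generic), "score": score}


def decide(findings: Dict[str, object], threshold: int = 3) -> str:
    """Placeholder policy: where the line sits is the operator's call, as the thread shows."""
    return "reject" if int(findings["score"]) >= threshold else "accept"


# Constructed, Postfix-like connection log lines.
SAMPLE_LOG = [
    "Oct 28 18:29:01 mx postfix/smtpd[1234]: connect from unknown[203.0.113.5]",
    "Oct 28 18:29:07 mx postfix/smtpd[1234]: connect from mail.example.com[192.0.2.10]",
    "Oct 28 18:29:12 mx postfix/smtpd[1235]: connect from mail.example.com[192.0.2.11]",
    "Oct 28 18:29:20 mx postfix/smtpd[1236]: connect from unknown[IPv6:2001:db8::25]",
]
CONNECT = re.compile(r"connect from \S*?\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]")


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run the assessment over each connecting address found in the log."""
    results = []
    for line in lines:
        m = CONNECT.search(line)
        if m:
            findings = assess(m.group("ip"))
            results.append({"ip": m.group("ip"), "decision": decide(findings), **findings})
    return results


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r)
```

The second constructed client (192.0.2.11) is the case the forward/reverse match test exists for: it carries a perfectly respectable PTR, but the name forward-resolves to a different address, so the PTR proves nothing about who controls the sending host. The IPv6 client shows the opposite: a synthesized name that does forward-confirm passes the match test and is only marked down for looking generic.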




IPv6 automatic reverse DNS

2016-10-28 Thread Baldur Norddahl

Hello

Many service providers have IPv4 reverse DNS for all their IP addresses. 
If nothing is more relevant, this will often just be the IPv4 address 
hashed somehow and tagged to the ISP domain name. For some arcane reason 
it is important to have the forward DNS match the reverse DNS or some 
mail servers might reject your mails.


However with IPv6 it is not practical to build such a complete reverse 
DNS zone. You could do a star entry but that would fail the 
reverse/forward match test.


It should be simple to build a DNS server that will automatically 
generate a hostname value for every reverse lookup received, and also be 
able to parse that hostname value to return the correct IPv6 address on 
forward lookups.


Does any DNS server have that feature? Should we have it? Why not?

I know of some arguments for:

1a) mail servers like it

1b) anti spam filters believe in the magic of checking forward/reverse 
match.


2) traceroute will be nicer

3) http://ipv6-test.com/ will give me 20/20 instead of 19/20 (yes that 
was what got me going on this post)


4) Output from "who" command on Unix will look nicer (maybe).

Regards,

Baldur