I'll take a dollar for every query in PTR we take at the IPv4 /8 and IPv6
/12 level. That's somewhere around 170,000/sec.
Luckily, you'll all stop before I have the entire western economy in my
pocket, but that's ok. I'll take the cents.. I'll take the millicents...
Seriously: the volume of query
sthaug If you assume that IPv6 mail servers have static PTRs, there is
sthaug zero added value (and a bit of work) in creating/synthesizing
sthaug IPv6 PTRs for residential customers. Much better to simply not
sthaug do it in the first place.
I'm in agreement that legitimate, well run mail
ebersman It's a nice thought. But considering how little we've
ebersman converged on SLAAC vs DHCPv6, random assignment vs eui-64 vs
ebersman static for host ID, RFC 6106 vs DHCPv6 DNS, etc. (and I won't
ebersman even start on how many IPv6 transition techs there are), any
ebersman consensus on
On Nov 9, 2014, at 11:31 PM, Paul Ebersman list-dn...@dragon.net wrote:
My concern is random folks who currently accept any v4 PTR regardless of
format (but caring if there is no PTR at all) will do something equally
bad in v6. i.e. NYT web content and similar pointless cruft. Putting in
an
On Nov 9, 2014, at 11:57 PM, Paul Ebersman list-dn...@dragon.net wrote:
Sorry, I replied to a message prior to your reply to me, and so I sort of
answered these points, but just to clarify:
- service providers who want a way to avoid breaking things for
customers while not being
ebersman My concern is random folks who currently accept any v4 PTR
ebersman regardless of format (but caring if there is no PTR at all)
ebersman will do something equally bad in v6. i.e. NYT web content and
ebersman similar pointless cruft. Putting in an auto-gen'ed v6 PTR
ebersman would satisfy
sthaug To me this is really simple: If many/most ISPs continue *not*
sthaug adding useless/artificial/synthesized PTRs, the content / server
sthaug people will have no choice - if they want their content to get
sthaug out and their services to be used by the large majority of IPv6
sthaug users,
On Nov 10, 2014, at 8:32 AM, Paul Ebersman list-dn...@dragon.net wrote:
IPv6 is still in early adoption for broad general use and we don't know
what plans folks have for requiring PTRs.
I apologize for picking and choosing from your response, but I think this sums
it up perfectly: if we do not
ebersman IPv6 is still in early adoption for broad general use and we
ebersman don't know what plans folks have for requiring PTRs.
TLemon I apologize for picking and choosing from your response, but I
TLemon think this sums it up perfectly: if we do not yet know what
TLemon plans they have,
On Nov 10, 2014, at 11:10 AM, Paul Ebersman list-dn...@dragon.net wrote:
If I wait until I have screaming customers, I have months and months of
hell before I have any solution.
So deploy the solutions the IETF is already working on. You are proposing we
do something bad to solve a problem
On Thu, Nov 06, 2014 at 08:26:17AM +0100,
sth...@nethelp.no sth...@nethelp.no wrote
a message of 24 lines which said:
Putting my ISP hat on, I'd have to agree with the security/stability
reasons (and several others I can think of). As of today, I have zero
incentive to let my residential
Putting my ISP hat on, I'd have to agree with the security/stability
reasons (and several others I can think of). As of today, I have zero
incentive to let my residential customers create their own PTR records.
Putting my customer hat on: I want PTR for my machines (many hosters
allow
To step back up a level again.
Most ISPs and most email/spam folks find the current v4 pointer usage to
be functional. I'm not saying that we all think it's not somewhat
broken, couldn't be better, etc. However, it solves the problems it's
supposed to solve in a functional way and doesn't
On Nov 9, 2014, at 12:01 PM, Paul Ebersman list-dn...@dragon.net wrote:
Most ISPs and most email/spam folks find the current v4 pointer usage to
be functional.
This assertion with respect to spam at least does not seem to match what's
actually been said on the list by people who are in a
Hi!
Read this draft on the way to the IETF and while I saw there was a lot of
discussion around it I didn't read all of it, so forgive me if stuff has been
said before.
First I think it is good to have a draft that captures what you can do and what
the challenges for IPv6 reverse are. However
On November 9, 2014 2:08:28 PM PST, Ted Lemon ted.le...@nominum.com wrote:
On Nov 9, 2014, at 12:01 PM, Paul Ebersman list-dn...@dragon.net
wrote:
Most ISPs and most email/spam folks find the current v4 pointer usage
to
be functional.
This assertion with respect to spam at least does not seem
vixie Indeed not. We currently have to maintain a large and complex
vixie distributed registry of ipv4 ptr patterns which are meaningless
vixie and must therefore be filtered out before making policy decisions
vixie about the presence/absence and match/doesn't of a ptr record and
vixie it's
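The "registry of ipv4 ptr patterns which are meaningless" that Vixie describes above is, in practice, a classifier that runs before any policy decision: a PTR that merely re-encodes the address carries no more information than "some PTR exists". The following is an added example, not code from the thread or from any real filtering registry; the naming patterns it recognises and the sample names it prints are constructed assumptions, not a description of any provider's scheme.

```python
"""Recognising address-derived ("generic") PTR names before they feed policy.

Added example, not code from the thread: a small classifier of the kind a
registry of PTR patterns is used for. The naming patterns and the sample
names are constructed assumptions, not any real provider's scheme.
"""
import ipaddress
import re
from typing import Optional


def is_address_derived(addr: str, ptr_name: str) -> bool:
    """True if ptr_name visibly encodes addr: decimal octets in order (either
    direction), hex octets, or an IPv6 address with ':' turned into separators."""
    ip = ipaddress.ip_address(addr)
    name = ptr_name.lower().rstrip(".")
    tokens = [t for t in re.split(r"[^0-9a-z]+", name) if t]
    squashed = "".join(tokens)                    # all separators removed
    hyphenated = re.sub(r"[^0-9a-z]", "-", name)  # every separator becomes '-'
    if ip.version == 4:
        octets = str(ip).split(".")
        if "".join(f"{int(o):02x}" for o in octets) in squashed:
            return True                           # e.g. host-4c660304
        # 76-102-3-4 or 4-3-102-76 as four consecutive labels/tokens
        return any(tokens[i:i + 4] in (octets, octets[::-1])
                   for i in range(len(tokens) - 3))
    # IPv6: full 32-nibble form, or the compressed form with ':' as separators
    return (ip.exploded.replace(":", "") in squashed
            or ip.compressed.replace(":", "-") in hyphenated)


def classify_ptr(addr: str, ptr_name: Optional[str]) -> str:
    """'absent', 'generic' or 'specific'. Only 'specific' says more than
    "some PTR exists", which is why generic names are filtered before policy."""
    if ptr_name is None:
        return "absent"
    return "generic" if is_address_derived(addr, ptr_name) else "specific"


if __name__ == "__main__":
    # Constructed samples (assumptions, not observed data).
    for addr, ptr in (("76.102.3.4", "76-102-3-4.dyn.example.net."),
                      ("76.102.3.4", "host-4c660304.example.net."),
                      ("76.102.3.4", "mail.example.net."),
                      ("2001:db8:f::1", "2001-db8-f--1.dyn.isp.net."),
                      ("2001:db8:f::1", None)):
        print(f"{addr:15} {ptr!s:40} {classify_ptr(addr, ptr)}")
```

A real registry would be a list of per-provider patterns rather than three generic heuristics, but the decision structure is the same: absent, generic, or specific, and only the last one is worth feeding into an accept/reject rule.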
In message 6c6d2bc0-4099-4f9c-ade4-f9dd021da...@fl1ger.de, Ralf Weber writes:
Hi!
Read this draft on the way to the IETF and while I saw there was a lot of
discussion around it I didn't read all of it, so forgive me if stuff has been
said before.
First I think it is good to have a
John Levine jo...@taugh.com wrote:
Do we know whether typical PTR checks look for existence or matching?
The ones I know all look for matching.
My understanding is that mail servers will often just do existence checks
because the matching check causes too much trouble for legitimate mail.
(My
Joel,
Thanks for this clarification on the process, I was on a plane :-)
On Nov 6, 2014, at 12:23 PM, joel jaeggli joe...@bogus.com wrote:
On 11/5/14 12:50 PM, Paul Vixie wrote:
the lack of consensus means it can't be a proposed standard, not that it
can't be an FYI, BCP or similar, right?
Andrew Sullivan wrote:
Especially in the absence of strong anti-spoofing mechanisms, like
the DNS Security Extensions, a check for matching reverse DNS mapping
should be regarded as an extremely weak form of authentication.
Considering that DNS Security Extension provides weak
Putting my ISP hat on, I'd have to agree with the security/stability
reasons (and several others I can think of). As of today, I have zero
incentive to let my residential customers create their own PTR records.
Better tools and systems may change this, but it would in any case be
*way*
sth...@nethelp.no wrote:
For our residential customers, we provide IPv4 PTRs which indicate
that this is a dynamic address. We *don't* plan to provide IPv6 PTRs
for those same customers.
That's fine.
But, what we need is opinions of ISPs which are allowing customers
supply PTRs for IPv4,
marka For in-addr.arpa you already have a PTR records. Allowing the
marka end user to set its content does not increase the amount of data
marka you are serving. It does increase the amount of churn in the
marka zone.
This draft isn't talking about v4. And $GENERATE or equiv already works
in
On Thu, Nov 06, 2014 at 08:24:35AM -0700, Paul Ebersman wrote:
marka Which won't work in IPv6 unless you synthesize the records on
marka demand.
And that's the plan, at least for $DAYJOB. And sign on the fly for those
of us signing our zones.
I'm going to take the risk of embarrassing myself
On 11/5/14 12:50 PM, Paul Vixie wrote:
Andrew Sullivan mailto:a...@anvilwalrusden.com
Wednesday, November 05, 2014 10:50 AM
On Wed, Nov 05, 2014 at 10:19:59AM -0800, 神明達哉 wrote:
https://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations-06
...
... I believed I had
Stupid thing I've been wondering: Is there a reason not to use wildcard
PTRs?
$ORIGIN 6.7.6.2.7.6.7.0.1.0.0.2.ip6.arpa.
* 604800 IN PTR home-ipv6-customer.isp.net.
This turns out to be a Well Known Bad Idea (WKBI).
Most PTR checks look up the name to be sure
On Nov 6, 2014, at 9:33 AM, John Levine jo...@taugh.com wrote:
Stupid thing I've been wondering: Is there a reason not to use wildcard
PTRs?
$ORIGIN 6.7.6.2.7.6.7.0.1.0.0.2.ip6.arpa.
* 604800 IN PTR home-ipv6-customer.isp.net.
This turns out to be a Well
On Thu, Nov 06, 2014 at 05:33:10PM -, John Levine wrote:
This turns out to be a Well Known Bad Idea (WKBI).
Most PTR checks look up the name to be sure there's a matching forward
( in this case) record, and ignore them if there isn't.
I see. Too bad. Is it any more feasible to
I think Evan was proposing that home-ipv6-customer.isp.net would also exist,
so a PTR check that looked for
*existence* would succeed, but one that looked for *matching* would fail for
most of those addresses.
Do we know whether typical PTR checks look for existence or matching?
The ones I
Paul Hoffman mailto:paul.hoff...@vpnc.org
Thursday, November 06, 2014 9:41 AM
...
Do we know whether typical PTR checks look for existence or matching?
in postfix, it's matching.
--
Paul Vixie
___
DNSOP mailing list
DNSOP@ietf.org
On Thu, Nov 06, 2014 at 09:41:57AM -0800, Paul Hoffman wrote:
I think Evan was proposing that home-ipv6-customer.isp.net would also exist,
so a PTR check that looked for *existence* would succeed, but one that looked
for *matching* would fail for most of those addresses.
Do we know whether
Most PTR checks look up the name to be sure there's a matching forward
( in this case) record, and ignore them if there isn't.
I see. Too bad. Is it any more feasible to adjust expectations for v6 in
this respect than it was when we were talking about not providing PTR for
v6 in the first
Evan Hunt mailto:e...@isc.org
Thursday, November 06, 2014 9:46 AM
I see. Too bad. Is it any more feasible to adjust expectations for v6 in
this respect than it was when we were talking about not providing PTR for
v6 in the first place?
sadly, ipv6 isn't deployed enough that a v6-only end
On Thu, Nov 06, 2014 at 09:41:57AM -0800, Paul Hoffman wrote:
Do we know whether typical PTR checks look for existence or matching?
It depends. (We covered this to some extent in that failed
reverse-tree draft.)
A
--
Andrew Sullivan
a...@anvilwalrusden.com
phoffman Do we know whether typical PTR checks look for existence or
phoffman matching?
johnl The ones I know all look for matching.
For MX/spam and for VPNs, seems to want matching. For more fringe uses
like NYT web, seems to just want a non-NXDOMAIN response.
I'd be nervous about wildcard
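The difference between an existence check and a matching check, and why the wildcard PTR proposal above fails the second one while an on-demand synthesis scheme (the approach Mark Andrews and Paul Ebersman mention earlier) passes it, is easiest to see by running both checks against a small stub resolver. The following is an added example, not code from the thread or from any named product. Everything in it is constructed: the 2001:db8::/32 documentation prefix, the isp.net names, the single forward record for home-ipv6-customer.isp.net, and the "32 hex nibbles as a label" synthesis scheme are all assumptions made for illustration.

```python
"""Existence vs. matching PTR checks for IPv6, run against a stub resolver.

Added example, not code from the dnsop thread. All zone data below is
constructed: isp.net, dyn.isp.net, home-ipv6-customer.isp.net and the
2001:db8::/32 documentation prefix are assumptions for illustration.
"""
import ipaddress
from typing import Optional, Set

# Constructed prefixes (assumptions): one /48 served by a wildcard PTR, one
# /48 whose PTRs are synthesized on demand from the address itself.
WILDCARD_PREFIX = ipaddress.IPv6Network("2001:db8:a::/48")
SYNTH_PREFIX = ipaddress.IPv6Network("2001:db8:f::/48")
WILDCARD_TARGET = "home-ipv6-customer.isp.net."
SYNTH_DOMAIN = "dyn.isp.net."


def reverse_name(addr: str) -> str:
    """ip6.arpa owner name for an address: 32 nibbles, reversed, one per label."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."


def zone_origin(net: ipaddress.IPv6Network) -> str:
    """ip6.arpa origin for a nibble-aligned prefix, i.e. the $ORIGIN of a /48."""
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed reverse zone: a single '*' PTR under the customer /48, the
# shape of the wildcard proposal quoted above.
PTR_RECORDS = {"*." + zone_origin(WILDCARD_PREFIX): WILDCARD_TARGET}

# Constructed forward zone: the wildcard target does exist, but it only holds
# the addresses an operator actually lists, here just one.
AAAA_RECORDS = {WILDCARD_TARGET: {ipaddress.IPv6Address("2001:db8:a::1")}}


def synth_hostname(addr: ipaddress.IPv6Address) -> str:
    """Assumed synthesis scheme: the 32 hex nibbles of the address as a label."""
    return addr.exploded.replace(":", "") + "." + SYNTH_DOMAIN


def synth_address(name: str) -> Optional[ipaddress.IPv6Address]:
    """Inverse of synth_hostname; None if the name is not of that form."""
    suffix = "." + SYNTH_DOMAIN
    if not name.endswith(suffix):
        return None
    label = name[: -len(suffix)]
    if len(label) != 32 or any(c not in "0123456789abcdef" for c in label):
        return None
    return ipaddress.IPv6Address(":".join(label[i:i + 4] for i in range(0, 32, 4)))


def lookup_ptr(addr: str) -> Optional[str]:
    """Stub PTR lookup: exact owner, then closest '*' owner, then synthesis."""
    owner = reverse_name(addr)
    if owner in PTR_RECORDS:
        return PTR_RECORDS[owner]
    labels = owner.split(".")
    for i in range(1, len(labels)):            # simplified RFC 4592 wildcard walk
        candidate = "*." + ".".join(labels[i:])
        if candidate in PTR_RECORDS:
            return PTR_RECORDS[candidate]
    a = ipaddress.IPv6Address(addr)
    if a in SYNTH_PREFIX:                      # synthesized, never stored in a zone
        return synth_hostname(a)
    return None                                # NXDOMAIN


def lookup_aaaa(name: str) -> Set[ipaddress.IPv6Address]:
    """Stub AAAA lookup: explicit records first, then the synthesized form."""
    if name in AAAA_RECORDS:
        return set(AAAA_RECORDS[name])
    decoded = synth_address(name)
    if decoded is not None and decoded in SYNTH_PREFIX:
        return {decoded}
    return set()


def ptr_exists(addr: str) -> bool:
    """The weak check: any non-NXDOMAIN PTR answer passes."""
    return lookup_ptr(addr) is not None


def ptr_matches(addr: str) -> bool:
    """The matching check (FCrDNS): the PTR target's AAAA set must contain addr."""
    target = lookup_ptr(addr)
    if target is None:
        return False
    return ipaddress.IPv6Address(addr) in lookup_aaaa(target)


if __name__ == "__main__":
    for a in ("2001:db8:a::1", "2001:db8:a:1::42", "2001:db8:f::1", "2001:db8:ffff::1"):
        print(f"{a:20} exists={ptr_exists(a)!s:5} matches={ptr_matches(a)}")
```

Under the wildcard, every address in the /48 passes the existence check but only the one address listed under home-ipv6-customer.isp.net passes the matching check; under synthesis, every address passes both, because the forward answer is computed from the same encoding as the reverse one. The synthesized PTR is also exactly the kind of address-derived name a receiver would want to recognise as generic rather than treat as a real host name.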
In message 20141106152435.7ad4caa0...@fafnir.remote.dragon.net, Paul Ebersman
writes:
marka For in-addr.arpa you already have a PTR records. Allowing the
marka end user to set its content does not increase the amount of data
marka you are serving. It does increase the amount of churn in
At Sat, 01 Nov 2014 16:31:07 -0700,
Paul Vixie p...@redbarn.org wrote:
if there were an RFC (let's be charitable and assume it would have to be
an FYI due to lack of consensus) that gave reasons why PTR's would be
needed and reasons why the absence might be better (so, internet access
vs.
On Wed, Nov 05, 2014 at 10:19:59AM -0800, 神明達哉 wrote:
I guess
https://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations-06
personally think if we can agree on the content this time, such a
document will be very useful, but we should carefully learn from the
previous
Andrew Sullivan mailto:a...@anvilwalrusden.com
Wednesday, November 05, 2014 10:50 AM
On Wed, Nov 05, 2014 at 10:19:59AM -0800, 神明達哉 wrote:
https://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations-06
...
... I believed I had watered down the draft so thoroughly that it
On Wed, Nov 05, 2014 at 12:50:42PM -0800, Paul Vixie wrote:
the lack of consensus means it can't be a proposed standard, not that it
can't be an FYI, BCP or similar, right?
AFAIK we were planning only for informational. The chairs called
WGLC, it ran, there was some ranting, then some months
Or we could stop debating whether we should maintain it and assume
that if we give people tools that will allow it to be automatically
maintained they will eventually deploy them.
A lot of the issue is that the tools aren't out there yet.
Document what a node should do to register itself in the
On Nov 5, 2014, at 3:59 PM, Andrew Sullivan a...@anvilwalrusden.com wrote:
AFAIK we were planning only for informational. The chairs called
WGLC, it ran, there was some ranting, then some months later one of
the chairs told me that they weren't sure what to do. To publish
something as a WG
Re-reading it today, it seems to me the text was altogether milquetoast.
I agree. The points that Vixie notes are entirely true, and it's hard
to imagine a good reason not to document them for the benefit of
people who want to, you know, interoperate.
R's,
John
marka Or we could stop debating whether we should maintain it and
marka assume that if we give people tools that will allow it to be
marka automatically maintained they will eventually deploy them.
For providers with millions or tens of millions of end customers, any
system that just lets any
marka Or we could stop debating whether we should maintain it and
marka assume that if we give people tools that will allow it to be
marka automatically maintained they will eventually deploy them.
[...]
marka Document what a node should do to register itself in the reverse
marka tree and to
On Thu, Nov 06, 2014 at 08:00:20AM +1100, Mark Andrews wrote:
Or we could stop debating whether we should maintain it and assume
that if we give people tools that will allow it to be automatically
maintained they will eventually deploy them.
Yeah, that's worked so far! No reason it
In message 20141105231214.gk31...@mx1.yitter.info, Andrew Sullivan writes:
On Thu, Nov 06, 2014 at 08:00:20AM +1100, Mark Andrews wrote:
Or we could stop debating whether we should maintain it and assume
that if we give people tools that will allow it to be automatically
maintained they
In message 20141105215548.27d51a91...@fafnir.remote.dragon.net, Paul Ebersman
writes:
marka Or we could stop debating whether we should maintain it and
marka assume that if we give people tools that will allow it to be
marka automatically maintained they will eventually deploy them.
For
In message 20141105222034.5fe40a92...@fafnir.remote.dragon.net, Paul Ebersman
writes:
marka Or we could stop debating whether we should maintain it and
marka assume that if we give people tools that will allow it to be
marka automatically maintained they will eventually deploy them.
[...]
marka Or we could stop debating whether we should maintain it and
marka assume that if we give people tools that will allow it to be
marka automatically maintained they will eventually deploy them.
For providers with millions or tens of millions of end customers, any
system that just
Hi George, and all.
I've just caught up on this thread, and it strikes me that there is (it
seems) an operational gap with the omission of the problem statement.
On 3/11/2014 2:36 pm, George Michaelson g...@algebras.org wrote:
[snip]
We don't have any failure to delegate the parent blocks
I think thats pretty well completely fair Terry. I think you capture the
qualities well.
But if you put DNSSEC back in the equation, add sufficient value to the
assertive-trust side of what would be said inside it, and the
follows-the-delegation-chain aspect, I think it has potential to have more
but, separately from that, if PTR's have high and low uses, we should
document that, so that NYT (or whomever) ...
Can whoever mentioned the NY Times offer more clues about what they're
rejecting? My cable connection happens to have IPv6 with no rDNS, and
I can't even find a v6 address at the
ebersman I don't even know how many broken sites there are and I don't
ebersman care to waste valuable staff time tilting at this
ebersman windmill. ...
vixie no worries. meanwhile i'm going to try to build an internet that
vixie can grow for 200 more years.
Suddenly being socially responsible
ebersman So your grand scheme is
vixie decorum?
No objections here if you succeed. :)
ebersman ... to limit who can get v6 PTRs and that will be the new
ebersman standard of whether or not you're tall enough to send email
ebersman with the big boys?
vixie yes.
Well, for my $DAYJOB, that's
knowing it's not the root issue, I would like to remind people the RIR
system for rDNS delegation is almost entirely automatic from our various
portals, and WHOIS based nserver mechanisms. It's not hard to do the top
part. We're not roadblocking.
We don't have any failure to delegate the parent
On Sat, 1 Nov 2014, John Levine wrote:
I entirely agree ... the fact that reverse DNS works as a heuristic (and
not an especially key heuristic) for IPv4 is not a reason for the
considerable effort required to try and make it work as an equally
flawed heuristic on IPv6.
There is a heuristic
There is a heuristic that says any host which is intended to act as a
server visible to hosts on the public Internet should have matching
forward and reverse DNS. (It does not say the converse; the presence
of DNS doesn't mean a host is good, the absence means it's bad.) This
seems to me to be
John Levine mailto:jo...@taugh.com
Saturday, November 01, 2014 1:51 PM
I entirely agree ... the fact that reverse DNS works as a heuristic (and
not an especially key heuristic) for IPv4 is not a reason for the
considerable effort required to try and make it work as an equally
flawed
vixie if there were an RFC (let's be charitable and assume it would
vixie have to be an FYI due to lack of consensus) that gave reasons why
vixie PTR's would be needed and reasons why the absence might be better
vixie (so, internet access vs. internet service), then that RFC might
vixie give our
On Fri, Oct 31, 2014 at 1:28 AM, Paul Vixie p...@redbarn.org wrote:
...
i suggest an efficiency improvement: don't manufacture these PTR's in the
first place. let last-mile devices be PTR-free. signal to anti-spam folks,
such as myself, by this method, that these are not real hosts and
Bob Harold wrote:
I recall running into applications that refused to accept connections (or
took a very long time) if the reverse DNS lookup was not found. If memory
serves, telnet and ssh on some hosts. Do we know if there are still
applications like that?
Ubuntu has a long-standing bug
Not sure why Paul Vixie wants to relegate my IPv6 address to third class
citizen that's not good enough to be a peer on the Internet for port 25. I'd
ask him, but his mail server refuses my email due to my ISP's lack of reverse
IPv6 :p
I'm all for anti-spam heuristics, but checking the reverse
Not sure why Paul Vixie wants to relegate my IPv6 address to third class
citizen that's
not good enough to be a peer on the Internet for port 25. I'd ask him, but his
mail server
refuses my email due to my ISP's lack of reverse IPv6 :p
I'm all for anti-spam heuristics, but checking the reverse
Bob Harold mailto:rharo...@umich.edu
Friday, October 31, 2014 6:02 AM
...
I recall running into applications that refused to accept connections
(or took a very long time) if the reverse DNS lookup was not found.
If memory serves, telnet and ssh on some hosts. Do we know if there
are
On Fri, 31 Oct 2014, Paul Vixie wrote:
if you have a business grade connection to the internet, you should be
able to establish a PTR for each real host.
Oh, you want me to pay an additional $2000/month to use IPv6 with email.
in other words i didn't relegate your address to third party
Paul Wouters mailto:p...@nohats.ca
Friday, October 31, 2014 9:29 AM
On Fri, 31 Oct 2014, Paul Vixie wrote:
if you have a business grade connection to the internet, you should be
able to establish a PTR for each real host.
Oh, you want me to pay an additional $2000/month to use IPv6 with
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
In message 5453adcd.7090...@redbarn.org, Paul Vixie p...@redbarn.org
writes
and yet, every proposal i've seen concerning IPv6 PTR screams silently,
PTR is an old-internet concept which no longer applies. it's as if we
were trying to placate a bunch
In message 16VeoWCqs8UUFA$s...@highwayman.com, Richard Clayton writes:
In message 5453adcd.7090...@redbarn.org, Paul Vixie p...@redbarn.org
writes
and yet, every proposal i've seen concerning IPv6 PTR screams silently,
PTR is an old-internet
On 10/23/14 5:17 PM, Mark Andrews ma...@isc.org wrote:
In message d06e91ee.72e46%...@asgard.org, Lee Howard writes:
From: Mwendwa Kivuva kiv...@transworldafrica.com
Date: Thursday, October 23, 2014 7:23 AM
To: dnsop dnsop@ietf.org
Subject: [DNSOP] Draft Reverse DNS in IPv6
Lee,
I don't see any discussion in your draft about why rDNS is needed in
this space. IME there are typically 2 uses cases:
1. Residential users, or more specifically, those who will not
be/should not be running services on their addresses
2. Commercial users, who may be running things
To: dnsop dnsop@ietf.org
Subject: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service
Providers
Referring to the draft by Lee Howard
https://tools.ietf.org/html/draft-howard-dnsop-ip6rdns-00
and given the weakness of the Reverse DNS access for security purposes, what
problem
On Oct 30, 2014, at 6:05 PM, Doug Barton do...@dougbarton.us wrote:
1. Residential users, or more specifically, those who will not be/should
not be running services on their addresses
This is not a value judgment the IETF should be making.
On 10/30/14 6:02 PM, Ted Lemon wrote:
On Oct 30, 2014, at 6:05 PM, Doug Barton do...@dougbarton.us wrote:
1. Residential users, or more specifically, those who will not be/should not
be running services on their addresses
This is not a value judgment the IETF should be making.
Of course
Doug Barton mailto:do...@dougbarton.us
Thursday, October 30, 2014 9:00 PM
Of course not, but it is one that the ISP makes, and that distinction
is useful to the anti-spam folks.
IETF should not be making judgements as to what an ISP will value,
because not all ISPs behave as you
P Vixie wrote:
Ohta-san, like you I would like to see stateless address auto
configuration for ipv6 (SLAAC) die in a fire. Sadly this outcome is
beyond our powers.
Not necessarily.
Let's start from where we are, no matter how unpleasant that place
may be. Vixie
From where we are, fix
Referring to the draft by Lee Howard
https://tools.ietf.org/html/draft-howard-dnsop-ip6rdns-00
and given the weakness of the Reverse DNS access for security purposes,
what problem is this draft trying to solve? If we need to find the host
that has sent an email associated with an address, would we
and given the weakness of the Reverse DNS access for security purposes, what
problem is this draft trying to solve? If we need to find the host that has
sent an email associated with an address, would we better let DKIM address that
without a separate lookup in the receiving server? DKIM
On Oct 23, 2014, at 7:23 AM, Mwendwa Kivuva kiv...@transworldafrica.com wrote:
and given the weakness of the Reverse DNS access for security purposes, what
problem is this draft trying to solve? If we need to find the host that has
sent an email associated with an address, would we better let
From: Mwendwa Kivuva kiv...@transworldafrica.com
Date: Thursday, October 23, 2014 7:23 AM
To: dnsop dnsop@ietf.org
Subject: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers
Referring to the draft by Lee Howard
https://tools.ietf.org/html/draft-howard-dnsop-ip6rdns-00
Ted Lemon mailto:ted.le...@nominum.com
Thursday, October 23, 2014 7:02 AM
For me at least the main values of the reverse DNS are:
- answers the question what host is contacting me in situations
where I am _not_ under attack, which is really useful in logs and
other debugging and network
On Oct 23, 2014, at 1:50 PM, Paul Vixie p...@redbarn.org wrote:
william simpson was right in 1996. we should have moved get host name
corresponding to IP to ICMP. the problems described by lee howard's draft
are proof that our whole model is wrong.
Right, 'cuz there's nothing at all
Ted Lemon mailto:ted.le...@nominum.com
Thursday, October 23, 2014 11:16 AM
Right, 'cuz there's nothing at all difficult about getting ICMP to
work... :)
understood. but that's part of what makes this a good solution. systems
need to learn to live with hosts whose names they cannot guess.
Paul Vixie wrote:
william simpson was right in 1996. we should have moved get host
name corresponding to IP to ICMP. the problems described by lee
howard's draft are proof that our whole model is wrong.
Wrong. What's wrong is SLAAC, which is stateful in the worst
possible fashion with
Ohta-san, like you I would like to see stateless address auto configuration for
ipv6 (SLAAC) die in a fire. Sadly this outcome is beyond our powers. Let's
start from where we are, no matter how unpleasant that place may be. Vixie
--
Sent from my Android device with K-9 Mail. Please excuse my