[AusNOG] FW: IPv6 reverse DNS and Mail ...

Sean K. Finn sean.finn at ozservers.com.au
Mon May 20 16:38:43 EST 2013


Trouble with IPv6 Reverse DNS and don't know where to start?

Here's the Step-1 cheat sheet, abridged version:

http://matthope.net/2011/08/reverse-dns-for-ipv6-ptr-ranges/

If that link doesn't work for you, check out this guy's Power-DNS-Piping Script:

http://hyse.org/v6rev/

Every IP has a bogus and useless IPv6 DNS record, and bam, everyone's happy, including the RFC Police.

If you want to get more complex, go for it, get funky.

S.
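
As an added illustration of what the two linked posts do (this is not code from the post or from either linked script, and the prefix 2001:db8:1234::/48 and the domain v6.example.net are constructed placeholders), the following Python sketches the synthesis side of "every IP gets a reverse": a nibble-reversed ip6.arpa name is mapped back to an address, a hostname is generated from that address, and the matching AAAA is synthesized from the hostname so that a forward-confirmed reverse DNS check (PTR, then AAAA of the PTR target, then compare) passes. The answer() function stands in for what a PowerDNS pipe backend would return; the pipe protocol itself is not implemented here. Note the caveat the thread itself raises: such records satisfy FCrDNS but say nothing about the host behind the address.

```python
import ipaddress
import string

# Constructed assumptions for the example: the prefix we are authoritative
# for and the domain under which synthesized hostnames live.
PREFIX = ipaddress.IPv6Network("2001:db8:1234::/48")
DOMAIN = "v6.example.net"

HEX = set(string.hexdigits.lower())


def address_to_arpa(addr):
    """Return the fully qualified ip6.arpa name for an IPv6 address."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."


def arpa_to_address(name):
    """Parse a full 32-nibble ip6.arpa name back into an IPv6Address.

    Raises ValueError for anything that is not a complete, well-formed name
    (a shorter name would be a delegation point, not a host)."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not an ip6.arpa name")
    nibbles = labels[:-2]
    if len(nibbles) != 32 or any(len(n) != 1 or n not in HEX for n in nibbles):
        raise ValueError("not a full 128-bit ip6.arpa name")
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))


def synth_hostname(addr):
    """Synthesize a hostname from the 32 hex digits of the expanded address."""
    addr = ipaddress.IPv6Address(addr)
    return f"{addr.exploded.replace(':', '')}.{DOMAIN}."


def hostname_to_address(host):
    """Inverse of synth_hostname; ValueError if the name is not ours."""
    labels = host.rstrip(".").lower().split(".")
    if ".".join(labels[1:]) != DOMAIN:
        raise ValueError("not under our synthesized domain")
    hexpart = labels[0]
    if len(hexpart) != 32 or any(c not in HEX for c in hexpart):
        raise ValueError("hostname is not 32 hex digits")
    return ipaddress.IPv6Address(int(hexpart, 16))


def answer(qname, qtype):
    """Synthesized RDATA for a PTR or AAAA query, or None for 'no such record'.

    Only addresses inside PREFIX are answered, so a query for space we do not
    own (or a malformed name) gets no synthesized record."""
    qname = qname.lower()
    if qtype == "PTR" and qname.endswith(".ip6.arpa."):
        try:
            addr = arpa_to_address(qname)
        except ValueError:
            return None
        return synth_hostname(addr) if addr in PREFIX else None
    if qtype == "AAAA" and qname.endswith("." + DOMAIN + "."):
        try:
            addr = hostname_to_address(qname)
        except ValueError:
            return None
        return str(addr) if addr in PREFIX else None
    return None


def fcrdns_ok(addr):
    """Forward-confirmed reverse DNS against the synthesized answers:
    PTR for the address, then AAAA for that name, then compare."""
    ptr = answer(address_to_arpa(addr), "PTR")
    if ptr is None:
        return False
    fwd = answer(ptr, "AAAA")
    return fwd is not None and ipaddress.IPv6Address(fwd) == ipaddress.IPv6Address(addr)


if __name__ == "__main__":
    for a in ("2001:db8:1234:abcd::5", "2001:db8:9999::1"):
        print(a, address_to_arpa(a), answer(address_to_arpa(a), "PTR"), fcrdns_ok(a))
```

A real pipe backend would also have to answer the SOA and NS for the reverse zone and for the forward domain, and should pick a hostname shape that cannot collide with real hosts under DOMAIN; both are left out here to keep the mapping logic in view.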


-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Mark Delany
Sent: Monday, May 20, 2013 4:26 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] IPv6 reverse DNS and Mail ...

On 20May13, Peter Tiggerdine allegedly wrote:

> So we should all just ignore RFC's because our largest trading partner 
> decide they don't want to play by the same rules as the rest of the world.. WTF?

For some reason you think that all RFCs are perfect and are always pragmatically based. Where did you get that idea from?

Geeks have been banging the "must have a reverse" drum for, what, 20 years now? The evidence is in, it's a lost cause because time-pressed admins rarely waste their time on useless fluff that is a maintenance headache.

> How exactly is it more difficult than forward records?

Well, for a start arranging the delegation of reverse can be a lot more difficult. If your ISP doesn't do a good job, or doesn't want to delegate you have zero recourse. Managing your forwards is completely under your control and does not require co-operation from any upstream delegation.

Second, nothing stops working if the reverses are missing or wrong. Third, if they get out-of-date nothing knows or cares. Fourth, if you make completely bogus entries in your reverses, you make the RFC Police happy, but what is that really achieving apart from demonstrating basic scripting skills?

In any event, it's not a question of difficulty, it's a question of cost/benefit. And as we see all the time, a lot of places don't believe that one exists.

When you block on a missing reverse, you're mostly using that as a proxy to recognize an overworked or under-trained admin or a recalcitrant upstream provider. None of these have much bearing on what is being run on that IP.

So I guess if your goal is to punish an overworked admin, continue to block away.


The other problem is that spammers are well aware that a lack of reverse is used by some naive filters, so guess what? They retry the same payload to you from another IP if the first IP fails. They will keep going until one of their IPs is accepted by you.

You may smugly think you've blocked them, and they smugly know that they got to you via another route.

For those who believe that blocking on a lack of reverse truly stops spam, how do you know it didn't show up some time later on an IP that happens to have a reverse?


Mark.
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
