[AusNOG] IPv6 reverse DNS and Mail ...

Mark Andrews marka at isc.org
Tue May 21 17:44:56 EST 2013


In message <1369120011.7313.27.camel at tardis>, Noel Butler writes:
> On Tue, 2013-05-21 at 09:53 +1000, Karl Auer wrote:
>
> > On Tue, 2013-05-21 at 09:04 +1000, Noel Butler wrote:
> > >  SHANE wrote:
> > > > > If the customer isn't getting their mail, you're not doing your
> > > > > job.
> > >
> > > Ummm, no, if the client gets more that could have easily been
> > > stopped -
> > > I'm not doing my job.
> >
> > And right there is the tension between two equally worthy goals. "Our
> > job" is making the right judgement and striking the right balance
> > between the two requirements.
> >

Actually the job is to let through legitimate email without letting
through spam.  Mis-classification in either direction is bad.

> You will never really make everyone happy; it will never happen, ever.
> Doing it Shane's way will only make the spammers happy.
>
>
> > Dropping an email *only* because the sender has no PTR record, is IMHO
> > going too far in one direction. The lack of a PTR is just one of many
>
>
> quick look at yesterday on just one box
> 5xx Reject unknown client host              45.71%
>
> That's a rather large chunk of trash that amavisd doesn't have to look
> at

It's also potentially a large number of false positives.

> > IPv6 (which is where this discussion started!) opens up the local LAN.
> > NAT disappears, and local subnets become very large, globally
> > addressable, and globally reachable (modulo any desired firewalling). It
>
>
> You don't just chuck a box online do you though, as you indicated you
> take the time to set up firewalls, as well as what daemons you want to
> run; again, DNS takes mere seconds, even to add by hand.
>
>
> > is *easy* to run servers in the home. No UPnP, no port forwarding,
>
> True, so when you're configuring postfix, dovecot, apache, whatever,
> configure bind, edit your details in your provider's portal if you're not
> authoritative, or a home or small business user can ask their ISP to set
> PTR, yes, I know, my bad for suggesting somebody actually do some
> work :)

Which requires ISPs to delegate or support updating PTR records.
Technically that is easy.  Getting ISPs to accept that they need
to do it is a different thing.  There may not be an ISP in your
area that supports it for residential customers on DSL/Cable, or
are you saying that residential customers should be forced back
to dialup modem?

> > One thing that is *not* likely to change without customer pressure is
> > the lack of reverse delegation to such peers. Not that it is
>
>
> Most decent and serious operators in the U.S. learnt a looooong time
> ago, back when AOL were a real force, and they added PTR checking, the
> problem here is, too many lazy people, too many "charged with
> responsibility" that have no experience (not their fault, but a little
> research does go a long way - we all started somewhere).
>
>
>
> > So I would suggest that in the IPv6 world that is coming (slowly :-)
> > dropping email based solely on a lack of PTR record is a
> > business-damaging, community-damaging, customer-damaging, user-damaging
>
>
> If they have not learnt from IPv4 days, there is little hope now.

With IPv4 you can take all the IPv4 address space delegated to
you, create a PTR for each address and serve it using stock
nameservers.  Doing that with IPv6 is impossible.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
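Two things in this thread are easy to check in code: why "a PTR for every address" works for an IPv4 allocation and not for an IPv6 one, and what the "Reject unknown client host" count above actually measures. The block below is an added example, not code from the post or from any of the participants. It generates a one-PTR-per-address reverse zone for a small IPv4 block (the stock-nameserver approach Mark describes), compares the record count with an IPv6 /64, and classifies a client IP by the three conditions a forward-confirmed reverse DNS check tests (no PTR, PTR name with no address record, or address not matching the client), which is what Postfix's reject_unknown_client_hostname does. The DNS data is a constructed in-memory table; the hostname pattern and the 192.0.2.0/24 and 2001:db8::/64 documentation prefixes are assumptions for the example.

```python
# Added example for this thread (not code from the original post or from
# any of the participants). It shows (1) why "a PTR for every address"
# is feasible for an IPv4 block but not for an IPv6 one, and (2) the
# three conditions a forward-confirmed reverse DNS (FCrDNS) "unknown
# client" check tests. All DNS data below is a constructed in-memory table.
import ipaddress

def ptr_records(network, domain):
    """One PTR per address in an IPv4 block, as (owner, target) pairs in
    the form a stock nameserver can load. Refuses anything that is not a
    small IPv4 block: the same approach cannot scale to an IPv6 /64."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.num_addresses > 2 ** 16:
        raise ValueError(f"{network}: too many addresses to enumerate")
    records = []
    for addr in net:
        owner = addr.reverse_pointer + "."          # e.g. 1.2.0.192.in-addr.arpa.
        target = f"{str(addr).replace('.', '-')}.{domain}."   # assumed naming pattern
        records.append((owner, target))
    return records

def zone_text(network, domain, ttl=3600):
    """Render the records as zone-file lines."""
    return "\n".join(f"{owner} {ttl} IN PTR {target}"
                     for owner, target in ptr_records(network, domain))

def addresses_in(network):
    """Number of PTR records a 'one per address' policy would need."""
    return ipaddress.ip_network(network, strict=False).num_addresses

# Constructed DNS view used by the FCrDNS check below (not real data).
PTR_TABLE = {
    "192.0.2.1": ["mail.example.net."],
    "192.0.2.2": ["mail.example.net."],   # PTR exists but forward does not match
    "192.0.2.3": ["ghost.example.net."],  # PTR name has no address record
}
ADDR_TABLE = {
    "mail.example.net.": ["192.0.2.1"],
}

def fcrdns_status(client_ip, ptr_lookup=PTR_TABLE.get, addr_lookup=ADDR_TABLE.get):
    """Classify a client the way an 'unknown client' check does:
    'no-ptr'     - ip -> name mapping fails
    'no-forward' - name -> ip mapping fails for every PTR name
    'mismatch'   - forward lookups succeed but none equals the client IP
    'ok'         - some PTR name resolves back to the client IP
    The lookup callables are injected so the check runs offline here;
    in a real resolver each would be a PTR or A/AAAA query."""
    names = ptr_lookup(client_ip) or []
    if not names:
        return "no-ptr"
    saw_forward = False
    for name in names:
        addrs = addr_lookup(name) or []
        if addrs:
            saw_forward = True
        if client_ip in addrs:
            return "ok"
    return "mismatch" if saw_forward else "no-forward"

if __name__ == "__main__":
    print(zone_text("192.0.2.0/29", "example.net"))
    print("IPv4 /24 needs", addresses_in("192.0.2.0/24"), "PTR records")
    print("IPv6 /64 needs", addresses_in("2001:db8::/64"), "PTR records")
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"):
        print(ip, fcrdns_status(ip))
```

Only the "ok" outcome passes a strict unknown-client check; the other three are the cases that end up in a reject count like the 45.71% figure quoted above, and they include hosts whose only fault is an ISP that never published a PTR, which is the false-positive risk Mark points at.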


