[AusNOG] IPv6 reverse DNS and Mail ...

Mark Andrews marka at isc.org
Wed May 22 09:48:02 EST 2013


In message <1369174010.4055.23.camel at tardis>, Noel Butler writes:
>
> On Tue, 2013-05-21 at 17:44 +1000, Mark Andrews wrote:
>
>
> >
> > Actually the job is to let through legitimate email without letting
> > through spam.  Mis-classification in either direction is bad.
> >
>
>
> We agree on that, mail administration will forever be a fine line
> balancing act.
> It's also for that very reason I refuse to have anything to do with
> these "hardware" anti spam devices, the two most common ones (without
> naming them I'm sure you know who) have both been plagued by misdirected
> rules on many occasions.
>
>
> > > quick look at yesterday on just one box
> > > 5xx Reject unknown client host              45.71%
> > >
> > > That's a rather large chunk of trash that amavisd doesn't have to look
> > > at
> >
> > It's also potentially a large number of potential false positives.
> >
>
>
> Potential? Yes, but due to the number of (or should I say lack thereof)
> complaints, the reality is very different.
>
>
>
> > > True, so when you're configuring postfix, dovecot, apache, whatever,
> > > configure bind, edit your details in your provider's portal if you're not
> > > authoritative, or a home or small business user can ask their ISP to
> > > set PTR, yes, I know, my bad for suggesting somebody actually do some
> > > work :)
> >
> > Which requires ISP's to delegate or support updating PTR records.
> > Technically that is easy.  Getting ISPs to accept that they need
> > to do it is a different thing.  There may not be a ISP in your
> > area that supports it for residential customers on DSL/Cable or
> > are you saying that residential customers should be forced back
> > to dialup modem?
>
> OK, so for residential customers, well, how many mail servers do you
> want on your home LAN? I dunno bout you, but I only need one (my sec's
> are off-site of course), so there is only one box with one IP for their
> MX they need to make sure has complete DNS, so, why does what they have
> been doing for past twenty years with reverse DNS at home have to
> change? I have had personal PTR for home IP for over ten years (to be
> fair, exclude 4 of them, since I was in charge of DNS at an ISP and
> could add/change it myself) but of the residential DSL SP's I've used I
> had no trouble getting custom PTR's, I did have to pay one of them a
> once off small and reasonable fee, and another ISP a recurring small
> fee, my current ISP cost me nothing more than an Email - So again, why
> does that need to change, someone has to take the time to change it, or,
> develop the interface to let the end users change it, be it IPv4, IPv6,
> and whatever succeeds it.

And the ISP for IPv4 *knows* the address you will be using because the
mail server is behind a NAT.  For IPv6 the server is NOT behind a
NAT.  It could be on any one of 1208925819614629174706176 addresses
allocated to the home.

> > > If they have not learnt from IPv4 days, there is little hope now.
> >
> > With IPv4 you can take all the IPv4 address space delegated to
> > you, create a PTR for each address and serve it using stock
> > nameservers.  Doing that with IPv6 is impossible.
> >
>
> That's only because bind's GENERATE option was not changed to work with
> IPv6, I've to be honest never used anything else, did try DJB
> abomination at one stage many years back but that didn't last too long I
> can assure you LOL, but who knows, when IPv6 becomes in serious use,
> powerdns might make it happen, or your colleagues who I know are not
> keen on the idea now, may change their mind as well.

BIND's $GENERATE command will create the records and add them to
the zone.  The resulting zone can be slaved by any other DNS server
in the world.  To do this for IPv6 one would have to generate
1208925819614629174706176 PTR records for a /48.  When you can buy
a machine that can hold that many PTR records, or can even generate
them before you die, let me know.  At a billion records a second
that will take 38334786 years.

> At less than 1% global IPv6 utilisation I can understand why no-ones too
> interested, likely playing the wait and see game.

You mean the 1.4% on an exponential part of the classic S growth curve.

http://www.google.com/ipv6/statistics.html

It isn't wait and see.  It is here now.  The only thing holding it
back now is ISP's failing to offer IPv6 to their customers along
with instructions to replace their router.  Eyeball ISPs will see
+50% of traffic switch to IPv6 for each customer they turn on where
turning on includes replacing the router.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
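As an added illustration of the arithmetic in the message above (example code, not from the thread, from BIND, or from either author), the following Python enumerates PTR records for an IPv4 prefix the way $GENERATE would, refuses a prefix too large to enumerate, and computes the record count and years-at-a-billion-records-per-second for an IPv6 /48. The prefixes, the host-name pattern and the record cap are constructed assumptions.

```python
import ipaddress

# Constructed sample inputs (documentation ranges, not from the thread).
IPV4_PREFIX = "192.0.2.0/24"
IPV6_PREFIX = "2001:db8::/48"
RECORDS_PER_SECOND = 1_000_000_000   # the message's "billion records a second"
SECONDS_PER_YEAR = 365 * 24 * 3600   # 365-day years, matching the 38334786 figure
MAX_ENUMERATED = 2 ** 16             # assumed cap: enumerate at most a /16 or a /112


def ptr_records(network, host_domain, max_records=MAX_ENUMERATED):
    """Enumerate (owner, target) PTR pairs for every address in `network`,
    as a $GENERATE line would. Refuses prefixes with more than `max_records`
    addresses instead of trying to materialise an IPv6 block."""
    net = ipaddress.ip_network(network)
    if net.num_addresses > max_records:
        raise ValueError(
            f"{network} has {net.num_addresses} addresses; refusing to enumerate")
    for addr in net:
        # Constructed naming scheme: host-<dotted address with '-'>.<domain>.
        label = str(addr).replace(".", "-").replace(":", "-")
        yield addr.reverse_pointer + ".", f"host-{label}.{host_domain}."


def ipv6_reverse_name(address):
    """Owner name for one IPv6 PTR: all 32 nibbles reversed under ip6.arpa."""
    return ipaddress.IPv6Address(address).reverse_pointer + "."


def generation_cost(network, records_per_second=RECORDS_PER_SECOND):
    """Number of PTR records needed to cover `network` and the whole years
    it would take to emit them at `records_per_second`."""
    count = ipaddress.ip_network(network).num_addresses
    years = count // (records_per_second * SECONDS_PER_YEAR)
    return count, years


if __name__ == "__main__":
    for owner, target in list(ptr_records(IPV4_PREFIX, "example.net"))[:3]:
        print(f"{owner} PTR {target}")
    print(ipv6_reverse_name("2001:db8::1"))
    print(generation_cost(IPV4_PREFIX), generation_cost(IPV6_PREFIX))
```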