[dns-operations] IPv6 PTR records

Andrew Sullivan ajs at shinkuro.com
Fri Dec 17 16:31:58 UTC 2010

On Fri, Dec 17, 2010 at 10:07:12AM -0600, Douglas C. Stephens wrote:

> expect to be able to do so under IPv6.  A case in point is SSHd.  Many of the other
> sites running SSHd to which my customers connect are using versions of SSHd which
> stall and time out if PTR records for my client-side IPs are not available.  Further,
> a sizeable fraction of those other sites still use hostname-based ACL mechanisms (in
> spite of the long-standing stupidity of doing so).  When these connections fail or are
> extremely slow to connect, I get very growly customers.  Therefore, we intend to
> roll out matching IPv6 AAAA/PTR records.

Reducing your own pain is an excellent reason to roll out matching
reverse records, for sure, but you're quite right in noting that
anyone attempting to use the reverse tree for any manner of security
is nuts (at the very least, in the absence of DNSSEC.  I guess there
are people who argue you could get something useful from this in the
presence of DNSSEC).


Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
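
Added example, not part of the original message: a small audit of the "matching AAAA/PTR" roll-out discussed above. It checks that each published IPv6 address has a PTR whose name resolves back to that address. All host names and records are constructed sample data in the 2001:db8::/32 documentation prefix, and the function names are illustrative.

```python
import ipaddress

def ptr_owner(addr):
    """ip6.arpa owner name for an IPv6 address: 32 nibbles, reversed."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."

# Constructed sample zone data, not real records.
AAAA = {
    "client1.example.net.": ["2001:db8:10::1"],
    "client2.example.net.": ["2001:db8:10::2"],
    "client3.example.net.": ["2001:db8:10::3"],
}
PTR = {
    ptr_owner("2001:db8:10::1"): "client1.example.net.",
    # client2 has no PTR: the case that makes remote sshd stall.
    # client3 was renamed but its PTR still carries the old name.
    ptr_owner("2001:db8:10::3"): "old-name.example.net.",
    # Whoever holds the reverse zone for this address chooses the PTR
    # content, so it can name a host that belongs to someone else.
    ptr_owner("2001:db8:99::66"): "client1.example.net.",
}

def check_address(addr, aaaa=AAAA, ptr=PTR):
    """Return 'match', 'no-ptr' or 'mismatch' for one address."""
    name = ptr.get(ptr_owner(addr))
    if name is None:
        return "no-ptr"
    forward = {ipaddress.IPv6Address(a) for a in aaaa.get(name, [])}
    # Forward confirmation: the PTR name must list this address in AAAA.
    return "match" if ipaddress.IPv6Address(addr) in forward else "mismatch"

def audit(aaaa=AAAA, ptr=PTR):
    """Check every published AAAA address for a PTR that points back."""
    return {a: check_address(a, aaaa, ptr)
            for addrs in aaaa.values() for a in addrs}

if __name__ == "__main__":
    for addr, status in audit().items():
        print(f"{addr:20} {status}")
    # A PTR alone claims client1; the forward check does not confirm it.
    # Even a 'match' is only as trustworthy as the DNS answers themselves.
    print("2001:db8:99::66", check_address("2001:db8:99::66"))
```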

