[dns-operations] fewer PTRs plz (Re: reverse DNS for DHCPV6 and PD's)
eivind at aminor.no
Wed Jun 15 23:23:19 UTC 2011
Robert Edmonds wrote:
> i can't see any reasons to deny a PTR update (whether it came in via a
> ticket or via a dynamic update) other than simple technical checks, like
> perhaps verifying that the PTRDNAME points to an existing A or AAAA
> owner name.
I can see such a reason, but please correct me if I'm wrong here, I won't
pretend to be an expert, and I'd love to learn something new :D
It's fairly common for ISPs to hand out dynamic addresses to their
residential customers in an IPv4 based world. I'll admit I don't have much
experience with how a mass-market ISP will do this for IPv6 but I'm
guessing it will be done with dynamic prefix allocation for IPv6 as well.
A fairly common setup on the customers CPE is to hand out addresses in a
range from x to y.
Now, let's say I get assigned the prefix 2001:DB8::/32, and the DHCP
server in the CPE provided by my ISP starts handing out addresses from
<prefix>::100 up to ::200. If DDNS to the PTR is open for all I can
easily create several not-so-nice PTR names for this range, turn off my
CPE, wait for the next customer to get assigned my previous prefix, and
he'll get nice pre-made PTR records for all his hosts unless he also
registers a new PTR by himself.
Unfortunately, stuff like this is exactly what will get printed in the
media, and that's attention no ISP will want, even if they can point the
finger at a customer.
Sure, there are possible fixes for this, such as:
- assign a static prefix for every customer, and clean up any PTRs in that
prefix if the customer cancels their subscription. I believe many ISPs
don't want to provide static prefix in their residential product,
encouraging customers to go for the premium priced product if they want
- keep assigning dynamic prefixes to customers, but somehow clean up any
PTRs before handing it out to the next customer
- have the CPE automatically register or delete PTRs for its DHCPv6 range.
Oh btw, the simple technical check of having an existing AAAA record
before being allowed to update the PTR record doesn't prevent this issue.
I can easily create an AAAA record for a somewhat disturbing hostname.
Yes, I'd have to use a domain name I somehow control.
So, to sum it up: no, I wouldn't expect every ISP to allow every
residential customer to do DDNS updates on their dynamic address ranges.
More information about the dns-operations