[dns-operations] fewer PTRs plz (Re: reverse DNS for DHCPV6 and PD's)

Eivind Olsen eivind at aminor.no
Wed Jun 15 23:29:06 UTC 2011


Chris Roosenraad wrote:

> That said, if someone wants to champion a new RFC that says that in v6,
> PTR records are ONLY for servers, I'll gladly back them up.  But as of
> right now, I have to assume it's business as usual with regards to PTR
> records.  :(

I will gladly try to write something if others also think this is a worthy
cause. I have absolutely no experience with writing an I-D (Internet
Draft) and getting it approved but I'm willing to give it a try if someone
could give me a nudge in the right direction and provide some input.

I guess the correct procedure would be something along the lines of
writing an I-D, taking the iterative process of changing it based on
feedback/comments, then publishing it, and ideally somehow manage to get
it turned into a BCP. Is this possibly food for some IETF working group?

I don't think an I-D forbidding the use of PTRs for non-servers in IPv6
makes much sense. Here's a short version of what makes some sense to my
mind - does it make sense for anyone else as well? Is this something we
could flesh out a bit, rephrase, and turn into an I-D?

Servers and network equipment are expected to be fairly few and have
static IP addresses - these could be expected to have PTRs in IPv6 just as
we expect them to have in the IPv4 world.

Dynamic allocations with temporary addresses are much more common, and the
big IPv6 address space means we can't expect every single IPv6 address to
have a PTR record. Yes, a nameserver can in theory generate PTR records on
the fly based on some template or formula, but then we're back to the
fairly useless generic records like
2-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-3-4-4-3-0-1-1-0-8-f-4-0-1-0-a-2.dsl.dynamic.ispname
(and these are also expected to exist as an AAAA record).
It won't be possible to get all the hosts to update DNS with their current
DHCPv6 assigned or autoconfigured IPv6 address, therefore it is recommended
that the lack of PTR records for IPv6 addresses be given no implicit
meaning.
Although, to somewhat contradict myself, different services will still
give some meaning to the lack of PTR records.

Examples:
- SMTP servers could still expect other SMTP servers with static IPv6
addresses to have PTR records, but shouldn't expect the same from clients
they are supposed to allow relaying for (whether it's from their own /56
prefix or from the entire world through the use of SMTP authentication)
- FTP/IRC/SSH servers, and other servers which are often accessed by
normal hosts with dynamic addresses, shouldn't expect PTR records

RFC 1033 section says "Add the reverse IN-ADDR entry for each host address
in the appropriate zone files for each network the host is on."
RFC 1912 section 2.1: "For every IP address, there should be a matching
PTR record in the in-addr.arpa domain"
RFC 4472 sections 7.1 and 10 do touch the topic of the security value of
reverse DNS for IPv6, although it does seem a bit vague about it.
I guess there might be some other documents which also need to be
referenced - I'll dig deeper into this if this I-D seems worthwhile.

Regards
Eivind Olsen
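The template-generated PTR names discussed above, and the forward confirmation a receiving service might run on them, as an added example in Python that is not part of the original post; the suffix dsl.dynamic.ispname is the placeholder from the message, and the mx1.example.net records are constructed stand-ins for a real resolver:

```python
import ipaddress

# Placeholder suffix from the post's example name; not a real domain.
SUFFIX = "dsl.dynamic.ispname"

def ip6_arpa(addr: str) -> str:
    """Nibble-reversed ip6.arpa owner name that a PTR query for addr asks for."""
    return ipaddress.IPv6Address(addr).reverse_pointer

def synth_hostname(addr: str, suffix: str = SUFFIX) -> str:
    """Template PTR target: all 32 nibbles of addr, least significant first, dash-joined."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return "-".join(reversed(nibbles)) + "." + suffix

def synth_addr(hostname: str, suffix: str = SUFFIX) -> str:
    """Inverse of synth_hostname: the AAAA such a template name is expected to have."""
    if not hostname.endswith("." + suffix):
        raise ValueError("not a template name under this suffix")
    nibbles = "".join(reversed(hostname[: -len(suffix) - 1].split("-")))
    if len(nibbles) != 32:
        raise ValueError("template name must encode exactly 32 nibbles")
    return str(ipaddress.IPv6Address(int(nibbles, 16)))

# Constructed stand-in for the DNS: only the static mail server has explicit records.
PTR = {ip6_arpa("2001:db8::25"): "mx1.example.net"}
AAAA = {"mx1.example.net": ["2001:db8::25"]}

def resolve_ptr(addr: str, synthesize: bool = False):
    """Explicit PTR target, else an on-the-fly template name if the zone synthesizes."""
    name = ip6_arpa(addr)
    if name in PTR:
        return PTR[name]
    return synth_hostname(addr) if synthesize else None

def resolve_aaaa(hostname: str) -> list:
    """Explicit AAAA records, else the address a template name encodes, else nothing."""
    if hostname in AAAA:
        return AAAA[hostname]
    try:
        return [synth_addr(hostname)]
    except ValueError:
        return []

def fcrdns(addr: str, synthesize: bool = False):
    """Forward-confirmed reverse DNS: True if an AAAA of the PTR target is addr,
    False if a PTR exists but does not confirm, None if there is no PTR at all."""
    target = resolve_ptr(addr, synthesize)
    if target is None:
        return None
    want = ipaddress.IPv6Address(addr)
    return any(ipaddress.IPv6Address(a) == want for a in resolve_aaaa(target))
```

A synthesized name always forward-confirms, so it proves nothing beyond the address itself, while a missing PTR comes back as None rather than as a failure, which is the "no implicit meaning" reading argued for above.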
