[dns-operations] fewer PTRs plz (Re: reverse DNS for DHCPV6 and PD's)
marka at isc.org
Thu Jun 16 00:32:10 UTC 2011
Mark Andrews writes:
> In message <99b34ca9a3938a4e10e267493f6cdfcf.squirrel at webmail.aminor.no>, "Ei
> nd Olsen" writes:
> > Robert Edmonds wrote:
> > > i can't see any reasons to deny a PTR update (whether it came in via a
> > > ticket or via a dynamic update) other than simple technical checks, like
> > > perhaps verifying that the PTRDNAME points to an existing A or AAAA
> > > owner name.
> > I can see such a reason, but please correct me if I'm wrong here, I won't
> > pretend to be an expert, and I'd love to learn something new :D
> > It's fairly common for ISPs to hand out dynamic addresses to their
> > residential customers in an IPv4 based world. I'll admit I don't have much
> > experience with how a mass-market ISP will do this for IPv6 but I'm
> > guessing it will be done with dynamic prefix allocation for IPv6 as well.
> > A fairly common setup on the customers CPE is to hand out addresses in a
> > range from x to y.
> > Now, let's say I get assigned the prefix 2001:DB8::/32, and the DHCP
> > server in the CPE provided by my ISP starts handing out addresses from
> > <prefix>::100 up to ::200. If DDNS to the PTR is open for all I can
> > easily create several not-so-nice PTR names for this range, turn off my
> > CPE, wait for the next customer to get assigned my previous prefix, and
> > he'll get nice pre-made PTR records for all his hosts unless he also
> > registers a new PTR by himself.
> > Unfortunately, stuff like this is exactly what will get printed in the
> > media, and that's attention no ISP will want, even if they can point the
> > finger at a customer.
> > Sure, there are possible fixes for this, such as:
> > - assign a static prefix for every customer, and clean up any PTRs in that
> > prefix if the customer cancels their subscription. I believe many ISPs
> > don't want to provide static prefix in their residential product,
> > encouraging customers to go for the premium priced product if they want
> > static addresses.
> > - keep assigning dynamic prefixes to customers, but somehow clean up any
> > PTRs before handing it out to the next customer
> > - have the CPE automatically register or delete PTRs for its DHCPv6 range.
> > Oh btw, the simple technical check of having an existing AAAA record
> > before being allowed to update the PTR record doesn't prevent this issue.
> > I can easily create an AAAA record for a somewhat disturbing hostname.
> > Yes, I'd have to use a domain name I somehow control.
> > So, to sum it up: no, I wouldn't expect every ISP to allow every
> > residential customer to do DDNS updates on their dynamic address ranges.
> > Regards
> > Eivind Olsen
> In the IPv4 world you would almost always been doing a RFC 2317
> style delegation or manually inserting the records and most customer
> delegation do not fall nicely on a DNS delegation break point.
> In IPv6 all delegations fall nicely on DNS delegation break points.
> IPv4 requires humans. IPv6 can be completely automated.
> If the ISP is really worried about this they can just allow the
> /48, /52, /56, /60, /64 reverses to be automatically delegated to
> the customer's nameservers (CPE) using dynamic updates to insert
> the NS/DNAME records. This is completely self cleaning from the
> ISP's perspective. When they next hand out the address to a new
> customer they update the NS/DNAME records. The host machines still
> automatically update themselves in the DNS, just now the updates
> are going to customer owned nameservers instead of ISP owned
I forgot to add DS records along side the NS records.
> If Geoff had allowed the 2002::/16 reverse to be updated this way
> we would have had a good working example to show people. The code
> was written to do this.
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations