[dns-operations] IPv6 PTR best practice

Petr Špaček petr.spacek at nic.cz
Wed May 9 07:09:47 UTC 2018


On 9.5.2018 07:12, Grant Taylor wrote:
>> Companies using Active Directory have the end node populate the
>> PTR records using GSS-TSIG signed UPDATE requests.  Similar could work
>> for ISP but every time someone mentions this they huff and puff and
>> say it won’t work.
> 
> To be fair, Active Directory, and GSS-*, implies that Kerberos
> authentication is in play.  That's something that ISPs are quite
> unlikely to have in play between them and their clients.
> 
> That being said, there are other methods of authentication that can be
> used between ISPs and clients.

AFAIK Windows clients issue unsigned DNS UPDATEs when not joined to an
Active Directory domain. It is a matter of one checkbox (register address
... something).

The bigger problem here is that the content of the PTR record is somehow
constructed from the machine name and its domain (either from DHCP or from
static configuration) so the names will often look like
'johns-notebook.lan' and will be generally useless anyway.

-- 
Petr Špaček  @  CZ.NIC


