[dns-operations] IPv6 PTR best practice

Mark Andrews marka at isc.org
Wed May 9 20:56:46 UTC 2018


> On 10 May 2018, at 1:05 am, sthaug at nethelp.no wrote:
> 
>>> - What applications are requiring IPv6 PTR support?
>> 
>> The same set that require it for IPv4.
> 
> That's really a matter for debate. It's not at all obvious that
> building IPv6 "reputation" will work as well as for IPv4.
> 
>>> Any feedback appreciated,
>> 
>> ISPs really haven't looked at what can work for populating PTR records.
> 
> Some of us have, and have concluded that we'd rather not go there.
> 
>> Companies using Active Directory have the end node populate the PTR
>> records using GSS-TSIG signed UPDATE requests.  Similar could work for
>> ISP but every time someone mentions this they huff and puff and say it
>> won't work.
> 
> AD is typically used within a company under *one* administration, while
> customers of an ISP are extremely varied (and certainly don't fall under
> one common administration).
> 
> The prospect of letting Joe Random User update his IPv6 PTR records
> might be *technically* feasible - but letting customers do their own
> DNS updates would need a significant amount of belts and suspenders,
> and would definitely require some development resources - for zero
> gain as far as I can see. It is *way* down the priority list.
> 
>> They see their kludge of pre-populating the reverse address space as being
>> "good enough" for IPv4 and just want to do the same for IPv6 rather than
>> actually look for solutions that will work.
> 
> It's a kludge for IPv4 that I *don't* want to repeat for IPv6. Thus the
> plan to only create IPv6 PTRs that are actually needed (servers/services
> on static IPv6 addresses).

Well, just let nodes create PTR records for the addresses they have assigned.

>> There is no reason we can't go from kludges to a working reverse space
>> other than an unwillingness to try.
> 
> Seeing nonzero risks / costs and zero gain for the ISP might have
> something to do with it.

They are Internet SERVICE Providers and they are NOT providing
FULL service.  Part of being on the Internet FULLY is the ability
to NAME YOUR OWN MACHINE.  This can be done fully automatically
without the ISP having to deploy more staff.  What say ARIN, APNIC
and RIPE pull all the IN-ADDR.ARPA delegations for all the ISPs they
currently do to and wait for the howls of protest.

Just because you are a home user doesn’t mean that you should not
be able to publish the name of your machine.  That is ISPs acting
as a CARTEL against the home user.

> Steinar Haug, AS2116

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
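
The thread debates letting end nodes maintain their own PTR records through UPDATE requests. As an added illustration, not part of the original message and not any DNS server's actual code, this sketch shows one server-side safeguard: accept a PTR update only when its owner name is the reverse mapping of the address the request came from. The function names and the TCP-only rule are assumptions made for the example.

```python
import ipaddress

# Constructed policy for this example: a node may only touch the PTR record
# whose owner name is the reverse mapping of its own source address.
ALLOWED_TYPES = {"PTR"}


def reverse_name(addr: str) -> str:
    """Return the ip6.arpa / in-addr.arpa owner name for addr, fully qualified."""
    ip = ipaddress.ip_address(addr)
    # Treat ::ffff:a.b.c.d as the IPv4 address it carries.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.reverse_pointer + "."


def normalise(name: str) -> str:
    """DNS names compare case-insensitively; make the trailing dot explicit."""
    return name.lower().rstrip(".") + "."


def may_update(source_addr: str, owner: str, rrtype: str, via_tcp: bool) -> bool:
    """Decide whether an UPDATE for (owner, rrtype) is allowed from source_addr."""
    if not via_tcp:
        # Assumption: UDP source addresses are too easy to spoof to trust here.
        return False
    if rrtype.upper() not in ALLOWED_TYPES:
        return False
    try:
        expected = reverse_name(source_addr)
    except ValueError:
        # Unparseable source address: refuse rather than guess.
        return False
    return normalise(owner) == expected


if __name__ == "__main__":
    src = "2001:db8::1"  # constructed sample address (documentation prefix)
    own = reverse_name(src)
    other = reverse_name("2001:db8::2")
    print(may_update(src, own, "PTR", via_tcp=True))     # node's own record
    print(may_update(src, other, "PTR", via_tcp=True))   # a neighbour's record
    print(may_update(src, own, "AAAA", via_tcp=True))    # wrong record type
```
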




