Reverse DNS RFCs and Recommendations

Mark Andrews marka at isc.org
Thu Oct 31 23:51:10 UTC 2013


In message <5272E4A6.9080601 at dcrocker.net>, Dave Crocker writes:
> On 10/30/2013 9:55 AM, Andrew Sullivan wrote:
> > As I think I've said before on this list, when we tried to get
> > consensus on that claim in the DNSOP WG at the IETF, we couldn't.
> > Indeed, we couldn't even get consensus on the much more bland
> > statement, "Some people rely on the reverse, and you might want to
> > take that into consideration when running your services."
> >
> > Now, IETF non-consensus on the way the Internet works is hardly a
> > surprise, but I thought I'd point this out just in case people want to
> > be prepared for flames from people who feel strongly about the matter.
> 
> 
> I'm beginning to think that documenting failures to get consensus could 
> be almost as important as documenting successes, in order to provide a 
> basis for countering folks who claim something is required, when there's 
> explicit public experience that it isn't.
> 
> Looks to me that Andrew's note is an example of that potential benefit. 
>   Rather than having to have someone remember this stuff, anyone could 
> point to the 'failure' document.

There is consensus.  There SHOULD be PTR records.  This is even
documented in various RFCs.

Now the methods ISPs use to do this for home customer addresses
with IPv4 don't scale to IPv6.  They also don't let the home customer
specify the name in the PTR record.

Additionally ISPs use PTR records as a revenue source by only
offering to set them to commercial customers.  Part of this is
that it is often a manual procedure.

That said it is possible to completely automate the secure assignment
of PTR records.  It is also possible to completely automate the
secure delegation of the reverse name space.  See
http://tools.ietf.org/html/draft-andrews-dnsop-pd-reverse-00 (yes
I am aware of the typos which I will fix once the submission window
re-opens).  Similar techniques can be applied to individual IPv4
delegations.  You add PTR records rather than NS and DS records.

In named the SIG(0) signed UPDATE requests are granted using

	update-policy { grant * self *; };

when setting up the reverse zone.  The code to do it is over a
decade old at this point.

It just requires willingness to do it.  For ISPs to come out of
the 90's and use the technology that was designed to allow this to
happen.

Mark

> d/
> 
> -- 
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
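The `update-policy { grant * self *; };` line Mark mentions is the whole authorization model, so here it is in context. This is an added example of a BIND named.conf zone stanza, not configuration from the message or from ISC; the zone name (the 2001:db8::/32 documentation prefix), the file path and the comments are assumptions made for illustration.

```conf
// Added example (not from the message): a reverse zone in which each
// address holder maintains its own PTR record through SIG(0)-signed
// dynamic UPDATE requests. Zone name and file path are assumptions.
zone "8.b.d.0.1.0.0.2.ip6.arpa" {
    type primary;                         // "master" on older named releases
    file "dyn/8.b.d.0.1.0.0.2.ip6.arpa";

    // grant <identity> <nametype> <name> [types]
    //   *     identity: any key that verifies is considered
    //   self  nametype: the signer may only change the owner name that is
    //         identical to the name of its own key (for SIG(0), the KEY
    //         record stored at that owner name in this zone)
    //   *     name: unused with "self", but the field is mandatory
    //   (no types given): any record type at that one name
    update-policy { grant * self *; };
};
```

With this stanza a customer whose address maps to a given ip6.arpa owner name can change only that name, because named verifies the SIG(0) signature against the KEY record published at the signer's own name and the `self` rule binds the signer to that name. A SIG(0) key pair is generated with `dnssec-keygen -T KEY` and used by `nsupdate -k`; the same stanza works unchanged for an in-addr.arpa zone. Operationally, the zone must be served from a writable file (journaled dynamic updates), and the KEY record has to be placed at the customer's name when the address is provisioned, which is the step Mark says can be automated.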
