comcast ipv6 PTR

Bjørn Mork bjorn at mork.no
Tue Oct 15 16:20:40 UTC 2013


Joe Abley <jabley at hopcount.ca> writes:
> On 2013-10-15, at 10:57, Bjørn Mork <bjorn at mork.no> wrote:
>> Mark Andrews <marka at isc.org> writes:
>> 
>>> People keep saying the PTR records don't mean anything yet still
>>> demand really strong authentication for updates of PTR records.
>>> TCP is more than a strong enough authenticator to support update
>>> from self.
>> 
>> This sounded like an excellent idea at first, but then I started
>> thinking:  As a home user, would I really want to give anyone with
>> access to my network the right to change my reverse delegation?
>
> I think what you'd be doing is giving anybody you have assigned an
> IPv6 address to the ability to update the PTR (or a delegation, since
> Mark suggested that too) for that particular address.
>
> So, it's not "my reverse delegation", it's "my 2^80 or fewer reverse
> delegations" (if you've been assigned a /48).

Ah, right.  I understood the proposal as "any address within then /48
can update the delegation for the /48 reverse".

But if that would be 2^80 distinct delegations or PTRs, then I am
worrying about luser stupidiy and the ability to DoS the name server.  I
guess this can be combined with some sort of limit, making it fly?
Still don't see the advantage of being able to delegate if it's only
single address delegations.  But allowing a limited number of PTR
updates based on TCP sounds like a nice idea.  Going to consider that.

For the full /48 delegation I don't see any other option than making it
part of a self service portal.  But the marketing/product droids usually
don't want that sort of "complex" techical stuff  for retail users.
Probably for good reasons...

In any case: All of you should expect legitimate, technical brilliant
users attempting to connect to your SMTP servers from IPv6 addresses
with no PTR records. This is not going to go away.  You are of course
free to refuse those connections, but personally I find a that rather
arrogant and pretty stupid decision.  The existence of a PTR record is
one of many factors to consider for your spam filter.  There never has
been any reason to make it an absolute requirement, and I am pretty sure
the score needs to be lowered with IPv6.


Bjørn (yes, my mail server has a proper IPv6 reverse record, but that's
only because I am in a position to create the reverse delegation....)




More information about the NANOG mailing list