How to wish you hadn't forced ipv6 adoption (was "How to force rapid ipv6 adoption")

John Levine johnl at iecc.com
Sat Oct 3 19:07:36 UTC 2015


>One thing that I thought was going to be a huge help with sending-IP
>blacklists in the IPv6 world... was perhaps shifting to tighter
>standards and greater reliance for Forward Confirmed rDNS (FCrDNS).

A lot of IPv6 mail systems want you to use SPF and DKIM signatures on
IPv6 mail, or they won't accept it.  This is a frequent topic at MAAWG
meetings.

IPv6 rDNS is a can of worms.  You can't do generic rDNS other than
with a stunt server that generates results on the fly.  The general
agreement seems to be that servers (which include mail clients) should
have static IPs and valid rDNS, but the pain of doing rDNS at all has
made the rDNS flaky.  And anyway, a DKIM signature or even an SPF
record is a lot more informative than a PTR record.

>For example, if a spammer who has acquired a /48 is sending from
>literally millions, perhaps billions, of DIFFERENT IPs on that /48, ...

Even with a /64 a spammer could easily use a different IP for every
message he ever sent, which as you note would make both legitimate
bounce handling and spammer list washing easier.  That's why no DNSBL
I know is interested in granularities less than /64.

There are some hosting providers that due to poor choices made a few
years back (and perhaps poorly designed equipment from vendors) have
been giving customers each a /128 inside a shared /64, but the advice
I've been seeing is that if you want your customers to be able to
send mail, don't do that.

R's,
John
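The /64 aggregation John describes, as an added example (not part of the original post): per-address counting of a constructed sender log sees every message as a new sender, while keying on the /64 collapses the "different IP per message" trick into one block. The `dnsbl.example` zone and the sample addresses are constructed for illustration; the query-name format follows the nibble-reversed convention of RFC 5782.

```python
import ipaddress

# Constructed sample log: three messages from one /64 with rotating host
# bits, plus one from an unrelated /64. Not real traffic.
SAMPLE_SENDERS = [
    "2001:db8:1:2:aaaa::1",
    "2001:db8:1:2:bbbb::2",
    "2001:db8:1:2::dead:beef",
    "2001:db8:ff:9::10",
]


def v6_block_key(addr: str, prefix: int = 64) -> str:
    """Return the /prefix network (as text) that an IPv6 address belongs to.

    DNSBLs treat the /64 as the unit of listing, so this is the key a
    reputation system should count on rather than the full /128.
    """
    ip = ipaddress.IPv6Address(addr)  # raises AddressValueError for IPv4
    return str(ipaddress.IPv6Network(f"{ip}/{prefix}", strict=False))


def dnsbl_query_name(addr: str, zone: str) -> str:
    """Build the RFC 5782 query name for addr under a DNSBL zone.

    The 32 hex nibbles of the expanded address are reversed and joined
    with dots; the zone then lists whole /64s by wildcarding the low 16
    nibbles, so every host in a listed /64 resolves to the same answer.
    """
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


def count_senders_by_block(addrs, prefix: int = 64) -> dict:
    """Count messages per /prefix block; prefix=128 shows why per-IP fails."""
    counts: dict = {}
    for a in addrs:
        key = v6_block_key(a, prefix)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print("per /128:", count_senders_by_block(SAMPLE_SENDERS, 128))
    print("per /64: ", count_senders_by_block(SAMPLE_SENDERS, 64))
    print(dnsbl_query_name(SAMPLE_SENDERS[0], "dnsbl.example"))
```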
