reverse DNS considered pointless was: [6bone] Fwd: BCP 80, RFC 3681 on Delegation of E.F.F.3.IP6.ARPA

Jeroen Massar jeroen at unfix.org
Sun Feb 8 18:18:10 PST 2004


-----BEGIN PGP SIGNED MESSAGE-----

Anand Kumria wrote:

> On Sun, Feb 08, 2004 at 07:06:42PM +0100, Gert Doering wrote:

> > Reopening that can of worms will just delay useful reverse DNS deployment
> > even further.
> 
> What useful reverse DNS deployment? Can you usefully assign 
> reverse for systems using the privacy extensions?

Those addresses are not meant to be reversed and are meant for
a short life anyways. Programs doing SSH for instance should
request the 'static' address of a host when connecting.
Personally I turn the option off on every box I visit.
For Linux kernels one has the option of not even compiling it
in and it is off per default fortunately ;) The privacy
extensions were meant for workstations and similar setups
anyways, these don't need reverses. Server boxes and routers
do though, or are you changing the address of your webserver
every 10 minutes? :)

> Look at IPv4 to see how hard it
> is for people to manage < 2^8 addresses for reverse, do you really expect
> people with 2^64 (or more) addresses to cope?

Why not, never heard of DHCPv6, DDNS and automated
registration/scripting? If you or your ISP can't then too bad ;)
FYI: http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html
Using a little scripting I have also made a Windows version,
sporting IPv6 support, thus everything is possible. Windows.Net
is probably already doing it from install btw, though I am not
sure as I don't have anything 'newer' than XP. Maybe SP2?

I know for sure that the IPv6 reverse tree is much better populated,
and usefully (no automatically generated reverses) populated, than
the counterpart IPv4 tree. Main reason: DNS-spamming IRC kiddos.
Next to that the people that do IPv6 want it to succeed and thus also
put those things neatly into the reverse and forward DNS.
Btw, I know from experience a nice reverse DNS tree setup which has
more entries (non-spammed btw) than most hosting ISPs serve DNS for
websites :) Eat 18MB of ASCII DNS zones <grin>

There should be a document, which probably needs to be created as
I haven't seen one yet, defining how to make this all work, nice job
for the IETF v6ops group. A nice scenario on what to delegate to end
users and how endusers can easily populate it.

Another solution would be to have synthesis in DNS. There is a
special ICMPv6 message which can be used to query a host for its hostname.

See draft-ietf-ipngwg-icmp-name-lookups-10.txt, though I don't know
the exact status, KAME stacks have it, from ping6 man on BSD:
8<-----------
     -w      Generate ICMPv6 Node Information DNS Name query, rather than
             echo-request.  -s has no effect if -w is specified.
----------->8

Thus:
jeroen at bfib:~$ ping6 -v -w hog
PING6(72=40+8+24 bytes) 2001:7b8:3:1e:290:27ff:fe0c:5c5e --> 2001:7b8:3:17:203:47ff:fe3b:3138
33 bytes from 2001:7b8:3:17:203:47ff:fe3b:3138: hog.ipng.nl. (TTL=0:meaningless)
33 bytes from 2001:7b8:3:17:203:47ff:fe3b:3138: hog.ipng.nl. (TTL=0:meaningless)
<SNIP>

One could let a DNS server, which hasn't got a reverse tree for a
certain host, do the ICMPv6 trick and return the answer.
Tada, even your privacy-addressed hosts could do this, but
that would totally defeat the purpose of the 'privacy', which
I still find laughable as one can usually say that not more
than 1000 people will be residing in the same /64 or even /48,
thus people coming from that prefix will be the same one,
especially if they are visiting the same set of websites.
But this all is work for the IETF and the ISPs of course ;)

> I think the power play has actually been really beneficial -- 
> a lot more ISPs have realised that reverse DNS is fundamentally pointless, even
> more so in the Brave New World of IPv6.

The brave new world over here (Europe) works quite well, we simply
don't use 6bone that much anymore, thus have been happily using
RIPE's ip6.int + ip6.arpa delegations. ISPs doing the real thing
have already switched to RIR space a long time ago, usually after
having had quite an extensive and happy testing time on the 6bone.

Next to that I wonder what you call 'a lot more ISPs', seeing
that, compared to RIR space, not so many are involved at all.
Also, seeing the 6bone list quite quiet tells some things, one
of them being that most really can't care less and have more
important things on their minds than playing the power game.

> The other cool thing about the power play has been highlighting the clique
> involved. Previously it was all somewhat behind the scenes -- at least
> this (interminably long) event has brought most of those
> involved out into the open.

It was never behind the scenes, it was always quite
clear what was happening, except for the fact that
some people didn't realize it. It is the same as
watching a soap show with someone who is following
it totally: they know what is happening, but for a
one-time viewer it is yet another single episode.

Greets,
 Jeroen


-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / http://unfix.org/~jeroen

iQA/AwUBQCbt4imqKFIzPnwjEQIksACgnF+zo++AMOnda4DaE7gQDhrje+IAoLJO
1GdLJ5Cda8dH8EjJBay3z/oI
=3/ky
-----END PGP SIGNATURE-----
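The two mechanisms the message above leans on, the ip6.arpa nibble tree and the ICMPv6 Node Information "Name" query that `ping6 -w` sends, are small enough to show at the byte level. The block below is an added example, written for this page; it is not code from the post, from KAME, or from any resolver. It encodes and decodes an RFC 4620 Node Name query/reply (type 139/140, qtype 2) with the ICMPv6 pseudo-header checksum, maps an ip6.arpa name back to the address it stands for, and wires the two together as the "synthesis" a resolver could do when it has no PTR record. Assumptions: the queried host is a constructed stub (nothing is sent on the wire), the two addresses are the ones visible in the ping6 output above, the DNS name encoding handles only fully-qualified multi-label names (RFC 4620 has an extra rule for single-label names that is left out), and the nonce check in `parse_name_reply` is the example's own addition, not something the post describes.

```python
"""Added example: RFC 4620 ICMPv6 Node Information Name query/reply at byte
level, plus ip6.arpa mapping, used as a "synthesised PTR" lookup. Offline only."""
import ipaddress
import os
import struct

ICMPV6_NEXT_HEADER = 58
NI_QUERY, NI_REPLY = 139, 140                    # ICMPv6 types (RFC 4620)
NI_CODE_SUBJECT_IPV6, NI_QTYPE_NODE_NAME, NI_REPLY_SUCCESS = 0, 2, 0

def ip6_arpa_name(addr):
    """PTR owner name: all 32 nibbles of the address reversed under ip6.arpa."""
    digits = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(digits)) + ".ip6.arpa."

def address_from_ip6_arpa(name):
    """Inverse mapping, i.e. what a resolver needs before it can ask the host."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not a full /128 ip6.arpa name")
    return str(ipaddress.IPv6Address(int("".join(reversed(labels[:-2])), 16)))

def icmpv6_checksum(src, dst, message):
    """Internet checksum over the IPv6 pseudo-header and the ICMPv6 message."""
    data = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", len(message), ICMPV6_NEXT_HEADER) + message)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encode_dns_name(name):
    """RFC 1035 wire form; simplification: fully-qualified multi-label names only."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_dns_names(data):
    """Parse consecutive wire-format names until the data runs out."""
    names, pos = [], 0
    while pos < len(data):
        labels = []
        while (n := data[pos]) != 0:
            if n > 63:                               # no compression pointers in NI data
                raise ValueError("bad label length")
            labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        pos += 1                                     # skip the terminating zero label
        names.append(".".join(labels) + ".")
    return names

def build_name_query(src, dst, nonce=None):
    """Type 139, Code 0 (subject = IPv6 addr), Qtype 2, Flags 0, nonce, subject: what ping6 -w sends."""
    nonce = os.urandom(8) if nonce is None else nonce
    body = struct.pack("!HH", NI_QTYPE_NODE_NAME, 0) + nonce + ipaddress.IPv6Address(dst).packed
    csum = icmpv6_checksum(src, dst, struct.pack("!BBH", NI_QUERY, NI_CODE_SUBJECT_IPV6, 0) + body)
    return struct.pack("!BBH", NI_QUERY, NI_CODE_SUBJECT_IPV6, csum) + body

def build_name_reply(src, dst, nonce, names, ttl=0):
    """Type 140, Code 0, echoed Qtype/nonce, 32-bit TTL, names (TTL 0 as in the ping6 output)."""
    data = struct.pack("!I", ttl) + b"".join(encode_dns_name(n) for n in names)
    body = struct.pack("!HH", NI_QTYPE_NODE_NAME, 0) + nonce + data
    csum = icmpv6_checksum(src, dst, struct.pack("!BBH", NI_REPLY, NI_REPLY_SUCCESS, 0) + body)
    return struct.pack("!BBH", NI_REPLY, NI_REPLY_SUCCESS, csum) + body

def parse_name_reply(src, dst, packet, expected_nonce):
    """Verify checksum, type/code/qtype and nonce first: unchecked, anyone on-path could answer."""
    if len(packet) < 20 or icmpv6_checksum(src, dst, packet) != 0:
        raise ValueError("truncated packet or bad ICMPv6 checksum")
    ptype, code, _, qtype, _flags = struct.unpack("!BBHHH", packet[:8])
    if (ptype, code, qtype) != (NI_REPLY, NI_REPLY_SUCCESS, NI_QTYPE_NODE_NAME):
        raise ValueError("not a successful Node Name reply (%d/%d/%d)" % (ptype, code, qtype))
    if packet[8:16] != expected_nonce:
        raise ValueError("nonce mismatch: reply does not belong to our query")
    return struct.unpack("!I", packet[16:20])[0], decode_dns_names(packet[20:])

def stub_host(query, src, dst, hostname="hog.ipng.nl."):
    """Constructed stand-in for the queried host (assumption: no sockets involved)."""
    ptype, code, _, qtype = struct.unpack("!BBHH", query[:6])
    if (ptype, code, qtype) != (NI_QUERY, NI_CODE_SUBJECT_IPV6, NI_QTYPE_NODE_NAME):
        raise ValueError("stub only answers Node Name queries")
    return build_name_reply(dst, src, query[8:16], [hostname])

def synthesise_ptr(ptr_name, resolver_addr, responder=stub_host):
    """The post's 'synthesis' idea: no PTR record in the zone, so ask the host itself."""
    target = address_from_ip6_arpa(ptr_name)
    nonce = os.urandom(8)
    reply = responder(build_name_query(resolver_addr, target, nonce), resolver_addr, target)
    _ttl, names = parse_name_reply(target, resolver_addr, reply, nonce)
    return names

if __name__ == "__main__":
    resolver = "2001:7b8:3:1e:290:27ff:fe0c:5c5e"   # the two addresses from the ping6 output
    host = "2001:7b8:3:17:203:47ff:fe3b:3138"
    print(ip6_arpa_name(host))
    print(synthesise_ptr(ip6_arpa_name(host), resolver))
```

The nonce and checksum checks are the part worth copying: a resolver that synthesises PTR data from whatever ICMPv6 reply arrives first is trivially fed a forged name, and the NI reply carries nothing but the echoed nonce to tie it to the question that was asked.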
