On 9/8/09 9:15 AM, Mark Andrews wrote:
> In message <4aa58174.6010...@mail-abuse.org>, Douglas Otis writes:
>> Mark,
>> There are valid reasons to formally make statements about a practice,
>> whether that rules the day is a different matter. There is a practice
>> promoted, in respect to IPv4, where the dynamic nature of an IP address
>> is to be divined by labels used in the reverse DNS PTR records. While a
>> large number of legitimate MTAs publish PTR records, there is also a
>> number that do not. This varies from region to region.
> Which was always an error-prone practice.
By error prone, you mean divining whether an IP address is dynamic by
discovering whether the reverse PTR record:
1) Exists
2) Is host specific
3) Does not contain labels inferring dynamic assignment
Perhaps suggesting this practice not be continued with IPv6 could be
sound advice.
>> As a practical matter, does it make sense to continue this practice for
>> IPv6? Our experience found that checking for these records has required
>> much greater resources due to high levels of abuse and large numbers of
>> reverse DNS timeouts delaying connection disposition. While legitimate
>> MTAs often have PTR records, not all do. Illegitimate MTAs lacking an
>> operational server in the reverse address space end up comprising the
>> majority of traffic seen.
> In theory there is a nameserver for every address. You should be
> complaining to the RIRs / LIRs if the ISPs are not running
> nameservers after requesting delegation. All delegations are
> requested.
Engineering is about dealing with existing situations and providing
advice on how to avoid making problems worse. Reverse DNS timeouts have
been persistent. Suggesting that people complain represents a political
solution that is out of place within a WG document and unlikely to be effective.
> Illegitimate MTAs may not have a PTR but a server should still be
> responding with a negative response.
This describes ideal DNS management. It seems unlikely that after
introducing IPv6 into email, represented by regions notorious for poorly
maintained reverse DNS, this problem will improve, despite complaints.
> Also I don't see what this has to do with populating the reverse
> tree or not. It may have to do with delegating only to CPE equipment
> but that is an orthogonal issue.
Advice regarding the reliability of the reverse DNS space might temper
insistence that reverse DNS labels be used to designate whether address
assignment is dynamic. The sheer scale of this space makes mitigation
efforts aimed at identifying problematic addresses impractical.
-Doug
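The three PTR checks discussed in this thread, with a reverse DNS timeout reported as its own outcome rather than folded into "no PTR", as an added Python example (not code from the thread or from any of its participants). It assumes stub lookup functions standing in for a real resolver, reads "host specific" as the PTR target resolving back to the connecting address (forward-confirmed reverse DNS), and uses constructed sample zones for both IPv4 and IPv6.

```python
import ipaddress
import re

# Heuristic label patterns (not a standard): generic tokens, or address octets/nibbles in the name.
DYNAMIC_TOKENS = re.compile(r"(^|[.-])(dyn|dhcp|pool|ppp|dsl|cable|dial)([.-]|$)", re.I)
EMBEDDED_ADDR = re.compile(r"(\d{1,3}[-.]){3}\d{1,3}|([0-9a-f]{1,4}-){4,}[0-9a-f]{1,4}", re.I)

def reverse_name(ip):
    """Owner name under in-addr.arpa / ip6.arpa that holds the PTR for ip."""
    return ipaddress.ip_address(ip).reverse_pointer

def classify_ptr(ip, lookup_ptr, lookup_forward, timeout=2.0):
    """Run the three checks on one connecting address and name the outcome.

    lookup_ptr(name, timeout) returns the PTR target, None for a negative answer, and
    raises TimeoutError when no reverse server answers in time (the failure mode that
    delays connection disposition). lookup_forward(host) returns host's addresses.
    """
    addr = ipaddress.ip_address(ip)
    try:
        target = lookup_ptr(addr.reverse_pointer, timeout)
    except TimeoutError:
        return "timeout"          # unknown, not a negative answer: do not treat as "no PTR"
    if target is None:
        return "no-ptr"           # check 1: the PTR record does not exist
    host = target.rstrip(".")
    if DYNAMIC_TOKENS.search(host) or EMBEDDED_ADDR.search(host):
        return "dynamic-label"    # check 3: labels inferring dynamic assignment
    # Check 2, read here as forward-confirmed: the PTR target must resolve back to ip.
    if addr in {ipaddress.ip_address(a) for a in lookup_forward(host)}:
        return "host-specific"
    return "unconfirmed"

# Constructed sample zones standing in for live DNS; any other address gets no answer at all.
PTR_ZONE = {
    reverse_name("192.0.2.10"): "mx1.example.net.",
    reverse_name("192.0.2.77"): "dyn-192-0-2-77.isp.example.",
    reverse_name("192.0.2.200"): "smtp.example.com.",   # PTR present, no matching forward
    reverse_name("2001:db8::25"): "mail.example.org.",
    reverse_name("198.51.100.9"): None,                  # negative answer: no PTR
}
FORWARD_ZONE = {"mx1.example.net": ["192.0.2.10"], "mail.example.org": ["2001:db8::25"]}

def sample_lookup_ptr(name, timeout):
    if name not in PTR_ZONE:
        raise TimeoutError(f"no reverse server answered for {name} within {timeout}s")
    return PTR_ZONE[name]

def classify_sample(ip):
    return classify_ptr(ip, sample_lookup_ptr, lambda h: FORWARD_ZONE.get(h, []), timeout=0.5)
```

A policy that scores "timeout" the same as "no-ptr" is what turns slow reverse servers into delayed or rejected legitimate mail; keeping the outcomes separate lets the MTA decide each one on its own.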
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop