ogud> The usage case that got brought up at the mike ``PTR records are
ogud> used by logging systems''  got me thinking ``when does a logging
ogud> system need this information''  and the answer is I think ``when a
ogud> human is looking at the log'' in all other cases if the system is
ogud> running at high speed the delay in looking up addresses is just
ogud> too long.

Depends on the environment and application. For enterprise and security,
seems more common to do PTR lookups in real time. For web sites and
really high traffic volume, more common to post-process.

ogud> ``End-user'' addresses do not need a PTR record but could be
ogud> simple wild card responses like ``[[Customer.HNL.biz-ISP.net]]'' 
ogud> as none is complaining about 

ogud> 123.136.133.31.in-addr.arpa. 3600 IN PTR [[dhcp-887b.meeting.ietf.org]].

ogud> or 

ogud> 9.5.9.d.7.4.e.f.f.f.9.e.f.c.a.2.6.3.1.0.0.7.3.0.c.7.6.0.1.0.0.2.ip6.arpa. 15
ogud> IN PTR
ogud> s2001067c037001362acfe9fffe47d959.hotel-wireless.v6.[[meeting.ietf.org]].

Other than mail/spam filtering, these do seem to work most
places. That's why ISPs have mostly gotten away with wildcarding PTRs in
v4.

ogud> That to me indicates that people use log post processing all the
ogud> time and Intrusion Detection Systems are doing PTR lookups by
ogud> policy.  For IDS, are their expectations any different than log
ogud> processors?  And if IDSs are taking decisions based on the
ogud> content of PTR records, what granularity do they need?

IDSs presumably have a more "known" and stable user population; things
that don't match that tend to be assumed as hostile. Not sure it's a
good assumption but I suspect most IDS teams assume that they (or at
least their organization) have some control over A/AAAA/PTR cleanliness
and response time.

Enterprises are also more likely to have their IP addr mgmt, DHCP and
DNS talking. This leads to higher quality PTRs than in consumer ISP or
wireless hotspot environments.
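The post-processing case discussed in this thread, as an added example that is not part of the original messages: a small offline log annotator that builds the in-addr.arpa / ip6.arpa owner names for the two records quoted above, and flags PTR answers whose first label only re-encodes the address (like `dhcp-887b` or `s2001067c...`) so an analyst does not read them as identifying a host. The PTR cache, the `mail.example.net` host and the log lines are constructed stand-ins for real lookups; the "address-derived" test is a heuristic, not a standard.

```python
import ipaddress
import re

# Constructed PTR cache standing in for the real lookups a post-processor would
# do: the two records quoted in the thread plus one constructed named host in
# the RFC 5737 documentation range.
PTR_CACHE = {
    "31.133.136.123": "dhcp-887b.meeting.ietf.org.",
    "2001:67c:370:136:2acf:e9ff:fe47:d959":
        "s2001067c037001362acfe9fffe47d959.hotel-wireless.v6.meeting.ietf.org.",
    "192.0.2.10": "mail.example.net.",
}
CANDIDATE_RE = re.compile(r"[0-9a-fA-F:.]*[0-9a-fA-F]")  # candidates, validated below

def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for ip, as it appears in the reverse zone."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def address_tokens(ip: str) -> set:
    """Forms of the address that generated (wildcard-style) PTR names embed."""
    addr = ipaddress.ip_address(ip)
    full_hex = addr.packed.hex()
    tokens = {full_hex, full_hex[-4:]}   # whole address; last 16 bits ("887b")
    if addr.version == 4:
        octets = str(addr).split(".")
        tokens.update({"-".join(octets), "".join(octets)})
    return tokens

def ptr_is_address_derived(ip: str, ptr: str) -> bool:
    """Heuristic: the first label merely re-encodes the address, so a reader
    of the log learns nothing from it that the IP itself did not say."""
    first_label = ptr.rstrip(".").split(".")[0].lower()
    return any(tok in first_label for tok in address_tokens(ip))

def annotate(line: str) -> str:
    """Post-process one log line offline: append the cached PTR name after each
    address, tagging generated names so they are not read as an identity."""
    def repl(m):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:
            return m.group(0)        # timestamps, hex-looking words: not addresses
        ptr = PTR_CACHE.get(str(addr))
        if ptr is None:
            return m.group(0)        # no cached answer (or the lookup timed out)
        tag = ", address-derived" if ptr_is_address_derived(str(addr), ptr) else ""
        return f"{m.group(0)} ({ptr.rstrip('.')}{tag})"
    return CANDIDATE_RE.sub(repl, line)
```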

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop