-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In message <m1aw7ii-0000...@stereo.hq.phicoh.net>, Philip Homburg <pch- dn...@u-1.phicoh.com> writes
>In your letter dated Fri, 29 Apr 2016 13:54:44 +0200 you wrote: > >>Having said all of that, I don't see any strong requirement that this >>document provide motivation for reverse DNS solutions for IPv6. People >>ask about the problem, and want solutions, and it would be good to have >>a document to point them to with some help. > >The problem I have with the current line of thinking (Section 2.4 in this >draft) is that there is a big disconnect between where reverse DNS is >needed and what ISPs are trying to do. "needed" is rather a strong word.... historically reverse DNS was a de facto requirement for access to some anonymous FTP servers (a use case that is now rather long in the tooth) and it was seized on by mail systems that were trying to deal with spam because a) checking for consistency between forward and reverse DNS and any associated HELO command gave them a (totally unjustified) warm feeling about the identity (and bona fides) of the machine sending them email b) some reckoned to parse the name (in an entirely ad hoc and error prone manner) and thereby identify mass-market ADSL/cable connected machines that they did not think should be sending email directly. I am not aware of ANY other protocols that have ever relied on the presence of reverse DNS -- but experts here may recall some ?? Latterly, the existence of reverse DNS has been used as a "clue test" for IPv6 email delivery (server to server, not email submission by end user machines) and this is documented in the M3AAWG document on IPv6 email: <https://www.m3aawg.org/sites/default/files/document/M3AAWG_Inbound_IPv6 _Policy_Issues-2014-09.pdf> which says In the absence of a more appropriate mechanism for identifying hosts intended to act as outbound MTAs by their owners, M3AAWG recommends rejecting email from host IPv6 addresses without reverse DNS records. This technique should be deprecated once a more suitable standard mechanism is developed. So in fact "reverse IPv6 DNS everywhere" risks being counterproductive for email (or at best we'll be back in the ad hoc parsing world). >Whether we like it or not, mail admins are adding reverse DNS checks. >In fact, some really big mail providers require reverse DNS. Yes, that's what M3AAWG is documenting... but if you roll out reverse DNS everywhere I confidently predict they will rapidly cease to bother ! >So, ISPs not doing reverse DNS for IPv6, like my current ISP, are making it >impossible to use your own mail server to deliver mail over IPv6. I think >they are doing a serious disservice to the open internet. Mayhap -- but reputation services for IPv6 are still in their infancy and so there needs to be some way to distinguish "legitimate" mail servers from malware infected end-user devices. In my view the effort should all be devoted to addressing reputation services for IPv6. In particular there is no standard for documenting the "cut point" (what the allocation unit was to a particular customer) and that is essential information for linking delivery events to an entity and thereby forming a view as to their legitimacy (or otherwise) If lots of work is to be done on reverse lookups in IPv6 (which I would argue is entirely self-defeating) then being able to do a reverse lookup which returns "/48" or "/56" or whatever is, in my view, significantly more useful. - -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBVyNUmTu8z1Kouez7EQL3QgCg+bONYXsKXzFP+8BGsyF1B7sezBgAnRgu zardRJpsJ6yicNFSijnV2EbB =25R6 -----END PGP SIGNATURE----- _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
