On Tue, Nov 08, 2011 at 10:05:12PM +1100, Mark Andrews wrote:
>
> In message <4eb8f028.8040...@dds.nl>, Seth Mos writes:
> > On 7-11-2011 14:46, sth...@nethelp.no wrote:
> > >>> The practice of filling out the reverse zone with fake PTR records
> > >>> started before there was widespread support for UPDATE/DNS. There
> > >>> isn't any need for this to be done anymore. Machines are capable
> > >>> of adding records for themselves.
> > >>
> > >> How do I set up this for DHCPv6-PD? Say, I delegate 2001:db8:42::/48 to
> > >> the end user. Should I delegate reverse DNS as well? If so, to whom?
> > >>
> > >> Or is it the CPE's responsibility to dynamically add records for whatever
> > >> addresses it sees on the internal LAN(s)? Are there CPEs capable of
> > >> doing this?
> > >>
> > >> Or will the end systems themselves do the update against my DNS server?
> > >> If so, how do I authenticate that?
> > >
> > > With my ISP hat on, I find the idea of customer CPEs updating their
> > > own PTR records to be completely unacceptable. So I guess I'll either
> > > live without the reverse DNS, or use a name server that can synthesize
> > > answers on the fly.
> >
> > That seems like a really nice feature, create a reverse record to spoof
> > a mail server and the reverse DNS will match up.
> >
> > If the domain does not employ SPF it will look legit, forward and
> > reverse won't match up of course. Not sure how many mailservers have
> > issues with that if the reverse matches up.
> >
> > Sounds like a fine way to employ a spam botnet.
>
> Sounds like FUD. Who has trusted the contents of a PTR record in the
> last 2 decades?
>
> > Regards,
> >
> > Seth
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

the same people who trust the contents of an A record in the last 2 decades.

/bill
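
The forward/reverse mismatch mentioned in the thread is what a receiving host tests with a forward-confirmed reverse DNS check. The sketch below is an added example, not part of the thread: the records, host names and function names are constructed, and dictionary lookups stand in for a resolver.

```python
import ipaddress

def rev(addr):
    """ip6.arpa / in-addr.arpa owner name for an address."""
    return ipaddress.ip_address(addr).reverse_pointer

# Constructed records in the documentation prefix; dicts stand in for a resolver.
PTR = {
    # PTR claims to be a mail server, as in the scenario in the thread.
    rev("2001:db8:42::25"): ["mail.example.org."],
    rev("2001:db8:42::80"): ["Host80.Example.NET."],
}
AAAA = {
    "mail.example.org.": ["2001:db8:1::25"],       # the name's owner points elsewhere
    "host80.example.net.": ["2001:DB8:42:0::80"],  # same address, other spelling
}

def ptr_lookup(owner):
    return PTR.get(owner, [])

def aaaa_lookup(name):
    return AAAA.get(name, [])

def canonical(name):
    """DNS names compare case-insensitively; normalise the trailing dot."""
    return name.lower().rstrip(".") + "."

def confirmed_names(addr):
    """PTR names for addr whose forward records include addr itself."""
    ip = ipaddress.ip_address(addr)
    names = []
    for name in map(canonical, ptr_lookup(rev(addr))):
        # Compare parsed addresses, not strings: IPv6 has many spellings.
        if any(ipaddress.ip_address(a) == ip for a in aaaa_lookup(name)):
            names.append(name)
    return names

def classify(addr):
    if not ptr_lookup(rev(addr)):
        return "no-ptr"
    return "confirmed" if confirmed_names(addr) else "ptr-unconfirmed"

if __name__ == "__main__":
    for a in ("2001:db8:42::25", "2001:db8:42::80", "2001:db8:42::99"):
        print(a, classify(a), confirmed_names(a))
```

A PTR that names someone else's mail server comes back as `ptr-unconfirmed`, because only the holder of the forward zone can publish the matching AAAA record.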