reverse dns for IPV6 ranges

Mark Andrews marka at isc.org
Tue Mar 6 01:32:42 UTC 2012


In message <1330991057.3861.10.camel at tardis>, Noel Butler writes:
> 
> > In message <DUB109-W57AA00705E65417A6C57E4AC500 at phx.gbl>, hugo hugoo writes:
> > > 
> > > Dear all,
> > > 
> > > Can anyone help me with its experience on reverse dns for IPV6?
> > > Presently, when we reverse an IPV4 subnet for clients, we configure all
> > > the reverse for the whole subnet.
> > > It is a lot of PTR's but perfectly manageable.
> > > 
> > > With IPV6, the number of IP's that we will receive is amazing....
> > > So...it seems impossible for every single IPV6 in the range to configure
> > > a PTR.
> > > 
> > > So...what to do?
> > > What is the common practice?
> > > What is possible with BIND?
> > > 
> > > Thanks in advance for your answer.
> > 
> > Let the machines register their own PTR record using TCP as the authenticator.
> > 
> > 	update-policy {
> > 		grant . tcp-self * PTR;
> > 	};
> 
> That's dangerous   14m1337.u.suck.hax0r.org  -    yeah, it would be
> highly abused and why most ISPs don't do/allow it :)

And is a baseless fear as it can be tracked back to the customer
involved or does the ISP permit customers to spoof each other or
permit the public to spoof its customers?  This isn't wide open
UPDATE.  It's 1.2.3.4 can update 4.3.2.1.IN-ADDR.ARPA/PTR and only
4.3.2.1.IN-ADDR.ARPA/PTR if the update request comes over TCP.

> But for a small company that has trustworthy staff, maybe, but then mail
> servers will start rejecting some of them trying to send directly
> because there's likely no matching A record.

The machine adds its own A / AAAA records using TSIG.  These can then
be updated as it moves around the world.  
 
> > Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
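
Added example, not part of the original message and not BIND's code: a small
Python model of the tcp-self rule as the message describes it (the source
address may update the PTR at its own reverse name, and only over TCP),
extended to ip6.arpa names. The function names and sample requests are
constructed for illustration.

```python
import ipaddress

def reverse_name(addr):
    """Reverse-mapping owner name for an IPv4/IPv6 address (lower-case, no trailing dot)."""
    return ipaddress.ip_address(addr).reverse_pointer.lower()

def tcp_self_permits(src_addr, transport, owner, rrtype):
    """Model of the rule as described in the message; not BIND's implementation."""
    if transport.lower() != "tcp":      # the TCP handshake is what ties the request to src_addr
        return False
    if rrtype.upper() != "PTR":         # the grant in the message covers PTR only
        return False
    # DNS names compare case-insensitively; ignore the trailing root dot.
    return owner.rstrip(".").lower() == reverse_name(src_addr)

# Constructed sample requests: (source address, transport, owner name, type)
V6_OWN = reverse_name("2001:db8::1")
SAMPLES = [
    ("1.2.3.4", "tcp", "4.3.2.1.IN-ADDR.ARPA.", "PTR"),   # own name over TCP
    ("1.2.3.4", "udp", "4.3.2.1.IN-ADDR.ARPA.", "PTR"),   # own name, but UDP
    ("1.2.3.4", "tcp", "5.3.2.1.in-addr.arpa.", "PTR"),   # someone else's name
    ("1.2.3.4", "tcp", "4.3.2.1.in-addr.arpa.", "A"),     # wrong record type
    ("2001:db8::1", "tcp", V6_OWN + ".", "PTR"),          # own ip6.arpa name
    ("2001:db8::2", "tcp", V6_OWN + ".", "PTR"),          # neighbour's ip6.arpa name
]

def evaluate(samples=SAMPLES):
    """Return the allow/deny decision for each sample request."""
    return [tcp_self_permits(*s) for s in samples]

if __name__ == "__main__":
    for s, ok in zip(SAMPLES, evaluate()):
        print("ALLOW" if ok else "DENY ", *s)
```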


