Joe Abley <jabley@hopcount.ca> writes:
On 2013-10-15, at 10:57, Bjørn Mork <bjorn@mork.no> wrote:
Mark Andrews <marka@isc.org> writes:
People keep saying the PTR records don't mean anything yet still demand really strong authentication for updates of PTR records. TCP is more than a strong enough authenticator to support update from self.
This sounded like an excellent idea at first, but then I started thinking: As a home user, would I really want to give anyone with access to my network the right to change my reverse delegation?
I think what you'd be doing is giving anybody you have assigned an IPv6 address to the ability to update the PTR (or a delegation, since Mark suggested that too) for that particular address.
So, it's not "my reverse delegation", it's "my 2^80 or fewer reverse delegations" (if you've been assigned a /48).
Ah, right. I understood the proposal as "any address within then /48 can update the delegation for the /48 reverse". But if that would be 2^80 distinct delegations or PTRs, then I am worrying about luser stupidiy and the ability to DoS the name server. I guess this can be combined with some sort of limit, making it fly? Still don't see the advantage of being able to delegate if it's only single address delegations. But allowing a limited number of PTR updates based on TCP sounds like a nice idea. Going to consider that. For the full /48 delegation I don't see any other option than making it part of a self service portal. But the marketing/product droids usually don't want that sort of "complex" techical stuff for retail users. Probably for good reasons... In any case: All of you should expect legitimate, technical brilliant users attempting to connect to your SMTP servers from IPv6 addresses with no PTR records. This is not going to go away. You are of course free to refuse those connections, but personally I find a that rather arrogant and pretty stupid decision. The existence of a PTR record is one of many factors to consider for your spam filter. There never has been any reason to make it an absolute requirement, and I am pretty sure the score needs to be lowered with IPv6. Bjørn (yes, my mail server has a proper IPv6 reverse record, but that's only because I am in a position to create the reverse delegation....)