In message <5272E4A6.9080601@dcrocker.net>, Dave Crocker writes:
> On 10/30/2013 9:55 AM, Andrew Sullivan wrote:
> > As I think I've said before on this list, when we tried to get consensus on that claim in the DNSOP WG at the IETF, we couldn't. Indeed, we couldn't even get consensus on the much more bland statement, "Some people rely on the reverse, and you might want to take that into consideration when running your services."
> > Now, IETF non-consensus on the way the Internet works is hardly a surprise, but I thought I'd point this out just in case people want to be prepared for flames from people who feel strongly about the matter.
> I'm beginning to think that documenting failures to get consensus could be almost as important as documenting successes, in order to provide a basis for countering folks who claim something is required, when there's explicit public experience that it isn't.
> Looks to me that Andrew's note is an example of that potential benefit. Rather than having to have someone remember this stuff, anyone could point to the 'failure' document.
There is consensus. There SHOULD be PTR records. This is even documented in various RFCs. Now the methods ISPs use to do this for home customer addresses with IPv4 don't scale to IPv6. They also don't let the home customer specify the name in the PTR record. Additionally ISPs use PTR records as a revenue source by only offering to set them for commercial customers. Part of this is that it is often a manual procedure.

That said, it is possible to completely automate the secure assignment of PTR records. It is also possible to completely automate the secure delegation of the reverse name space. See http://tools.ietf.org/html/draft-andrews-dnsop-pd-reverse-00 (yes I am aware of the typos which I will fix once the submission window re-opens). Similar techniques can be applied to individual IPv4 delegations. You add PTR records rather than NS and DS records. In named, SIG(0)-signed UPDATE requests are granted using update-policy { grant * self *; }; when setting up the reverse zone.

The code to do it is over a decade old at this point. It just requires willingness to do it: for ISPs to come out of the 90's and use the technology that was designed to allow this to happen.

Mark
> d/
> -- Dave Crocker Brandenburg InternetWorking bbiw.net
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
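An ISP-side named.conf reverse-zone stanza of the kind Mark describes, written here as an added illustration rather than taken from the thread or from the draft; the zone name (under the 2001:db8::/32 documentation prefix), the file path and the bootstrapping step are constructed assumptions:

```conf
// Constructed example (not from the thread): the ISP's reverse zone for
// 2001:db8::/32. Each customer holds a SIG(0) key whose KEY record lives at
// the owner name the customer is entitled to change: the PTR owner name for a
// single host, or the delegation point (NS/DS) for an assigned prefix. The
// KEY record itself is installed once by the ISP's provisioning system
// (assumed here; the exact hand-off is outside this example).
zone "8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    file "dynamic/8.b.d.0.1.0.0.2.ip6.arpa.db";

    // grant <identity> self <types>
    //   identity "*" : any SIG(0) key that named can verify against a KEY RR
    //                  it is authoritative for in this zone
    //   nametype self: the signer's key name must equal the name being updated,
    //                  so a customer can only touch records at its own name
    //   types "*"    : any RRtype, which is what lets one rule serve both the
    //                  PTR (host) and NS/DS (delegation) cases
    update-policy {
        grant * self *;
    };
};

// Tighter variant for operators who only want the reverse use case: the same
// self rule, but restricted to the record types the mechanism actually needs.
// A customer key can then still rotate itself (KEY) but cannot park arbitrary
// RRtypes under the ISP's reverse zone.
zone "8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    file "dynamic/8.b.d.0.1.0.0.2.ip6.arpa.db";
    update-policy {
        grant * self PTR NS DS KEY;
    };
};
```

Only one of the two stanzas would appear in a real configuration; they are shown side by side to contrast the permissive rule quoted in the message with a type-restricted one.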