[ipv6-ops] Re: mail filtering based on reverse DNS

Aaron Hughes aaronh at bind.com
Thu Aug 11 17:59:08 CEST 2011


While I agree MX servers should have reverse DNS, and even though it is a problem, I am sure they will be informed soon enough by the senders that they are misconfigured. I have also been looking at how to cover this for SLAAC and PD/DHCPv6 implementations...

One thing I have done (which certainly does not always work) is:

; Auto respond to reverse queries with any wildcard and a zero.
;
*                                        IN      PTR     v6host.ipv6.6connect.net.
*.0                                      IN      PTR     v6host.ipv6.6connect.net.
*.0.0                                    IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0                                  IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0                                IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0                              IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0.0                            IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0.0.0                          IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0.0.0.0                        IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0.0.0.0.0                      IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0.0.0.0.0.0                    IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0.0.0.0.0.0.0                  IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0.0.0.0.0.0.0.0                IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0.0.0.0.0.0.0.0.0              IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0.0.0.0.0.0.0.0.0.0            IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0          IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0        IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0      IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0    IN      PTR     v6host.ipv6.6connect.net.
*.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN      PTR     v6host.ipv6.6connect.net.

on the bottom of each zone file. This of course requires a match of a zero. I thought about what this might look like in some more expanded form and gave up, but if others have ideas about how to accomplish this I would be all ears.

Unfortunately, not enough people are discussing this to come up with a good solution outside of turning off reverse DNS verification. Afaik, this is just going to have to stop being used, and we should be looking into other methods of validation.

Cheers,
Aaron


On Thu, Aug 11, 2011 at 03:19:35PM +0100, Tim Chown wrote:
> Our MXes have been dual-stack for a long time and reject mail from systems that have no reverse DNS entries.  We would expect MX operators to include reverse entries.
> 
> The only time I know for sure that that bit us was when the IETF tried its secondary/backup facility for a few days, and they hadn't added reverse entries for the IPv6 MXes, so we rejected IETF mail.  Unfortunately the IETF servers did not retry over IPv4, so I for one dropped off some IETF lists.
> 
> It would be interesting to know what proportion of spam can currently be 'intelligently' dropped by enforcing a reverse lookup.  How applicable does the technique remain today?
> 
> Tim

-- 

Aaron Hughes 
aaronh at bind.com
+1-831-824-4161
Key fingerprint = AD 67 37 60 7D 73 C5 B7 33 18 3F 36 C3 1C C6 B8
http://www.bind.com/
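The wildcard-at-every-depth trick above, as an added example that is not from the post or from Aaron's zone: a small Python model of RFC 4592 closest-encloser matching (a `*` label matches one or more labels, but only below the longest name that actually exists in the zone), run over a constructed /32 reverse zone for the documentation prefix 2001:db8::/32 (an assumption; the post does not say which zone the records live in) with one constructed explicit PTR added beside the wildcards. It shows which reverse names the wildcard set synthesises and how an explicit record in the same zone makes its neighbours fall off the wildcards.

```python
import ipaddress

# Constructed example zone: the ip6.arpa zone for the documentation prefix
# 2001:db8::/32, i.e. 8.b.d.0.1.0.0.2.ip6.arpa. Names are kept relative to
# the apex as tuples of labels, leftmost label first, as written in a zone file.
ZONE_APEX_LABELS = 32 // 4           # nibble labels consumed by the /32 apex
HOST_LABELS = 32 - ZONE_APEX_LABELS  # 24 nibble labels remain below the apex
PTR_TARGET = "v6host.ipv6.6connect.net."  # target used in the post


def rel_name(addr):
    """Owner name of addr's PTR record, relative to the zone apex."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return tuple(reversed(nibbles))[:HOST_LABELS]


def wildcard_zone(depth=20):
    """The post's trick: '*', '*.0', '*.0.0', ... up to depth-1 zero labels."""
    return {("*",) + ("0",) * n: PTR_TARGET for n in range(depth)}


def lookup(zone, addr):
    """Resolve the PTR for addr under RFC 4592 wildcard rules.

    Synthesis happens only when the query name does not exist and its
    closest encloser (longest existing ancestor, empty non-terminals
    included) owns a '*' child. Returns the target, or None for NXDOMAIN/NODATA.
    """
    qname = rel_name(addr)
    # Every owner implies all of its ancestors, down to the apex ().
    existing = {owner[i:] for owner in zone for i in range(len(owner) + 1)}
    if qname in existing:                 # the name exists: no synthesis
        return zone.get(qname)
    for i in range(1, len(qname) + 1):    # walk up towards the apex
        encloser = qname[i:]
        if encloser in existing:
            return zone.get(("*",) + encloser)   # None if no '*' child
    return None


zone = wildcard_zone()
# One explicit PTR for a host in 2001:db8:0:1::/64 (constructed data).
zone[rel_name("2001:db8:0:1::5")] = "host5.example."

if __name__ == "__main__":
    for a in ("2001:db8::1", "2001:db8:1234:5678::abcd",
              "2001:db8:0:1::5", "2001:db8:0:1::6"):
        print(a, "->", lookup(zone, a))
```

The explicit record makes every ancestor of its owner exist as an empty non-terminal, so 2001:db8:0:1::6 gets NXDOMAIN while the same address resolves against the wildcards alone; receivers that forward-confirm will also expect the PTR target to carry a matching AAAA.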

