Wildcard DNS
Shadow Hawkins on Friday, 20 October 2006 13:25:10
I was wondering if it would be allowed to set up a wildcard DNS record to be used for undefined records?
For instance Windows has a mechanism to give "Anonymous" IPv6 addresses which change every now and then. Would it be allowed to give these IPs Anonymous.ipv6.domain.com?
For every other IP that is statically assigned it would be possible to just give the hostname, but not for these "dynamic" addresses.
Wildcard DNS
Jeroen Massar on Friday, 20 October 2006 13:37:57
Asking if something is "Allowed" is a strange question, as there is no law on the internet. If it makes technical sense to do it though is something else, and wildcards in many cases don't make sense, though it all depends on the situation of course. In this situation the wildcard doesn't make sense as the reverse is mostly used to verify that the reverse matches the forward resolver.
Thus when you have e.g. 2001:db8::1 this maps to 1..... 8.b.d.0.1.0.0.2.ip6.arpa. which an application (e.g. ssh) will try to resolve; normally this will return a PTR to host.example.com which then has an AAAA to 2001:db8::1. An application can thus verify that host.example.com is 2001:db8::1 and vice versa.
Now when you use a wildcard in the reverse, everything maps to anonymous.ipv6.example.com, but what does anonymous.ipv6.example.com map to?
I guess you are not going to list 2^48 AAAAs there now are you? :)
As such if you want to have automatically generated reverses, I suggest you take a look at PowerDNS and create a backend for it. Or use BIND's GENERATE statement and generate 2^48 possible reverses/forwards.
In the end it is much easier to just turn off the (IMHO) silly RFC3041 feature (FAQ). Silly? Yes silly, as your addresses come out of a /64, out of a /48. If somebody wants to track you, they can already simply estimate "company of 200 employees, looking at this type of content, thus 1/200 certain that the person is the same"; also one can employ cookies and a lot of other aspects to keep track of you. RFC3041 thus only 'helps' in the case where one moves to a different network (different /48) and when one keeps the same EUI-64 address: somebody could note that you first were at network A and later at network B as the EUI-64 address stayed the same.
The cookie then will also have alerted them to that already, which is for them much easier and much more stable to track you on.
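The forward-confirmed reverse DNS check Jeroen describes, written out as an added example (this is not code from the thread, SixXS or PowerDNS). The zone data is constructed and held in plain dictionaries so the script runs offline: one explicit PTR for a static host, a wildcard PTR under the 2001:db8::/48 reverse zone that points everything else at anonymous.ipv6.example.com, and AAAA records for the forward names. The check builds the ip6.arpa nibble name, follows the PTR, and only accepts a hostname whose AAAA set actually contains the original address, which is exactly where the wildcard answer falls through.

```python
import ipaddress

# Constructed zone data (assumption made for this example, not from the thread).
# Keys are generated from the addresses so the 32-nibble ip6.arpa names are exact.
STATIC_HOST = "host.example.com"
STATIC_ADDR = ipaddress.IPv6Address("2001:db8::1")

PTR_RECORDS = {
    STATIC_ADDR.reverse_pointer: [STATIC_HOST],
}

# A wildcard PTR for the whole 2001:db8::/48 reverse zone: any name that
# does not have an explicit record resolves to the "anonymous" hostname.
# Suffix = reverse of the 12 nibbles 2001:0db8:0000.
WILDCARD_ZONE = "0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"
WILDCARD_TARGET = "anonymous.ipv6.example.com"

AAAA_RECORDS = {
    STATIC_HOST: ["2001:db8::1"],
    # Nothing sensible can be listed here: the forward would have to hold
    # every address the wildcard covers, i.e. 2^80 AAAAs for a /48.
    WILDCARD_TARGET: [],
}


def ip6_arpa_name(addr):
    """Nibble-reversed ip6.arpa name for an IPv6 address, e.g.
    2001:db8::1 -> 1.0.0.0...8.b.d.0.1.0.0.2.ip6.arpa (32 labels + ip6.arpa)."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def lookup_ptr(name):
    """PTR lookup against the constructed zone: explicit record first,
    then the wildcard if the name sits inside the wildcarded zone."""
    if name in PTR_RECORDS:
        return list(PTR_RECORDS[name])
    if name.endswith("." + WILDCARD_ZONE):
        return [WILDCARD_TARGET]
    return []


def lookup_aaaa(hostname):
    """AAAA lookup against the constructed zone, returned as address objects."""
    return [ipaddress.IPv6Address(a) for a in AAAA_RECORDS.get(hostname, [])]


def fcrdns(addr):
    """Forward-confirmed reverse DNS: return the hostnames from the PTR whose
    AAAA records include the original address. Empty list means the reverse
    does not match the forward, which is what a wildcard PTR produces."""
    ip = ipaddress.IPv6Address(addr)
    confirmed = []
    for hostname in lookup_ptr(ip.reverse_pointer):
        if ip in lookup_aaaa(hostname):
            confirmed.append(hostname)
    return confirmed


if __name__ == "__main__":
    for a in ("2001:db8::1", "2001:db8::a1b2:c3d4:e5f6:718", "2001:db8:ffff::1"):
        print(a, "->", ip6_arpa_name(a))
        print("  PTR:", lookup_ptr(ip6_arpa_name(a)))
        print("  confirmed:", fcrdns(a) or "none (reverse/forward mismatch)")
```

The static address round-trips to host.example.com; an RFC 3041 temporary address inside the /48 gets the wildcard PTR but fails confirmation because anonymous.ipv6.example.com has no matching AAAA; an address outside the wildcarded zone has no PTR at all. A real check would replace the two lookup functions with resolver queries, but the confirmation logic is the same.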
Wildcard DNS
Shadow Hawkins on Friday, 20 October 2006 14:17:14
I was actually asking this more in the sense of DNS Pollution / DNS Spam as mentioned in the FAQ (http://www.sixxs.net/faq/sixxs/?faq=dnsspam)
Wildcard DNS
Jeroen Massar on Friday, 20 October 2006 14:21:36
You can't 'spam' using it as the forward/reverse mappings don't match up.
Thus technically it is already silly to do it.
Putting in the reverse something like:
this.is.an.anonymous.address.inside.silly.example.com
is of course DNS pollution and should not even be tried or thought of.
That FAQ also mentions "If you have to use SpamCalc then you are already doing the wrong thing." which you can also read as: "if you think it is wrong it most likely is".
Use common sense and otherwise make a strict example.
Wildcard DNS
Shadow Hawkins on Friday, 20 October 2006 14:33:25
I think I will stick to turning off RFC3041.