Will IPv6 kill double-reverse lookups?

David Carmean dlc-b9 at halibut.com
Sun Oct 31 23:35:34 UTC 2004

Presuming that a party/organization wants to limit "information leakage"
by maintaining a split DNS system, and presuming that they choose to cater
to the dubious practice of double-reverse-lookups a-la TCP Wrappers and
others, with IPv4 it is easy enough to fill the "outside" in-addr.arpa
and forward zones with generic hostnames with matching PTR and A records.
NAT makes this even easier. 

IPv6 makes this monumentally impractical, if not technically infeasible.
With typical firewall policies, not only will we not have NAT or ALGs to 
limit the range of source addresses visible outside to a single "subnet" 
(and therefor a single zone), EUI-64 host address autoconfiguration and 
RFC-3041 address privacy extensions mean that 2^65 (forward and reverse)
entries would have to be preconfigured.

I was going to ask here if the BIND developers had thought about a feature
to synthesize matching ip6.arpa and forward record sets to satisfy TCP
Wrappers and the like, but then I began to wonder whether this problem
will serve as an agitator to get people to stop fooling themselves into
using DNS for endpoint authentication/authorization.

What are those of you (all five of you, maybe?) with more than a handful 
of deployed IPv6 nodes doing about this question?  

More information about the bind-users mailing list