Reverse DNS on Tunnel.. (Not a subnet)
Carmen Sandiego on Tuesday, 30 October 2007 13:57:51
Hi.
Is it possible to get a reverse dns record for a tunnel?
Note: I don't have my own subnet.
Carmen Sandiego on Tuesday, 30 October 2007 14:07:40
Never mind, can see there is one now :o)
Shadow Hawkins on Saturday, 10 November 2007 21:16:28
Hi.
Regarding the tunnel naming scheme (http://www.sixxs.net/pops/#tunnaming) and
the fact that there isn't any option to set name servers for a tunnel subnet I
guess SixXS doesn't provide this feature. O-)
Regards,
Dennis
Jeroen Massar on Saturday, 10 November 2007 22:40:49
Which is also described in the FAQ: "How do I setup a reverse DNS?" which states "Note that user reverse dns options is only available for subnets and not for tunnels."
Shadow Hawkins on Monday, 19 November 2007 18:07:46
What's the reason for this?
Jeroen Massar on Tuesday, 20 November 2007 10:45:36
Because a tunnel is a transfer net and belongs to our network, while a subnet is located at your network.
Shadow Hawkins on Wednesday, 21 November 2007 11:26:53
That's true, but is that really the blocker why there is no reverse DNS possible on the IP address on the endpoint of the tunnel?
I have one webserver that uses a tunnel to have an IPv6 connection. I find it rather stupid to ask for a subnet only to use the reverse DNS option, isn't it?
Shadow Hawkins on Friday, 23 November 2007 08:41:44
I just added something to the wishlist thread about this without noticing it is also discussed here.
I agree that it would be nice since that way connections from my tunnel endpoint machine can show up with the rDNS of my network rather than sixxs.net
Jeroen Massar on Friday, 23 November 2007 10:57:38
See the answer in that thread too.
Jeroen Massar on Friday, 23 November 2007 10:57:13
The blocker is that it is a naming policy.
Why would a 'webserver' need reverse DNS?
Please elaborate.
Shadow Hawkins on Thursday, 03 January 2008 12:57:19
Just add a mailserver to the box and you really need the rDNS.
The SIXXS.net rDNS does not resolve in forward DNS. Example:
2001:960:2:54::2 has rDNS cl-85.ams-04.nl.sixxs.net
but
cl-85.ams-04.nl.sixxs.net does not resolve at all.
Mail Servers which apply HELO/EHLO hostname checks will refuse to accept mails from this host (see http://www.postfix.org/postconf.5.html#smtpd_client_restrictions).
For a list of links which explain HELO/EHLO checks see http://marc.sblog.lu/2007/11/23/why-is-it-important-to-have-a-properly-configured-dns-and-mail-server/
Jeroen Massar on Thursday, 03 January 2008 13:11:03
Resolves just fine:
cl-85.ams-04.nl.sixxs.net. 604800 IN AAAA 2001:960:2:54::2
ams-04.nl.sixxs.net. 604800 IN NS ns2.sixxs.net.
ams-04.nl.sixxs.net. 604800 IN NS ns3.sixxs.net.
ams-04.nl.sixxs.net. 604800 IN NS ns1.sixxs.net.
;; Received 125 bytes from 2001:770:18:8::4#53(ns3.sixxs.net) in 30 ms
Stating that it is broken without actual evidence what is broken is really quite silly.
Shadow Hawkins on Thursday, 03 January 2008 13:40:55
Sorry for that, at the time I wrote the above contribution, it did not resolve from my location.
There is one point remaining: the mailserver would need to use "cl-85.ams-04.nl.sixxs.net" as HELO/EHLO name. Which is not always desirable.
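The forward-confirmed reverse DNS and HELO/EHLO name checks discussed in the posts above, as an added example that is not part of the original thread. The lookup tables are constructed stand-ins for live DNS, `mail.example.org` is a hypothetical operator-owned name, and the verdict labels are assumptions; receiving mail servers differ in which of these conditions they reject on.

```python
import ipaddress

# Constructed zone data standing in for live DNS. The address and the
# sixxs.net name come from the thread; mail.example.org is hypothetical.
CLIENT = "2001:960:2:54::2"
PTR = {ipaddress.ip_address(CLIENT).reverse_pointer: ["cl-85.ams-04.nl.sixxs.net."]}
AAAA = {
    "cl-85.ams-04.nl.sixxs.net": ["2001:960:2:54::2"],
    "mail.example.org": ["2001:960:2:54:0:0:0:2"],  # same address, long form
}

def _norm(name):
    """DNS names compare case-insensitively and ignore the trailing dot."""
    return name.rstrip(".").lower()

def _points_at(name, ip, fwd):
    # Compare parsed addresses, not strings: "::2" and ":0:0:0:2" are equal.
    return any(ipaddress.ip_address(a) == ip for a in fwd.get(_norm(name), []))

def fcrdns(client_ip, ptr=PTR, fwd=AAAA):
    """Forward-confirmed reverse DNS: a PTR name must resolve back to the
    client address. Returns (verdict, confirmed_name_or_None)."""
    ip = ipaddress.ip_address(client_ip)
    names = ptr.get(ip.reverse_pointer, [])
    if not names:
        return ("no-ptr", None)
    for name in names:
        if _points_at(name, ip, fwd):
            return ("confirmed", _norm(name))
    return ("forward-mismatch", None)

def helo_check(client_ip, helo, ptr=PTR, fwd=AAAA):
    """Classify a HELO/EHLO name against the client's address and rDNS."""
    ip = ipaddress.ip_address(client_ip)
    if not fwd.get(_norm(helo)):
        return "helo-unresolvable"
    if not _points_at(helo, ip, fwd):
        return "helo-points-elsewhere"
    _, rdns = fcrdns(client_ip, ptr, fwd)
    if rdns == _norm(helo):
        return "helo-matches-rdns"
    return "helo-resolves-but-differs-from-rdns"

if __name__ == "__main__":
    print(fcrdns(CLIENT))
    for helo in ("cl-85.ams-04.nl.sixxs.net", "mail.example.org", "nohost.invalid"):
        print(helo, "->", helo_check(CLIENT, helo))
```

The last verdict is the situation raised in the post above: a HELO name under the operator's own domain can resolve to the tunnel address, but it will not equal the PoP-assigned reverse name.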
Shadow Hawkins on Saturday, 12 January 2008 23:40:19
A bit late into this discussion, but since no one seems to have answered this yet: A 'webserver' will need reverse DNS if it's going to provide an SSL service. You will need a certificate matching the reverse DNS name, and you should 'own' the name to get such a certificate.
But I don't believe that this is a common problem, or that 'spending' a subnet to overcome the restriction is any problem at all...
Well, I guess you already knew all this, but now I've documented it for you in this thread :)
Bjørn
Shadow Hawkins on Sunday, 13 January 2008 00:34:44
No, we haven't, because it's not true :-)
The name in the certificate and the forward name need to match. Also, since your webserver has to send out the certificate before it receives the request you cannot send different certificates for HTTP/1.1 virtual hosting (name based virtual hosts), which basically means that you need a unique (ip,port) combination for each certificate you want to serve.
Matching reverse name (or even existing reverse name) is not a requirement for successful SSL validation. There might be some clueless CAs that want to see that when creating certificates though.
Shadow Hawkins on Sunday, 13 January 2008 19:06:43
Of course you're right. Don't know what I was thinking. Sorry for the confusion.
Bjørn