Re: Wildcards in reverse DNS - DNS


Thread: Re: Wildcards in reverse DNS

  1. Re: Wildcards in reverse DNS



    Karl Auer wrote:
    > On Sat, 2007-01-06 at 23:08 +0100, Sten Carlsen wrote:
    >
    >> have two classes of addresses: public and private; the low 64 bits still
    >> do little for addressing as I see it. Maybe I still need more details?
    >>

    >
    > Hm. So having several million trillion addresses PER SUBNET (2^64) still
    > isn't enough for you?
    >

    YES, if they were available. Since they are used for the MAC address,
    real life will provide only ONE out of those 2^64.

    MAC addresses are supposed to be unique so only one out of the possible
    addresses will be used; except if privacy addresses are being taken into
    account.

    Or is there still something I have missed?
    > Regards, K.
    >
    >


    --
    Best regards

    Sten Carlsen

    No improvements come from shouting:

    "MALE BOVINE MANURE!!!"



  2. Re: Wildcards in reverse DNS

    On Sun, 2007-01-07 at 00:15 +0100, Sten Carlsen wrote:
    > > Hm. So having several million trillion addresses PER SUBNET (2^64) still
    > > isn't enough for you?
    > >

    > YES, if they were available. Since they are used for the MAC address,
    > real life will provide only ONE out of those 2^64.


    ?!? You can put as many addresses as you want on one interface - the MAC
    address stuff is only for stateless autoconfiguration. Much more
    importantly, you can have 2^64 different hosts (or 2^64 different
    interfaces) in a single subnet - more if you extend your host part beyond
    64 bits. That is more addresses than there are MAC addresses - more IP
    addresses than there are *possible* MAC addresses...

    Perhaps I misunderstand your point. What exactly is the problem as you
    see it?

    > MAC addresses are supposed to be unique so only one out of the possible
    > addresses will be used; except if privacy addresses are being taken into
    > account.


    There is no problem at all with you and me sharing a MAC address as long
    as we have a router between us...

    Regards, K.

    --
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
    Karl Auer (kauer@biplane.com.au) +61-2-64957160 (h)
    http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)



  3. Re: Wildcards in reverse DNS



    Karl Auer wrote:
    > On Sun, 2007-01-07 at 00:15 +0100, Sten Carlsen wrote:
    >
    >>> Hm. So having several million trillion addresses PER SUBNET (2^64) still
    >>> isn't enough for you?
    >>>
    >>>

    >> YES, if they were available. Since they are used for the MAC address,
    >> real life will provide only ONE out of those 2^64.
    >>

    >
    > ?!? You can put as many addresses as you want on one interface - the MAC
    > address stuff is only for stateless autoconfiguration. Much more
    > importantly, you can have 2^64 different hosts (or 2^64 different
    > interfaces) in a single subnet - more if you extend your host part beyond
    > 64 bits. That is more addresses than there are MAC addresses - more IP
    > addresses than there are *possible* MAC addresses...
    >
    > Perhaps I misunderstand your point. What exactly is the problem as you
    > see it?
    >

    I agree, I was too quick.
    >
    >> MAC addresses are supposed to be unique so only one out of the possible
    >> addresses will be used; except if privacy addresses are being taken into
    >> account.
    >>

    >
    > There is no problem at all with you and me sharing a MAC address as long
    > as we have a router between us...
    >

    As long as MAC-addresses are unique we will not share them. Even if I
    have 1000 devices I "waste" 50+ bits; I guess that this is just my
    natural tendency to not overdo field lengths and not transmit too many
    bits, but also not too few. Network bandwidth is becoming cheaper so it
    matters less.

    My main concern will still be privacy. Let that rest for now, it will
    not be any different whatever I say, I will have to learn to work with
    it. :-)
    > Regards, K.
    >
    >


    --
    Best regards

    Sten Carlsen

    No improvements come from shouting:

    "MALE BOVINE MANURE!!!"



  4. Re: Wildcards in reverse DNS

    > On Sat, Jan 06, 2007 at 11:15:32AM -0800, Clenna Lumina wrote:
    >> Marc Haber wrote:
    >> >> so if it's generating a bad HELO, then thats the fault of the
    >> >> foreign mail server, which is likely not configured correctly to
    >> >> begin with.
    >> >>
    >> >> My personal mail server which sits behind my home NAT, has never
    >> >> failed to get a proper HELO from proper foreign hosts.
    >> >
    >> > It's the connecting server who says HELO, not the server connected
    >> > to.

    >>
    >> That *is* what I said - s/foreign/connecting/
    >>
    >> " so if it's generating a bad HELO, then thats the fault of the
    >> foreign mail server "
    >> ^^^^^^^

    >
    > I am talking about connecting via SMTP to the outside. How is a server
    > behind NAT supposed to know which HELO to use when connecting to the
    > outside?


    If it's connecting to the outside, it would already know which one (the
    domain of the mail it's sending to the destination server, of course...
    it's not exactly magic.) As I've already told you, I've run mail servers
    *behind* (and still do, even my private one on my home network) and
    NEVER had any issues.

    You're once again confusing NAT itself with bad implementations. Your
    way of thinking is just like people who think all modern SUVs are poor
    off road vehicles with bad gas mileage, when there are a few that do
    perform exceptionally well off road and have much better fuel economy.

    >> > and 2001:1b18:f:4::4/128 is not _that_ bad. Yes, that's an actually
    >> > working address.

    >>
    >> How does that equate to a full 16 octet IPv6 address? I'm not all that
    >> keen on all forms of IPv6 IPs, but I've never seen it written like you
    >> have. If you can connect to an IP using a shorthand like this (without
    >> breaking anything) that would be great. It's a new concept to get used
    >> to, but (if it pans out), a welcome one.

    >
    > Quoting from Wikipedia:
    >
    > IPv6 addresses are normally written as eight groups of four
    > hexadecimal digits. For example,
    > 2001:0db8:85a3:08d3:1319:8a2e:0370:7334 is a valid IPv6 address.
    >
    > If a four-digit group is 0000, the zeros may be omitted. For example,
    > 2001:0db8:85a3:0000:1319:8a2e:0370:1337 can be shortened as
    > 2001:0db8:85a3::1319:8a2e:0370:1337. Following this rule, any group of
    > consecutive 0000 groups may be reduced to two colons, as long as there
    > is only one double colon used in an address. Leading zeros in a group
    > can also be omitted. Thus, the addresses below are all valid and
    > equivalent:
    >
    > 2001:0db8:0000:0000:0000:0000:1428:57ab
    > 2001:0db8:0000:0000:0000::1428:57ab
    > 2001:0db8:0:0:0:0:1428:57ab
    > 2001:0db8:0:0::1428:57ab
    > 2001:0db8::1428:57ab
    > 2001:db8::1428:57ab


    Thank you, this helps a lot

    > Having more than one double-colon abbreviation in an address is
    > invalid, as it would make the notation ambiguous.


    How so? If such a notation means zero, wouldn't
    2001:db8:::1428:57ab
    just essentially translate to
    2001:db8:0000:0000::1428:57ab

    I mean, it would seem pointless of course, although I don't think it
    would be ambiguous if they amount to zero (in other words I would have
    thought extra pairs would be essentially discarded in a manner, as they
    wouldn't really make a difference).

    > A sequence of 4 bytes at the end of an IPv6 address can also be
    > written in decimal, using dots as separators. This notation is often
    > used with compatibility addresses (see below). Thus, ::ffff:1.2.3.4 is
    > the same address as ::ffff:102:304.


    Nice. That is exactly what I was hoping for, some way of using old
    addresses (and with compatibility, may I assume you mean mapping to
    IPv4 equivalents of the DEC portion (for an IPv4 IP within an IPv6 space)?)

    > Additional information can be found in RFC 4291 - IP Version 6
    > Addressing Architecture.


    Thank you.

    >> If you could suggest a good page to look at that describes these sorts
    >> of things, I would appreciate it.

    >
    > The Wikipedia page on ipv6 is not that bad.


    True.

    >> >> Can you really tell me you can easily remember an address that
    >> >> long?
    >> >> I can remember a 4 section IP without any trouble. Remembering an
    >> >> IPv6 address might be possible, no doubt, but you'd likely have to
    >> >> known it rather well, and have a rather good memory.
    >> >
    >> > If DNS is properly used, you don't need to remember IPv6 addresses.
    >> > And, usually, you only need to remember the prefix anyway.

    >>
    >> Well you still need to enter them at _some_ point or another into DNS

    >
    > yes, once. And one is well advised to use cut&paste for ipv4 as well.


    No argument there.

    >> While I like how the Germans did it, there is an
    >> obvious benefit to using area codes, especially in a country the
    >> size of the US. When you see a phone number with an area code,
    >> you can easily deduce or determine where it may actually be
    >> located.

    >
    > Actually, we have area codes. They are longer for rural areas, and
    > shorter for the big cities, to allow the actual subscriber number to
    > vary in length according to the size of the local network.


    I see. Not a bad system. I would not say either the German or US system
    is right or wrong, as they both seem to serve a purpose, though I find
    the German system appears to scale better.




  5. Re: Wildcards in reverse DNS

    On Mon, Jan 08, 2007 at 09:28:39AM -0800, Clenna Lumina wrote:
    > >> Marc Haber wrote:
    > >> >> so if it's generating a bad HELO, then thats the fault of the
    > >> >> foreign mail server, which is likely not configured correctly to
    > >> >> begin with.
    > >> >>
    > >> >> My personal mail server which sits behind my home NAT, has never
    > >> >> failed to get a proper HELO from proper foreign hosts.
    > >> >
    > >> > It's the connecting server who says HELO, not the server connected
    > >> > to.
    > >>
    > >> That *is* what I said - s/foreign/connecting/
    > >>
    > >> " so if it's generating a bad HELO, then thats the fault of the
    > >> foreign mail server "
    > >> ^^^^^^^

    > >
    > > I am talking about connecting via SMTP to the outside. How is a server
    > > behind NAT supposed to know which HELO to use when connecting to the
    > > outside?

    >
    > If it's connecting to the outside, it would already know which one (the
    > domain of the mail it's sending to the destination server, of course...
    > it's not exactly magic.)


    A server connecting to the outside gives its own host name as
    parameter to the HELO command. See here a transcript of sending a
    message from nechayev.zugschlus.de to torres.zugschlus.de:

    $ swaks --to mh+bind-users@zugschlus.de --from mh+bind-users@zugschlus.de --server torres.zugschlus.de
    === Trying torres.zugschlus.de:25...
    === Connected to torres.zugschlus.de.
    <- 220 torres.zugschlus.de ESMTP Exim 4.64 Sat, 13 Jan 2007 13:43:37 +0100
    -> EHLO nechayev.zugschlus.de
    <- 250-torres.zugschlus.de Hello nechayev.zugschlus.de [85.214.68.41]
    <- 250-SIZE 20971520
    <- 250-PIPELINING
    <- 250-STARTTLS
    <- 250 HELP
    -> MAIL FROM:
    <- 250 OK
    -> RCPT TO:
    <- 250 Accepted
    -> DATA
    <- 354 Enter message, ending with "." on a line by itself
    -> Date: Sat, 13 Jan 2007 13:43:37 +0100
    -> To: mh+bind-users@zugschlus.de
    -> From: mh+bind-users@zugschlus.de
    -> Subject: test Sat, 13 Jan 2007 13:43:37 +0100
    -> X-Mailer: swaks v20061116.0 jetmore.org/john/code/#swaks
    ->
    -> This is a test mailing
    ->
    -> .
    <- 250 OK id=1H5iEv-0006t0-7O
    -> QUIT
    <- 221 torres.zugschlus.de closing connection
    === Connection closed with remote host.
    $

    Some receiving servers check whether the HELO/EHLO name presented to
    them matches the reverse DNS entry of the IP that is used to connect
    from and use this as input to spam scoring techniques, thus it is
    important that the connecting server knows which IP the remote side
    will see to issue the correct HELO/EHLO parameter. This is trivial
    (look it up in the DNS) as long as no NAT is in the game - if NAT is
    in the game, the connecting server behind NAT needs to be aware of
    which IP address this particular connection will be NATted to. Which at
    least involves some extra configuration and is even harder if the
    NATted-to IP address is a dynamic one.

    > As I've already told you, I've run mail servers *behind* (and still
    > do, even my private one on my home network) and NEVER had any issues.
    >
    > You're once again confusing NAT itself with bad implementations.


    NAT is evil because rarely anybody gets it completely right because it
    is awfully hard to get right. How do you configure your outgoing mail
    server to issue the correct HELO/EHLO name?

    > > Having more than one double-colon abbreviation in an address is
    > > invalid, as it would make the notation ambiguous.

    >
    > How so? If such a notation means zero, wouldn't
    > 2001:db8:::1428:57ab
    > just essentially translate to
    > 2001:db8:0000:0000::1428:57ab
    >
    > I mean, it would seem pointless of course, although I don't think it
    > would be ambiguous if they amount to zero (in other words I would have
    > thought extra pairs would be essentially discarded in a manner, as they
    > wouldn't really make a difference).


    I reckon that 2001:db8:::1428:57ab would be equivalent to
    2001:db8::1428:57ab, and fully expand to
    2001:0db8:0000:0000:0000:0000:1428:57ab.

    > > A sequence of 4 bytes at the end of an IPv6 address can also be
    > > written in decimal, using dots as separators. This notation is often
    > > used with compatibility addresses (see below). Thus, ::ffff:1.2.3.4 is
    > > the same address as ::ffff:102:304.

    >
    > Nice. That is exactly what I was hoping for, some way of using old
    > addresses (and with compatibility, may I assume you mean mapping to
    > IPv4 equivalents of the DEC portion (for an IPv4 IP within an IPv6 space)?)


    An IPv6 aware service will see an IPv4 connection from a.b.c.d as
    ::ffff:a.b.c.d. This has caused a little grief in the past when a
    supposedly minor software upgrade to a remote box suddenly made it
    IPv6 aware, the IPv4 addresses in /etc/hosts.allow didn't match any
    more and the box started to reject the management ssh connections.

    > >> While I like how the Germans did it, there is an
    > >> obvious benefit to using area codes, especially in a country the
    > >> size of the US. When you see a phone number with an area code,
    > >> you can easily deduce or determine where it may actually be
    > >> located.

    > >
    > > Actually, we have area codes. They are longer for rural areas, and
    > > shorter for the big cities, to allow the actual subscriber number to
    > > vary in length according to the size of the local network.

    >
    > I see. Not a bad system. I would not say either the German or US system
    > is right or wrong, as they both seem to serve a purpose, though I find
    > the German system appears to scale better.


    It causes some grief for international operators, as I have been
    recently informed in private mail.

    Greetings
    Marc

    --
    -----------------------------------------------------------------------------
    Marc Haber | "I don't trust Computers. They | Mailadresse im Header
    Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
    Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
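The HELO/EHLO-versus-reverse-DNS check Marc describes, and the ::ffff:a.b.c.d mismatch he mentions for /etc/hosts.allow, as an added Python example that is not from the original posts. The example.net names, 192.0.2.x addresses and lookup tables are constructed stand-ins for real PTR and A queries so that it runs offline.

```python
import ipaddress

# Constructed stand-ins for PTR and A lookups (documentation names and
# addresses, not real hosts), so the check runs without network access.
PTR_RECORDS = {
    "192.0.2.10": "mx1.example.net",
    "192.0.2.20": "nat-gw.example.net",   # public side of a NAT gateway
}
FORWARD_RECORDS = {
    "mx1.example.net": {"192.0.2.10"},
    "nat-gw.example.net": {"192.0.2.20"},
    "internal-mta.example.net": {"10.0.0.5"},  # RFC 1918 address behind the NAT
}


def canonical_client_ip(addr):
    """Return the peer address in the form an ACL should compare against.

    An IPv6-enabled listener reports an IPv4 peer as ::ffff:a.b.c.d; unwrap it
    so that plain IPv4 entries (hosts.allow style) still match."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def helo_matches_rdns(helo_name, client_addr):
    """Forward-confirmed reverse DNS check of the HELO/EHLO parameter.

    Passes only if the PTR of the connecting IP equals the HELO name and that
    name resolves back to the same IP. Returns (ok, reason)."""
    client_ip = canonical_client_ip(client_addr)
    name = helo_name.rstrip(".").lower()
    ptr = PTR_RECORDS.get(client_ip)
    if ptr is None:
        return False, "no PTR record for %s" % client_ip
    if ptr.lower() != name:
        return False, "PTR %s does not match HELO %s" % (ptr, name)
    if client_ip not in FORWARD_RECORDS.get(name, set()):
        return False, "HELO %s does not resolve back to %s" % (name, client_ip)
    return True, "forward-confirmed"


def acl_allows(client_addr, allowed_networks):
    """hosts.allow-style source check that survives an IPv6-enabled listener."""
    ip = ipaddress.ip_address(canonical_client_ip(client_addr))
    return any(ip in ipaddress.ip_network(n) for n in allowed_networks)


if __name__ == "__main__":
    # A NATted server that HELOs with its internal name fails the check; the
    # same server configured to HELO with the gateway's public name passes.
    print(helo_matches_rdns("internal-mta.example.net", "192.0.2.20"))
    print(helo_matches_rdns("nat-gw.example.net", "192.0.2.20"))
    # Same peer, seen through an IPv6 socket as an IPv4-mapped address.
    print(helo_matches_rdns("mx1.example.net", "::ffff:192.0.2.10"))
    print(acl_allows("::ffff:192.0.2.10", ["192.0.2.0/24"]))
```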



  6. Re: Wildcards in reverse DNS

    On Tuesday 09 January 2007 04:28, Clenna Lumina wrote:
    > > On Sat, Jan 06, 2007 at 11:15:32AM -0800, Clenna Lumina wrote:
    > >> Marc Haber wrote:


    > > Quoting from Wikipedia:
    > >
    > > IPv6 addresses are normally written as eight groups of four
    > > hexadecimal digits. For example,
    > > 2001:0db8:85a3:08d3:1319:8a2e:0370:7334 is a valid IPv6 address.
    > >
    > > If a four-digit group is 0000, the zeros may be omitted. For
    > > example,
    > > 2001:0db8:85a3:0000:1319:8a2e:0370:1337 can be shortened as
    > > 2001:0db8:85a3::1319:8a2e:0370:1337. Following this rule, any group
    > > of consecutive 0000 groups may be reduced to two colons, as long as
    > > there is only one double colon used in an address. Leading zeros in
    > > a group can also be omitted. Thus, the addresses below are all valid
    > > and equivalent:
    > >
    > > 2001:0db8:0000:0000:0000:0000:1428:57ab
    > > 2001:0db8:0000:0000:0000::1428:57ab
    > > 2001:0db8:0:0:0:0:1428:57ab
    > > 2001:0db8:0:0::1428:57ab
    > > 2001:0db8::1428:57ab
    > > 2001:db8::1428:57ab

    >
    > Thank you, this helps a lot
    >
    > > Having more than one double-colon abbreviation in an address is
    > > invalid, as it would make the notation ambiguous.

    >
    > How so? If such a notation means zero, wouldn't
    > 2001:db8:::1428:57ab
    > just essentially translate to
    > 2001:db8:0000:0000::1428:57ab



    The problem with more than one '::' in an IPv6 address happens when they
    are separated.

    What is the full version of the following address?

    2001:db8::1428::57ab ?

    is it 2001:0db8:0000:0000:1248:0000:5718
    or is it 2001:0db8:0000:1248:0000:0000:5718 ?


    --
    Reverend Paul Colquhoun, ULC. http://andor.dropbear.id.au/~paulcol
    Asking for technical help in newsgroups? Read this first:
    http://catb.org/~esr/faqs/smart-questions.html#intro



  7. Re: Wildcards in reverse DNS

    On Sun, Jan 14, 2007 at 10:03:22AM +1100, Paul Colquhoun wrote:
    > The problem with more than one '::' in an IPv6 address happens when they
    > are separated.
    >
    > What is the full version of the following address?
    >
    > 2001:db8::1428::57ab ?


    undefined, I would say. Software seems to agree:

    $ sudo ip addr add dev eth0 2001:db8::1428::57ab/128
    Error: an inet prefix is expected rather than "2001:db8::1428::57ab/128".
    $ sudo ip addr add dev eth0 2001:db8:1428::57ab/128
    $ sudo ip addr show dev eth0
    2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:17:08:2e:59:87 brd ff:ff:ff:ff:ff:ff
    inet6 2001:db8:1428::57ab/128 scope global tentative
    valid_lft forever preferred_lft forever
    $

    Greetings
    Marc

    --
    -----------------------------------------------------------------------------
    Marc Haber | "I don't trust Computers. They | Mailadresse im Header
    Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
    Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
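The abbreviation rules quoted from Wikipedia and the '::' question worked through in the last three posts, as an added Python parser that is not from the original posts (written from the rules quoted above, not from the ip tool's source): it expands the thread's example addresses, rejects a second '::' and the ':::' spelling just as ip addr does, and enumerates the readings that make 2001:db8::1428::57ab ambiguous.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(text):
    """Expand textual IPv6 into eight 16-bit groups, per the rules quoted in
    the thread: leading zeros may be dropped, one run of zero groups may be
    written '::', and a trailing dotted quad (::ffff:1.2.3.4) stands for the
    last two groups. Raises ValueError for anything else, including a second
    '::' or the ':::' spelling."""
    if ":::" in text or text.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % text)
    if "." in text:
        # Rewrite the embedded IPv4 suffix as two hex groups first.
        head, _, quad = text.rpartition(":")
        octets = [int(o) for o in quad.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError("bad embedded IPv4 address: %r" % quad)
        text = "%s:%x:%x" % (head, octets[0] << 8 | octets[1],
                             octets[2] << 8 | octets[3])
    if "::" in text:
        left, right = text.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group: %r" % text)
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, found %d: %r" % (len(groups), text))
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX_DIGITS:
            raise ValueError("bad group %r in %r" % (g, text))
    return [int(g, 16) for g in groups]


def full_form(text):
    """Canonical eight-group, zero-padded spelling of an address."""
    return ":".join("%04x" % v for v in expand_ipv6(text))


def readings_of(text):
    """Every full form a string with two '::' could stand for, found by
    dividing the missing zero groups between the two gaps in all ways. More
    than one result is the ambiguity that makes the syntax invalid."""
    parts = text.split("::")
    if len(parts) != 3:
        raise ValueError("expects exactly two '::': %r" % text)
    explicit = [p.split(":") if p else [] for p in parts]
    missing = 8 - sum(len(p) for p in explicit)
    readings = set()
    for first in range(1, missing):          # each gap covers >= 1 group
        groups = (explicit[0] + ["0"] * first + explicit[1]
                  + ["0"] * (missing - first) + explicit[2])
        readings.add(":".join("%04x" % int(g, 16) for g in groups))
    return sorted(readings)
```

readings_of("2001:db8::1428::57ab") returns three distinct expansions, which is why the syntax is rejected rather than defined.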


