Re: [DNSOP] I-D Action: draft-ietf-dnsop-isp-ip6rdns-01.txt

"Howard, Lee" <> Wed, 23 December 2015 15:56 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 50EEE1A1B24 for <>; Wed, 23 Dec 2015 07:56:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 2.265
X-Spam-Level: **
X-Spam-Status: No, score=2.265 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_RELAY_NODNS=1.451, HELO_EQ_MODEMCABLE=0.768, HELO_MISMATCH_COM=0.553, HTML_MESSAGE=0.001, J_CHICKENPOX_44=0.6, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gaQ7kKV3KNXT for <>; Wed, 23 Dec 2015 07:56:45 -0800 (PST)
Received: from (unknown []) by (Postfix) with ESMTP id 50E0A1A1B1E for <>; Wed, 23 Dec 2015 07:56:44 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.20,469,1444708800"; d="scan'208,217";a="952918619"
Received: from unknown (HELO ([]) by with ESMTP/TLS/AES256-SHA; 23 Dec 2015 10:53:05 -0500
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 23 Dec 2015 10:56:22 -0500
Received: from ([]) by ([]) with mapi id 15.00.1104.000; Wed, 23 Dec 2015 10:56:22 -0500
From: "Howard, Lee" <>
To: George Michaelson <>, dnsop WG <>
Thread-Topic: [DNSOP] I-D Action: draft-ietf-dnsop-isp-ip6rdns-01.txt
Thread-Index: AQHRPQmOiTF1VNg0ZU+xigL6/1PIy57YuuyA
Date: Wed, 23 Dec 2015 15:56:21 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_D2A02C9AD1A6CLeeHowardtwcablecom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-isp-ip6rdns-01.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 23 Dec 2015 15:56:49 -0000

From: George Michaelson <<>>
Date: Tuesday, December 22, 2015 at 5:39 PM
To: dnsop WG <<>>, Lee Howard <<>>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-isp-ip6rdns-01.txt

I want to dispute one part of this: the "DNSSEC may not scale well" part. With thanks to Ray Bellis, APNIC has been running an evldns webserver which signs on the fly, and we have achieved north of 3000 signs/second from this code on a smallish cloud node signing on demand.

Can you quantify "smallish"?  Unfortunately, the folks I know who can tell me our PTR query rate are out for a couple of weeks, but it would stand to reason that the RIRs would get a lot of qps.

Our model was unique domains (the 1x1 ad system) but Ray coded a simple ring buffer and for the repeat queries, there was a demonstrable cache benefit to keeping some amount of signed state live without having to re-sign.

Makes sense.

When this part of the text was first written, 5-6 years ago, the statement was truer than it is now.
I could rewrite to say, "Signing PTR records on the fly may be scalable, especially if records thus signed are cached, but large-scale experience is currently limited."
Ralf's additional note about DDoS scenarios is well taken, but I have a feeling APNIC is under constant attack.

In other words: more input needed.


I think that on-the-fly DNSSEC for IPv6 is tractable.


On Wed, Dec 23, 2015 at 5:48 AM, <<>> wrote:

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Domain Name System Operations Working Group of the IETF.

        Title           : Reverse DNS in IPv6 for Internet Service Providers
        Author          : Lee Howard
        Filename        : draft-ietf-dnsop-isp-ip6rdns-01.txt
        Pages           : 13
        Date            : 2015-12-22

   In IPv4, Internet Service Providers (ISPs) commonly provide IN-
   ADDR.ARPA information for their customers by prepopulating the zone
   with one PTR record for every available address.  This practice does
   not scale in IPv6.  This document analyzes different approaches and
   considerations for ISPs in managing the zone for IPv6
   address space assigned to many customers.

The IETF datatracker status page for this draft is:

There's also a htmlized version available at:

A diff from the previous version is available at:

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at<>.

Internet-Drafts are also available by anonymous FTP at:

DNSOP mailing list<>


This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.