CAcert System Admins discussion list

[Wytze van der Raay <wytze AT cacert.org>]

Op 9-3-2011 15:08, 
ulrich AT cacert.org
 schreef:
> this topic now pops up several times ...

Not quite the same problem every time though.

> What is the problem, to add a Reverse IPv6 DNS record ?

That has been done ages ago. Has it occurred to you that the
user-reported error might have been an intermittent problem?

Just check the state now:

]$ host 2001:7b8:3:9c::245
5.4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.c.9.0.0.3.0.0.0.8.b.7.0.1.0.0.2.ip6.arpa
domain name pointer wwwmail.cacert.org.
5.4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.c.9.0.0.3.0.0.0.8.b.7.0.1.0.0.2.ip6.arpa
domain name pointer cacert.org.
5.4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.c.9.0.0.3.0.0.0.8.b.7.0.1.0.0.2.ip6.arpa
domain name pointer www.cacert.org.

The response is completely as expected.
I'm suspecting that there may have been a problem with the
DNS servers responsible for this ip6.arpa subdomain last night.
Please note that these are not CAcert name servers but BIT
name servers -- it's their IPv6 address space.

> ...
> your host 2001:7b8:3:9c::245 is lacking a reverse DNS record:

A better way to phrase this would be:
  At some particular point in time my computer was unable to retrieve a
  reverse DNS record for the IPv6 address 2001:7b8:3:9c::245.
See the difference?

> This might cause problems with email delivery:
> 
> NOQUEUE: reject: RCPT from unknown[2001:7b8:3:9c::245]: 554 5.7.1
> <unknown[2001:7b8:3:9c::245]>: Client host rejected: We don't accept mail
> from hosts 
> without a DNS record; 
> from=<returns AT cacert.org>
>  
> to=<root AT godiug.net>
> proto=SMTP helo=<www.cacert.org>

That is a choice of the mail server operator -- there is no requirement
to reject mail from IPv6 addresses with failing or missing reverse DNS
record. It is an often-made choice for the sake of spam blocking, but
it's a choice that reduces interoperability, like many other spam
blocking schemes. Use at your OWN risk ...

Regards,
-- wytze