Multiple PTRs to single A record

Barry Margolin barmar at genuity.net
Thu Jun 28 19:54:31 UTC 2001


In article <9hfn1m$1pt at pub3.rc.vix.com>,
Jim D. Kirby <jdkirby at bluebunny.com> wrote:
>I was given some suspect advice recently about router management.  I was
>told that some network management systems require that all IP addresses on a
>router resolve to a single name.  I've been thinking long and hard about
>this for a couple of days and I think I've thunk myself into circular
>reasoning and I can't see straight anymore.  Here's what I think it means:
> 
>in the forward zone we want:
> 
>router-primary        IN A    10.0.0.1
>router-if1            IN A    10.0.10.1
>router-if2            IN A    10.0.20.1
>etc...
> 
>And in the reverse zone we have:
> 
>10.0.0.1             IN PTR   router
>10.0.10.1            IN PTR   router
>10.0.20.1            IN PTR   router
> 
>This means that lookups on the name will always return the address of the
>interface assigned to that name, but reverse lookups on the address would
>always return the router's primary name.
> 
>This was suggested (in a Cisco Press book) because some network management
>systems will see an independent A/PTR pair as a distinct network node,
>when in fact they are interfaces on the same node.  I know CA's Unicenter
>TNG behaves this way.  Ciscoworks 2000 does not.
> 
>I was thinking of setting the router's loopback interface as the primary IP
>address for the router, and adding PTR records for each IP address to that
>name.  I can't find anything that says this is against RFC's, but I have
>read on the list that some resolvers will flag a security issue if, on
>receiving a response for a PTR query, a subsequent query on the name does not
>return the same address.
> 
>Can any gurus confirm that this is good/bad advice?

A PTR record should always point to a name whose A record is the address in
the PTR record.  This isn't stated explicitly in any DNS RFC's, but it
makes logical sense -- consistency checks like this are used to detect
attempted DNS spoofing (e.g. if you have a TCP wrapper that allows
*.yourdomain to access a server, without this check *anyone* could put a
PTR record that resolves their address to somename.yourdomain).

What we do is something like:

router-if1 IN A x.x.x.x
router-if2 IN A y.y.y.y
etc...
router-all IN A x.x.x.x
           IN A y.y.y.y
           ...
router     IN CNAME router-if1

We have our PTR records point to the router-if1 names, but if your NMS
requires that the PTRs all point to the primary name, you could use the
above system and have all the PTR records point to router-all.  Or you
could dispense with the router-all name and the CNAME record, and use:

router     IN A x.x.x.x
           IN A y.y.y.y
           ...

Then have the PTR records all point to "router".

This should allow you to address individual interfaces, and still appease
your NMS.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
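The consistency check Barry describes (reverse lookup, then forward lookup of the resulting name, then confirm the original address is among that name's A records, often called forward-confirmed reverse DNS) is shown below as an added example; it is not code from this thread or from BIND. It runs against constructed in-memory zone data rather than a live resolver, with one zone modelling the layout in the original question (PTRs to a primary name that has a single A record) and one modelling Barry's alternative (the PTR target carries an A record for every interface). The host names under example.net and the 10.0.0.0/8 and 198.51.100.9 addresses are constructed for illustration.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check over constructed zone data.

Added example, not code from the bind-users thread or from BIND.  Zone
contents, host names and addresses are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Zone:
    """Minimal stand-in for a resolver: forward A records and reverse PTRs."""
    forward: dict[str, set[str]] = field(default_factory=dict)  # name -> A addresses
    reverse: dict[str, str] = field(default_factory=dict)       # address -> PTR target

    def ptr(self, addr: str) -> str | None:
        """Reverse lookup: the name the PTR record maps this address to."""
        return self.reverse.get(addr)

    def a(self, name: str) -> set[str]:
        """Forward lookup: every A record published for the name."""
        return self.forward.get(name, set())


def fcrdns(zone: Zone, addr: str) -> tuple[str | None, bool]:
    """Return (ptr_name, confirmed).

    confirmed is True only when the PTR target's A records include the
    address we started from, i.e. the PTR is backed by a matching A record.
    """
    name = zone.ptr(addr)
    if name is None:
        return None, False
    return name, addr in zone.a(name)


def wrapper_allows(zone: Zone, addr: str, allowed_suffix: str) -> bool:
    """TCP-wrapper style rule such as '*.example.net'.

    The PTR name must match the suffix AND pass forward confirmation; the
    suffix match alone would accept any address whose reverse zone claims a
    name under the trusted domain.
    """
    name, confirmed = fcrdns(zone, addr)
    return confirmed and name is not None and name.endswith(allowed_suffix)


# Layout from the original question (constructed): every interface has its
# own A record, but all PTRs point at the primary name, whose only A record
# is the primary (loopback) address.
JIM_LAYOUT = Zone(
    forward={
        "router-primary.example.net": {"10.0.0.1"},
        "router-if1.example.net": {"10.0.10.1"},
        "router-if2.example.net": {"10.0.20.1"},
    },
    reverse={
        "10.0.0.1": "router-primary.example.net",
        "10.0.10.1": "router-primary.example.net",
        "10.0.20.1": "router-primary.example.net",
    },
)

# Barry's alternative (constructed): keep the per-interface names, and give
# the name the PTRs point at an A record for every interface address.
BARRY_LAYOUT = Zone(
    forward={
        "router.example.net": {"10.0.0.1", "10.0.10.1", "10.0.20.1"},
        "router-if1.example.net": {"10.0.10.1"},
        "router-if2.example.net": {"10.0.20.1"},
    },
    reverse={
        "10.0.0.1": "router.example.net",
        "10.0.10.1": "router.example.net",
        "10.0.20.1": "router.example.net",
        # An outside address whose reverse zone claims a name in example.net;
        # example.net publishes no A record for that name/address pair.
        "198.51.100.9": "router.example.net",
    },
)


def report(zone: Zone, label: str) -> dict[str, bool]:
    """Run the check for every PTR in the zone; returns addr -> confirmed."""
    results: dict[str, bool] = {}
    for addr in sorted(zone.reverse):
        name, ok = fcrdns(zone, addr)
        results[addr] = ok
        print(f"{label}: {addr:<14} PTR -> {name:<28} forward-confirmed={ok}")
    return results


if __name__ == "__main__":
    report(JIM_LAYOUT, "question")
    report(BARRY_LAYOUT, "answer  ")
```

Running it shows the point of the thread: in the question's layout only the primary address is forward-confirmed, because the PTR target has no A record for the other interfaces, while in the answer's layout all three interface addresses pass. The outside address with a claimed example.net PTR fails the check in both cases, and so is refused by `wrapper_allows` even though its PTR name ends in the trusted suffix.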
