Reverse address entries
Novosielski, Ryan
novosirj at ca.rutgers.edu
Fri Jul 12 15:39:07 UTC 2013
On 07/12/2013 11:23 AM, Sam Wilson wrote:
> In article
> <mailman.736.1372773195.20661.bind-users at lists.isc.org>, Steven
> Carr <sjcarr at gmail.com> wrote:
>
>> On 2 July 2013 14:42, Sam Wilson <Sam.Wilson at ed.ac.uk> wrote:
>>> Can anyone here give examples of the types of various software
>>> that will not operate without a PTR record?
>>
>> There have already been numerous listings of software that
>> require reverse lookups. SMTP being the main one. Other services
>> like IRC and some databases (Oracle/MySQL) can also be configured
>> to require properly working reverse lookups.
>
> "... can also be configured ..." - see below.
>
>>> I agree that if PTR records exist then they should match an A
>>> record. My experience (and IIRC correctly the word of several
>>> RFCs) is that PTRs are not required for most things to work.
>>
>> RFC1912 [http://tools.ietf.org/html/rfc1912] section 2.1...
>>
>> Every Internet-reachable host should have a name... Make sure
>> your PTR and A records match. For every IP address, there should
>> be a matching PTR record in the in-addr.arpa domain. If a host
>> is multi-homed, (more than one IP address) make sure that all IP
>> addresses have a corresponding PTR record (not just the first
>> one). Failure to have matching PTR and A records can cause loss
>> of Internet services similar to not being registered in the DNS
>> at all. Also, PTR records must point back to a valid A record,
>> not a alias defined by a CNAME.
>
> Sorry for the delay in returning to this. RFC 1912 says:
>
> Status of this Memo
>
> This memo provides information for the Internet community. This
> memo does not specify an Internet standard of any kind. ...
>
> To make myself clear, I'm a big fan of correct PTR records and we
> try to make sure that our reverse DNS is fully populated. I do not
> regard lack of a valid PTR record to be a reason to refuse
> connection except, perhaps, in very particular circumstances, for
> instance where it might be part of a trust stance. That would be
> by agreement between consenting adults, not the law of Internetland
> in general.
Came across another instance where it may matter: TCP Wrappers.
Although the case there was a bit more peculiar -- rr.net does not
appear to have FORWARD DNS for at least some of its dynamic address
space. So you can get a PTR, and then address validation fails on the
forward address. I guess perhaps if you had no PTR it would never go
that far.
--
Note: UMDNJ is now Rutgers Biomedical and Health Sciences
Ryan Novosielski - Sr. Systems Programmer
novosirj at rutgers.edu - 973/972.0922 (2x0922)
OIT/EI-Academic Svcs. - ADMC 450, Newark
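Added example, not part of the thread: the forward-confirmed reverse lookup that TCP Wrappers performs, run against constructed zone data so it works offline. The hostnames and addresses are made up, and the PARANOID handling follows my reading of libwrap, so treat it as an approximation rather than the tool's own code.

```python
from typing import Dict, List, Optional, Tuple

# Constructed zone data standing in for live DNS (these names are made up).
# 10.0.0.2 is the rr.net-style case: a PTR exists but the name has no A record.
# 10.0.0.5 has a PTR naming a host that resolves elsewhere, so it cannot be confirmed.
FAKE_PTR: Dict[str, List[str]] = {
    "10.0.0.1": ["good.example.net."],
    "10.0.0.2": ["orphan.example.net."],
    "10.0.0.5": ["good.example.net."],
}
FAKE_A: Dict[str, List[str]] = {"good.example.net.": ["10.0.0.1"]}

def lookup_ptr(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])

def lookup_a(name: str) -> List[str]:
    return FAKE_A.get(name, [])

def fcrdns(ip: str, ptr_lookup=lookup_ptr, a_lookup=lookup_a) -> Tuple[str, Optional[str]]:
    """Forward-confirmed reverse DNS. Returns (verdict, name):
    no-ptr      nothing to verify; the client stays a bare address
    no-forward  PTR exists but no returned name has an A record (the rr.net case)
    mismatch    a name resolves, but not back to this address
    ok          PTR and A agree
    """
    names = ptr_lookup(ip)
    if not names:
        return "no-ptr", None
    resolved_any = False
    for name in names:
        addrs = a_lookup(name)
        if not addrs:
            continue
        resolved_any = True
        if ip in addrs:
            return "ok", name
    return ("mismatch" if resolved_any else "no-forward"), names[0]

def wrapper_hostname(ip: str) -> str:
    """Name TCP Wrappers would match against hosts.allow/hosts.deny, as I read
    libwrap: the confirmed name, the bare address when there is no PTR, and the
    PARANOID wildcard when the PTR cannot be confirmed by a forward lookup."""
    verdict, name = fcrdns(ip)
    if verdict == "ok":
        return name
    if verdict == "no-ptr":
        return ip
    return "PARANOID"

if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.4", "10.0.0.5"):
        print(ip, fcrdns(ip), "->", wrapper_hostname(ip))
```

Swap `lookup_ptr`/`lookup_a` for real resolver calls to use it against live DNS; the verdict names make the "PTR but no forward" case visible in logs instead of a silent deny.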