HP gethostbyaddr errors

Mark.Andrews at nominum.com Mark.Andrews at nominum.com
Mon Apr 17 07:38:08 UTC 2000 

> > -----Original Message-----
> > From: Mark.Andrews at nominum.com [mailto:Mark.Andrews at nominum.com]
> > Sent: Monday, 17 April 2000 15:45
> > To: James Hall-Kenney
> > Cc: bind-users at isc.org
> > Subject: Re: HP gethostbyaddr errors 
> > 
> > 
> > 
> > > All,
> > > 
> > > We have a customer who is having trouble with BIND 8.2.2-P5 
> > on HP-UX 11.
> > > 
> > > They use router management software (Spectrum on Solaris) 
> > that maps the
> > > network topology and uses reverse resolution to determine 
> > the device name of
> > > the router.  Because they are monitoring multiple 
> > interfaces on the router,
> > > the name in the management software will change regularly.  
> > To circumvent
> > > this, we have created the reverse resolution entries to all 
> > resolve to the
> > > same name ie:
> > >      
> > >      Forward Resolution entries:
> > >       
> > >      interfacea        129600  IN      A       10.13.255.5 
> > >      interfaceb        129600  IN      A       10.13.128.1 
> > >      interfacea        129600  IN      A       10.13.130.1 
> > >      
> > >      Reverse Resolution entries:  (13.10.in-addr.arpa) 
> > >       
> > >      5.255       129600  IN      PTR     interfacea.ssi.govt.nz. 
> > >      1.128       129600  IN      PTR     interfacea.ssi.govt.nz. 
> > >      1.130       129600  IN      PTR     interfacea.ssi.govt.nz.
> > > 
> > > They have a different management product - HP Network Node 
> > Manager running
> > > on HP-UX 11.  For some reason, this host seems to want to 
> > verify that the A
> > > record matches the PTR.  We get a message in syslog: 
> > >   gethostbyaddr : timcr100.ssi.govt.nz != 10.213.130.1
> > 
> > 	This message indicates that when gethostbyaddr did a reverse
> > 	lookup on 10.213.130.1 it found the name was 
> > timcr100.ssi.govt.nz.
> > 	It then performed a forward lookup on timcr100.ssi.govt.nz
> > 	and didn't find 10.213.130.1 as a valid address for
> > 	timcr100.ssi.govt.nz.
> > 
> > 	This could be due to a error in the DNS 
> 
>    So you would consider the configuration discussed to be invalid as 
>    the A records do not match the reverse records, even intentionally?
> 
>    James

	If the PTR points to a name that does not have corresponding A
	record the library routine assumes you are attempting to reverse
	spoof the server.

	Anyone who controls the reverse DNS for their address space can
	say there machine (via reverse lookup) has any given name.  It
	is only by performing a forward lookup on the name and checking
	that the address is listed is there some level of trust in the
	answer.

	I could simple arrange for my PTR records to say that all my machines
	were "sytec.co.nz".  Applications / libraries that just trust the
	PTR record would think I was "sytec.co.nz" if I connect to them.
	Those that perform the consistancy check would log the mismatch
	and treat me as unnamed or, if truly paranoid, someone with hostile
	intent.

	Depending upon the vendor, this consistancy check is built into
	the application or into the C library.

	Mark
> 
> >     or to a limitation in
> > 	gethostbyname (called by gethostbyaddr) which limits the number
> > 	of addresses to 35.
> > 
> > 	Mark
> > 
> > > 
> > > As this box is managing over 2,000 addresses, it is doing a 
> > lot of name
> > > resolution and filling up the syslog on the host very 
> > quickly.  Note that
> > > the management works OK.  The customer called HP to get 
> > them to resolve the
> > > problem and HP are saying that the DNS configuration of 
> > mismatched A and PTR
> > > records is "broken".  The engineer has quoted from page 64 
> > of O'Reilly DNS &
> > > BIND:
> > > 
> > >      "To state as a general rule: if a host is multihomed 
> > create an address 
> > >      record for each alias unique to one address. Create a 
> > CNAME record for 
> > >      each alias common to all the addresses"
> > >      
> > > Of course, this method doesn't provide for a single name 
> > per device on the
> > > Spectrum management server.
> > > 
> > > My questions:
> > > 1.  Is the described method considered to be a broken 
> > implementation?  I
> > > haven't seen any explicit statements in the RFC's that 
> > state that the PTR
> > > MUST match the A record.
> > > 2.  Any suggestions on how to work around this other than 
> > force a change
> > > with HP?
> > > 
> > > TIA
> > > 
> > > J.
> > > 
> > > James Hall-Kenney
> > > Sytec Resources Limited
> > > 	
> > > 
> > > 
> > > 
> > > 
> > --
> > Mark Andrews, Nominum Inc. / Internet Software Consortium
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: 
> > Mark.Andrews at nominum.com
> > 
--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com

More information about the bind-users mailing list