Reverse DNS and RFC 2317

Joseph S D Yao jsdy at cospo.osis.gov
Thu May 18 17:07:41 UTC 2000


On Thu, May 18, 2000 at 12:39:37PM -0400, Gary Wardell wrote:
> Oh, so all I need is to find out the name, or in this case get my ISP to 
> point to some name, any name, and then put an A record in my forward zone 
> file with that name and everything then will be cool???

NO.

You could put floppus.mcfingus.mccool as a name in your zone file.  If
you are running BIND 8, as you should be, it will be rejected.  If you
are running an old BIND 4 or a recent BIND 4 with mods, it will be
accepted.  But so what?  Nobody in the world, except your users, would
ever think that it was there.  And it's not clear that your users would
ever think that.  ;-)

The name has to be reachable by looking it up from the root name
servers on down.

You and your ISP between you have to agree to a name that is a VALID
forward-lookup name in either your DNS or theirs, and have the reverse
DNS return a PTR to that name.  Then a reasonable verifier will take
your IP address, do a reverse lookup on that, do a FORWARD lookup on
the name returned, and find that the two match!

Or, it will take your name, do a forward lookup to find the IP address,
do a reverse lookup to find its name, and compare the names.  If they
don't match, try doing a forward lookup on the returned name, and see
if the resulting IP address matches the earlier lookup.  If so, we know
that we're dealing with some kind of valid IP address, which just has
two independently owned and operated names.  ;-)

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
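The two verification procedures described in the reply above, as an added Python example that is not part of the original post. The forward and reverse zone data, and every hostname in it, are constructed; the lookups are stubbed dictionaries so the check runs offline, but the functions accept any resolver with the same signature.

```python
"""Forward-confirmed reverse DNS, in both directions the post describes."""
import ipaddress

# Constructed sample forward zones (not real hosts): name -> A records.
FORWARD = {
    "mail.example.org.": {"192.0.2.10"},
    "host.example.net.": {"192.0.2.10"},   # a second name for the same address
    "bogus.example.com.": {"192.0.2.30"},
    # "floppus.mcfingus.mccool." is deliberately absent: not reachable from the root
}
# Constructed reverse zone, keyed by the in-addr.arpa owner name: PTR targets.
REVERSE = {
    "10.2.0.192.in-addr.arpa": {"mail.example.org."},
    "20.2.0.192.in-addr.arpa": {"floppus.mcfingus.mccool."},
    "30.2.0.192.in-addr.arpa": {"other.example.com."},  # target has no A record
}

def lookup_a(name):
    """Stub forward lookup; a real resolver with the same signature drops in here."""
    return FORWARD.get(name.lower(), set())

def lookup_ptr(ip):
    """Stub reverse lookup: turn the address into its in-addr.arpa name first."""
    return REVERSE.get(ipaddress.ip_address(ip).reverse_pointer, set())

def confirmed_names(ip, ptr=lookup_ptr, a=lookup_a):
    """First procedure: IP -> PTR -> A; keep only PTR names whose A records include ip."""
    return {name for name in ptr(ip) if ip in a(name)}

def check_name(name, ptr=lookup_ptr, a=lookup_a):
    """Second procedure: name -> A -> PTR. Per address: 'name-match' when the PTR
    is the original name, 'ip-match' when a PTR name forward-resolves back to the
    address (two independently owned names for one IP), otherwise 'fail'."""
    verdicts = {}
    for ip in a(name):
        ptrs = ptr(ip)
        if name.lower() in ptrs:
            verdicts[ip] = "name-match"
        elif any(ip in a(p) for p in ptrs):
            verdicts[ip] = "ip-match"
        else:
            verdicts[ip] = "fail"
    return verdicts

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, confirmed_names(ip))
    for n in ("mail.example.org.", "host.example.net.", "bogus.example.com."):
        print(n, check_name(n))
```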



More information about the bind-users mailing list