Setting up reverse DNS correctly

Chip Mefford cpm at well.com
Thu Jul 15 20:46:34 UTC 2004


John Coutts wrote:
| In article <cd4233$cen$1 at sf1.isc.org>, cching at mqsoftware.com says...
|
|>I recently had an e-mail I sent to comcast.net bounced back to me saying
|>something about "only valid hosts may send."  Tracking it down, I
|>found (using www.dnsreport.com) that I might not have reverse DNS set
|>up correctly for my domain name.  Could somebody help me out with
|>this?  Here is the db file for the domain (unaltered).  The named
|>daemon is bind 9 (not sure of the exact version).
|>
|>I have tried a few things in the last couple of days, but haven't
|>gotten dns report to tell me it's set up right, so I've set it back
|>the way it was originally.  Thanks for any help and let me know if I
|>need to post any other information!
|>
|>Cheers,
|>Craig
|
| ***************** REPLY SEPARATOR ********************
| Unless your ISP (XO Communications) has delegated the authority for
| your IP range to you, there is little you can do to get correct reverse
| lookup. For further info see:
|
|    http://server2.yellowhead.com/reverse.htm
|
| Having said that, most MTAs that check for PTR, only check for the
| existence of a PTR record, and not that it reports correctly.
| [67.107.38.61] responds with [61.32/27.38.107.67.in-addr.arpa] on a
| reverse lookup. The practice of multiple domain names using the same IP
| address makes verifying the domain name by checking the PTR record
| virtually impossible, because a lot of software does not check for more
| than 1 PTR record.
|
| Most ISPs won't delegate authority for a small number of IP addresses.
| From the looks of it, you have a 32 address block, which they should
| delegate, although they may ask for a small fee.

These days, as ISPs get tighter and tighter about handing out subnets,
it is kinda on them to make certain their address block holders are all
handled correctly.

A /27 should not only be RFC 2317 sub-delegated, but RFC 2167 SWIP'd as
well. Unless the upstream ISP is handling EVERYTHING for the subnet,
like personally handling the postmaster mail, the hostmaster records
etc, they SHOULD subdelegate the authority.

And this funny little bit of language:
"All ISPs receiving one or more distinct /16 CIDR blocks of IP addresses
from ARIN will be responsible for maintaining all IN-ADDR.ARPA domain
records for their respective customers."

Which I have always read as: "Okay, then YOU can change the in-addr.arpa
zone file whenever *I* feel like shifting a hostname, unless of course,
you go ahead and do the *RIGHT* thing (as the paragraph continues)

... ARIN can maintain IN-ADDRs through the use of the SWIP (Reallocate and
Reassign) templates or the Netmod template for /24 and shorter prefixes."

In short, ARIN policy pretty strongly implies that if you are an ISP,
you have two choices: either take care of your customers' DNS needs, or
subdelegate.

As an ISP customer, you are already paying for this service. They are
welcome to <rude comment> their small fee.

There are large ISPs out there that have multiple /21s assigned that
WILL NOT SWIP because they say their addresses are non-portable. Ummm,
well, duh. And these folks have been pointed at the RFCs and the ARIN
policies and yelled and screamed at and remain clueless.

I miss uu.net

Looking forward to NANOG/ARIN this year. Got some fun notes.

--

| J.A. Coutts
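The RFC 2317 arrangement John describes for that /27, as an added example that is not code from either poster: a small Python script that generates the records the ISP puts in its /24 reverse zone, the PTR records the customer serves in the classless child zone, and a toy lookup that follows the CNAME chain the way a mail server's PTR check does. The block 67.107.38.32/27 and the address 67.107.38.61 come from the thread; the name server and host names are made-up placeholders.

```python
import ipaddress

def rfc2317_zone(cidr):
    """Customer's classless reverse zone name, e.g.
    67.107.38.32/27 -> '32/27.38.107.67.in-addr.arpa'."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 25 <= net.prefixlen <= 31:
        raise ValueError("RFC 2317 is for blocks smaller than a /24")
    o = str(net.network_address).split(".")
    return f"{o[3]}/{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"

def parent_zone_records(cidr, nameservers):
    """Records the ISP adds to the /24 reverse zone it already serves:
    one NS per customer name server plus one CNAME per address."""
    net = ipaddress.ip_network(cidr, strict=True)
    child = rfc2317_zone(cidr)
    records = [(child + ".", "NS", ns) for ns in nameservers]
    for ip in net:  # every address in the block, including first and last
        last = str(ip).split(".")[3]
        records.append((ip.reverse_pointer + ".", "CNAME", f"{last}.{child}."))
    return records

def child_zone_records(cidr, ptr_map):
    """Records the customer serves in its own zone: one PTR per host."""
    net = ipaddress.ip_network(cidr, strict=True)
    child = rfc2317_zone(cidr)
    out = []
    for ip, host in ptr_map.items():
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is outside {cidr}")
        out.append((f"{ip.split('.')[3]}.{child}.", "PTR", host))
    return out

def lookup_ptr(ip, records):
    """Toy resolver: follow CNAMEs through the combined record set and
    return the final PTR target, or None when the chain ends without one
    (what a checker sees when the child zone is missing or empty)."""
    name = ipaddress.ip_address(ip).reverse_pointer + "."
    for _ in range(8):  # bound the chase so a CNAME loop cannot spin forever
        for owner, rtype, rdata in records:
            if owner == name and rtype == "PTR":
                return rdata
            if owner == name and rtype == "CNAME":
                name = rdata
                break
        else:
            return None
    return None

if __name__ == "__main__":
    # Constructed scenario: ISP side delegated, customer side published.
    isp = parent_zone_records("67.107.38.32/27", ["ns1.example.com."])
    cust = child_zone_records("67.107.38.32/27", {"67.107.38.61": "mail.example.com."})
    print(lookup_ptr("67.107.38.61", isp))          # None: CNAME only, no PTR yet
    print(lookup_ptr("67.107.38.61", isp + cust))   # mail.example.com.
```

The first lookup reproduces the symptom in the thread: the query lands on 61.32/27.38.107.67.in-addr.arpa and stops there until the customer actually serves the PTR.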

