lists.isc.org rDNS failed, DNSSEC?

Mark Andrews marka at isc.org
Thu Mar 1 04:56:31 UTC 2012


In message <1330508848.24108.140661042811441 at webmail.messagingengine.com>, nudge writes:
> A thought regarding the pros and cons of DNSSEC that I don't recall
> being mentioned.

There are a whole set of things you can do once you have secure
DNS.  You just have to use your imagination.  This one has always
been blindingly obvious.

> Was reverse-dns verification introduced in response to a lack of
> confidence in forward-dns? This can cause much frustration, especially
> in smaller environments. If the implementation of DNSSEC allowed us to
> avoid using reverse-dns then perhaps that could be beneficial to many.

Not accepting SMTP from machines without a reverse DNS entry has
nothing to do with the security of the DNS (forward or reverse).
It had (past tense) to do with a strong correlation between compromised
machines spewing out spam and lack of reverse DNS entries.  If you
actually read the RFCs they say "do NOT do this check".  If you are
sane you only use it as one input into deciding if email is spam.
The lack of a PTR record, by itself, shouldn't be enough to get a
piece of email rejected though I do know lots of sites do it.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
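As an added illustration of the policy Mark describes (treat a missing PTR as one scored input, never as a sole reason to reject), not code from the original thread: the snippet below classifies a connecting IP's reverse DNS, going one step further than the text by forward-confirming the PTR name, and feeds the result into a weighted spam score. The DNS data, weights, and threshold are constructed assumptions for an offline run.

```python
# Constructed in-memory PTR and A data standing in for live lookups, so this runs offline.
# In a real MTA hook these two dicts would be replaced by resolver calls.
FAKE_PTR = {
    "192.0.2.10": "mail.example.net",     # PTR present and forward-confirmed below
    "192.0.2.20": "host-20.example.org",  # PTR present but forward lookup does not match
    # 192.0.2.30 deliberately has no PTR record at all
}
FAKE_A = {
    "mail.example.net": ["192.0.2.10"],
    "host-20.example.org": ["198.51.100.7"],
}


def lookup_ptr(ip):
    return FAKE_PTR.get(ip)


def lookup_a(name):
    return FAKE_A.get(name, [])


def rdns_status(ip, ptr=lookup_ptr, a=lookup_a):
    """Classify reverse DNS for the client IP: 'none', 'unconfirmed' or 'confirmed'."""
    name = ptr(ip)
    if name is None:
        return "none"
    # Forward-confirmed rDNS: the PTR target must resolve back to the same address.
    return "confirmed" if ip in a(name) else "unconfirmed"


# Assumed weights: a missing PTR scores below the reject threshold on its own.
RDNS_WEIGHTS = {"none": 2.0, "unconfirmed": 1.0, "confirmed": 0.0}
REJECT_THRESHOLD = 5.0


def spam_score(ip, other_signals, ptr=lookup_ptr, a=lookup_a):
    """Sum the rDNS contribution with other already-scored signals (DNSBL hit, bad HELO, ...)."""
    return RDNS_WEIGHTS[rdns_status(ip, ptr, a)] + sum(other_signals.values())


def decide(ip, other_signals):
    """Return ('reject' | 'accept', score); only the combined score can cross the threshold."""
    score = spam_score(ip, other_signals)
    return ("reject" if score >= REJECT_THRESHOLD else "accept", score)
```

Swapping `lookup_ptr` and `lookup_a` for `socket.gethostbyaddr` and `socket.getaddrinfo` turns this into a live check; the scoring logic stays the same.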