Reverse address entries

Novosielski, Ryan novosirj at ca.rutgers.edu
Fri Jul 12 15:39:07 UTC 2013



On 07/12/2013 11:23 AM, Sam Wilson wrote:
> In article
> <mailman.736.1372773195.20661.bind-users at lists.isc.org>, Steven
> Carr <sjcarr at gmail.com> wrote:
> 
>> On 2 July 2013 14:42, Sam Wilson <Sam.Wilson at ed.ac.uk> wrote:
>>> Can anyone here give examples of the types of various software
>>> that will not operate without a PTR record?
>> 
>> There have already been numerous listings of software that
>> require reverse lookups. SMTP being the main one. Other services
>> like IRC and some databases (Oracle/MySQL) can also be configured
>> to require properly working reverse lookups.
> 
> "... can also be configured ..." - see below.
> 
>>> I agree that if PTR records exist then they should match an A
>>> record. My experience (and IIRC the word of several RFCs) is
>>> that PTRs are not required for most things to work.
>> 
>> RFC1912 [http://tools.ietf.org/html/rfc1912] section 2.1...
>> 
>> Every Internet-reachable host should have a name... Make sure
>> your PTR and A records match.  For every IP address, there should
>> be a matching PTR record in the in-addr.arpa domain.  If a host
>> is multi-homed, (more than one IP address) make sure that all IP
>> addresses have a corresponding PTR record (not just the first
>> one). Failure to have matching PTR and A records can cause loss
>> of Internet services similar to not being registered in the DNS
>> at all.  Also, PTR records must point back to a valid A record,
>> not an alias defined by a CNAME.
> 
> Sorry for the delay in returning to this.  RFC 1912 says:
> 
> Status of this Memo
> 
> This memo provides information for the Internet community.  This
> memo does not specify an Internet standard of any kind. ...
> 
> To make myself clear, I'm a big fan of correct PTR records and we
> try to make sure that our reverse DNS is fully populated.  I do not
> regard lack of a valid PTR record to be a reason to refuse
> connection except, perhaps, in very particular circumstances, for
> instance where it might be part of a trust stance.  That would be
> by agreement between consenting adults, not the law of Internetland
> in general.

Came across another instance where it may matter: TCP Wrappers.
Although the case there was a bit more peculiar -- rr.net does not
appear to have FORWARD DNS for at least some of its dynamic address
space. So you can get a PTR, and then address validation fails on the
forward address. I guess perhaps if you had no PTR it would never go
that far.

-- 
Ryan Novosielski - Sr. Systems Programmer
Rutgers Biomedical and Health Sciences (formerly UMDNJ)
OIT/EI-Academic Svcs. - ADMC 450, Newark
novosirj at rutgers.edu - 973/972.0922 (2x0922)
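The failure mode Ryan describes (a PTR exists, but the name it returns has no forward record, so the address never gets confirmed) is the forward-confirmed reverse DNS check that TCP Wrappers and similar access controls perform. The following is an added example, not code from the thread or from TCP Wrappers: it implements that check with the resolver injected as two callables, so it runs offline against constructed lookup tables. The addresses and hostnames in the tables are invented for illustration; `live_reverse` and `live_forward` show the same check wired to the real resolver via the standard `socket` module.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check with an injectable resolver.

Added example for the bind-users thread; not part of the original post or of
TCP Wrappers.  The lookup tables below are constructed for illustration.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed reverse (PTR) table: address -> hostname.  An address absent
# from this table stands for NXDOMAIN on the in-addr.arpa query.
CONSTRUCTED_PTR: Dict[str, str] = {
    "192.0.2.10": "mail.example.net",               # PTR and A agree
    "192.0.2.20": "dhcp-20.dynamic.example.org",    # PTR exists, no forward record
    "192.0.2.30": "other-host.example.net",         # forward points elsewhere
}

# Constructed forward (A) table: hostname -> addresses.  A multi-homed host
# has several addresses; the check passes if any one of them is the client.
CONSTRUCTED_A: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10", "198.51.100.10"],
    "other-host.example.net": ["203.0.113.5"],
}

ReverseFn = Callable[[str], Optional[str]]
ForwardFn = Callable[[str], List[str]]


def table_reverse(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table."""
    return CONSTRUCTED_PTR.get(ip)


def table_forward(name: str) -> List[str]:
    """A lookup against the constructed table; [] means no forward record."""
    return CONSTRUCTED_A.get(name, [])


def fcrdns(ip: str,
           reverse: ReverseFn = table_reverse,
           forward: ForwardFn = table_forward) -> Tuple[str, Optional[str]]:
    """Classify a client address.  Returns (verdict, ptr_name) where verdict is:

    'no-ptr'      the in-addr.arpa query returned no name at all
    'no-forward'  the PTR names a host with no A record (the case in the post)
    'mismatch'    the host has A records, but none equals the client address
    'ok'          the PTR's name resolves back to the client address
    """
    name = reverse(ip)
    if not name:
        return "no-ptr", None
    addrs = forward(name)
    if not addrs:
        return "no-forward", name
    if ip not in addrs:
        return "mismatch", name
    return "ok", name


def allow(ip: str,
          reverse: ReverseFn = table_reverse,
          forward: ForwardFn = table_forward) -> bool:
    """A paranoid access policy: only forward-confirmed clients are admitted.
    Note that a client with *no* PTR is refused just like one whose PTR
    does not confirm; the check never gets as far as the forward lookup."""
    return fcrdns(ip, reverse, forward)[0] == "ok"


def live_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup via the system resolver (network required)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror is a subclass of OSError
        return None


def live_forward(name: str) -> List[str]:
    """Real IPv4 forward lookup via the system resolver (network required)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except OSError:          # socket.gaierror is a subclass of OSError
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99"):
        verdict, name = fcrdns(client)
        print(f"{client:<12} {verdict:<11} ptr={name} allow={allow(client)}")
```

The three refusal verdicts are deliberately distinct: a log line saying "no forward record for the name the PTR returned" points the operator at the remote site's forward zone, whereas a bare "mismatch" or "no PTR" would not.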