purpose of PTR record ?
Mark_Andrews at isc.org
Tue Dec 2 23:14:32 UTC 2003
> On Mon, 01 Dec 2003 23:19:40 -0500, Andrew <andrew at arda.homeunix.net>
> wrote:
>
> >PTR records map IP addresses to names, thus doing the reverse of A records.
> >
> >One use of PTR records that is being used more and more nowadays is to
> >verify the identity of mail servers before mail is accepted from them. I
> >know of more than one ISP that will not accept inbound mail from any
> >host that does not have a PTR record.
> >
> >The degree of extra security this provides is debatable, but people are
> >doing it nonetheless.
> >
> >Andrew
>
> The RFC for mail servers requires a reverse record.
I suggest that you actually quote it if you can find it:-)
There is *no* RFC that mandates that a PTR record MUST exist
for anything or if they exist that the HELO/EHLO MUST match.
> As the authority
> for the PTR record resides with the ISP (owner of the IP address) and
> not the owner of the domain name this allows those of us that run mail
> servers to distinguish between a fully configured mail server and some
> muppet using an SMTP engine to by-pass his ISP's mailserver to send
> SPAM from an ADSL connection in his bedroom. This assumes that the ISP
> does not set reverse records for its dynamically allocated IP address
> pool.
When the ISP hands out the address to the client they should
also be handing out authority to change the related IN-ADDR.ARPA,
IP6.ARPA records. This *is* how the Internet is designed to
work.
Just because the ISP hasn't done this doesn't make them right.
If you want to be RFC compliant you won't reject any mail
based solely on the results of reverse lookups.
> NB Join any campaign for reverse MX records NOW. Reverse MX records are
> the obvious answer to SPAM as they would allow the owner of the IP
> address to state exactly what domains the IP address could send mail
> for, thereby closing open relays.
I doubt if much spam is sent directly from dialup/adsl/cable
accounts these days. Most is being delivered by "owned"
machines (which may be on adsl/cable). The rest is by
companies that have their own address space.
Reverse MX breaks the existing legitimate ability to send mail as
yourself from any machine on the Internet.
Mark
> >mark wrote:
> >
> >> forward records, like name A maps to IP address w.x.y.z pretty much
> >> solves the name resolution issue.
> >>
> >> what is the extra or special stuff that reverse PTR records are trying
> >> to achieve.
> >>
> >> is this true that one of the reasons for this may be:
> >> "for Chat and FTP servers it is useful to restrict access to hosts in
> >> certain zones"
> >> how is this restriction implemented ? (if the above is true)
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
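As an added illustration (not part of this thread and not BIND code), this is what the "verify the mail server via PTR" check Andrew describes amounts to when done properly: forward-confirmed reverse DNS, where the PTR target must map back to the connecting address, so a reverse name the ISP never delegated cannot simply claim someone else's host. All names, addresses and lookup tables are constructed from documentation ranges, and the result is something to log in a Received: header or score, not a reject decision.

```python
import ipaddress
from typing import Callable, Dict, List, NamedTuple


def reverse_name(ip: str) -> str:
    """Owner name under IN-ADDR.ARPA (v4) or IP6.ARPA (v6) whose PTR names this address."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed sample zone data: documentation ranges and example names, not real hosts.
PTR_RECORDS: Dict[str, List[str]] = {
    reverse_name("192.0.2.25"): ["mx1.example.net."],          # fully configured mail host
    reverse_name("192.0.2.66"): ["dsl-66.pool.isp.example."],  # generic ISP pool name
    reverse_name("2001:db8::10"): ["mx6.example.net."],
    reverse_name("198.51.100.9"): ["mx1.example.net."],        # PTR claims a name that does not map back
}
ADDRESS_RECORDS: Dict[str, List[str]] = {
    "mx1.example.net.": ["192.0.2.25"],
    "dsl-66.pool.isp.example.": ["192.0.2.66"],
    "mx6.example.net.": ["2001:db8::10"],
}


class RdnsResult(NamedTuple):
    status: str        # "missing", "unconfirmed" or "confirmed"
    client_name: str   # name to log in a Received: header ("unknown" when nothing is confirmed)


def check_reverse(ip: str,
                  ptr_lookup: Callable[[str], List[str]],
                  addr_lookup: Callable[[str], List[str]]) -> RdnsResult:
    """Forward-confirmed reverse DNS: a PTR exists and one of its targets maps back to ip."""
    names = ptr_lookup(reverse_name(ip))
    if not names:
        return RdnsResult("missing", "unknown")
    target = ipaddress.ip_address(ip)
    for name in names:
        if any(ipaddress.ip_address(a) == target for a in addr_lookup(name)):
            return RdnsResult("confirmed", name.rstrip("."))
    # A PTR exists but no forward record confirms it: log that, but do not trust the name.
    return RdnsResult("unconfirmed", "unknown")


def check_sample(ip: str) -> RdnsResult:
    """Run the check against the constructed tables above instead of live DNS."""
    return check_reverse(ip,
                         lambda n: PTR_RECORDS.get(n, []),
                         lambda n: ADDRESS_RECORDS.get(n, []))


if __name__ == "__main__":
    for client in ("192.0.2.25", "192.0.2.66", "198.51.100.9", "203.0.113.7", "2001:db8::10"):
        r = check_sample(client)
        print(f"{client:>14} -> {r.status:<12} logged as: {r.client_name} [{client}]")
```

Note that the generic pool name on 192.0.2.66 still confirms, which is exactly Mark's point: the existence or consistency of a PTR says nothing about whether the host should be sending mail.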