[Mimedefang] OT: DNS sanity check

Les Mikesell les at futuresource.com
Thu Jul 5 02:19:25 EDT 2007


John Nemeth wrote:

>      All servers on the internet should have proper PTR records.
> 
>      The problem is that people can make PTR records say anything
> regardless of whether they have any right to use a domain.

The problem is that DNS naming authority is delegated separately for the 
IP address and for domain names.  Ideally the same person/group ends up 
in control of both for the IP(s) and host(s) in question but it doesn't 
always happen.

> This is
> forging or spoofing.

Or an artifact of different people supplying the network connection and 
the host/domain registrations.

>      By default, sendmail will add a "may be forged"
> tag to the "Received: " header.  However, some sites will quite simply
> reject the message, since they have no way of knowing if the server is
> who it claims to be.
> 
> } what gets me is, is there actually any requirement that the A record and
> } the PTR record for a host match? i'm under the impression that they are
> 
>      A records and PTR records are inversely related.  If they don't
> refer to the same host, then something is seriously wrong.

But this isn't a one-to-one relationship even when the same person 
controls it all through the correct delegations.  A single host/domain 
name may have many A records with different IP addresses.  And there may 
be reasons to have other names for those same IP addresses. 
Theoretically, that should be done with CNAMES, but it may not be 
politically acceptable to allow nslookup to show one domain name is 
mapped into another.

See 
http://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations-04 
for a current discussion of the problems involved and a flat-out 
statement that "Applications should not rely on reverse mapping for 
proper operation" and a recommendation against using reverse dns to 
reject email in section 4.4.


> } unreasonably rejecting mail but I just want to get a sanity check before
> 
>       Despite the silly bickering, the bottom line is that your DNS
> setup is seriously broken and receiving sites have every right to
> reject your mail because of it.

They have the right to reject addresses ending in .35 if they feel like 
it.  They just shouldn't claim that it is justified by a standards 
requirement.

-- 
   Les Mikesell
    lesmikesell at gmail.com
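As an added example (not code from this post or from MIMEDefang), here is a forward-confirmed reverse DNS check that handles the many-to-many A/PTR relationship described above: an IP is confirmed when any of its PTR names has an A record pointing back to it, and the other cases are reported as a status a caller can tag with (as sendmail's "may be forged" does) rather than reject on. The zone data is a constructed in-memory table so the example runs offline; real deployments would query DNS instead.

```python
import ipaddress

# Constructed sample zone data (assumed, not real hosts), chosen to show
# the cases the thread discusses: several names for one IP, several IPs
# for one name, no PTR at all, and a PTR whose A record points elsewhere.
PTR = {
    "192.0.2.35": ["mail.example.org", "www.example.net"],  # two names, one IP
    "192.0.2.36": ["relay.example.org"],
    "192.0.2.37": [],                                        # no reverse mapping
    "192.0.2.38": ["mx.example.org"],                        # PTR does not map back
}
A = {
    "mail.example.org": ["192.0.2.35", "192.0.2.40"],  # one name, two addresses
    "www.example.net": ["192.0.2.35"],
    "relay.example.org": ["192.0.2.36"],
    "mx.example.org": ["198.51.100.9"],
}


def lookup_ptr(ip):
    """Stand-in for a PTR query against the constructed table."""
    return PTR.get(ip, [])


def lookup_a(name):
    """Stand-in for an A query against the constructed table."""
    return A.get(name, [])


def fcrdns(ip):
    """Forward-confirmed reverse DNS for one IP address.

    Returns (status, confirmed_names) where status is:
      "no-ptr"      - no reverse mapping exists for ip
      "confirmed"   - at least one PTR name has an A record back to ip
      "unconfirmed" - PTR names exist but none maps back (sendmail's
                      "may be forged" case)
    A name with several A records, or an IP with several PTR names, is
    still confirmed as long as one PTR name resolves back to ip, so the
    check does not demand a one-to-one A/PTR pairing.
    """
    ipaddress.ip_address(ip)  # reject malformed input early (ValueError)
    names = lookup_ptr(ip)
    if not names:
        return "no-ptr", []
    confirmed = [name for name in names if ip in lookup_a(name)]
    return ("confirmed" if confirmed else "unconfirmed"), confirmed
```

A receiving filter would typically record the status in a header or score rather than reject outright, in line with the draft's advice not to rely on reverse mapping for proper operation.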
