[Mimedefang] OT: DNS sanity check
Les Mikesell
les at futuresource.com
Thu Jul 5 02:19:25 EDT 2007
John Nemeth wrote:
> All servers on the internet should have proper PTR records.
>
> The problem is that people can make PTR records say anything
> regardless of whether they have any right to use a domain.
The problem is that DNS naming authority is delegated separately for the
IP address and for domain names. Ideally the same person/group ends up
in control of both for the IP(s) and host(s) in question but it doesn't
always happen.
> This is
> forging or spoofing.
Or an artifact of different people supplying the network connection and
the host/domain registrations.
> By default, sendmail will add a "may be forged"
> tag to the "Received: " header. However, some sites will quite simply
> reject the message, since they have no way of knowing if the server is
> who it claims to be.
>
> } what gets me is, is there actually any requirement that the A record and
> } the PTR record for a host match? i'm under the impression that they are
>
> A records and PTR records are inversely related. If they don't
> refer to the same host, then something is seriously wrong.
But this isn't a one-to-one relationship even when the same person
controls it all through the correct delegations. A single host/domain
name may have many A records with different IP addresses. And there may
be reasons to have other names for those same IP addresses.
Theoretically, that should be done with CNAMES, but it may not be
politically acceptable to allow nslookup to show one domain name is
mapped into another.
See
http://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations-04
for a current discussion of the problems involved and a flat-out
statement that "Applications should not rely on reverse mapping for
proper operation" and a recommendation against using reverse dns to
reject email in section 4.4.
> } unreasonably rejecting mail but I just want to get a sanity check before
>
> Despite the silly bickering, the bottom line is that your DNS
> setup is seriously broken and receiving sites have every right to
> reject your mail because of it.
They have the right to reject addresses ending in .35 if they feel like
it. They just shouldn't claim that it is justified by a standards
requirement.
--
Les Mikesell
lesmikesell at gmail.com
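As an added example (not part of the thread or of any poster's code), here is a forward-confirmed reverse DNS check in Python that reflects the point made above: PTR and A records are many-to-many, so the useful test is not name equality but whether any PTR name forward-resolves back to the connecting IP, which is then something to tag (as sendmail's "may be forged") rather than a standards-based reason to reject. The zone data is constructed and the lookups are injected so it runs offline; substitute real resolver calls to use it.

```python
"""Forward-confirmed reverse DNS (FCrDNS) classification, example code.

One IP may have several PTR names and one name may have several A records,
so the check accepts the IP if ANY of its PTR names lists that IP among
its A records. The result is a classification for a header tag, not a
reject decision.
"""
from typing import Callable, Dict, List, Tuple

# Constructed zone data: hypothetical names and documentation addresses,
# not taken from the thread.
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.35": ["mail.example.net.", "www.example.net."],  # two names
    "192.0.2.36": ["host36.isp.example."],  # ISP-supplied name, no match
    "192.0.2.37": [],                       # no reverse mapping at all
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.net.": ["192.0.2.35", "192.0.2.40"],  # multi-homed host
    "www.example.net.": ["192.0.2.35"],
    "host36.isp.example.": ["198.51.100.7"],
}


def lookup_ptr(ip: str) -> List[str]:
    """Stand-in for a real PTR query (e.g. dns.resolver.resolve)."""
    return PTR_RECORDS.get(ip, [])


def lookup_a(name: str) -> List[str]:
    """Stand-in for a real A query."""
    return A_RECORDS.get(name, [])


def fcrdns(ip: str,
           ptr: Callable[[str], List[str]] = lookup_ptr,
           a: Callable[[str], List[str]] = lookup_a) -> Tuple[str, List[str]]:
    """Return (verdict, confirmed_names).

    'confirmed'     : at least one PTR name forward-resolves to ip
    'no-ptr'        : the IP has no reverse mapping
    'may be forged' : PTR names exist but none maps back to ip
    """
    names = ptr(ip)
    if not names:
        return "no-ptr", []
    confirmed = [n for n in names if ip in a(n)]
    if confirmed:
        return "confirmed", confirmed
    return "may be forged", []
```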