purpose of PTR record ?

Mark_Andrews at isc.org Mark_Andrews at isc.org
Tue Dec 2 23:14:32 UTC 2003


> On Mon, 01 Dec 2003 23:19:40 -0500, Andrew <andrew at arda.homeunix.net>
> wrote:
> 
> >PTR records map IP addresses to names, thus doing the reverse of A records.
> >
> >One use of PTR records that is being used more and more nowadays is to 
> >verify the identity of mail servers before mail is accepted from them. I 
> >know of more than one ISP that will not accept inbound mail from any 
> >host that does not have a PTR record.
> >
> >The degree of extra security this provides is debatable, but people are 
> >doing it nonetheless.
> >
> >Andrew
> 
> The RFC for mail servers requires a reverse record.

	I suggest that you actually quote it if you can find it:-)

	There is *no* RFC that mandates that a PTR record MUST exist
	for anything or if they exist that the HELO/EHLO MUST match.

> As the authority
> for the PTR record resides with the ISP (owner of the IP address) and
> not the owner of the domain name this allows those of us that run mail
> servers to distinguish between a fully configured mail server and some
> muppet using an SMTP engine to by-pass his ISP's mailserver to send
> SPAM from an ADSL connection in his bedroom. This assumes that the ISP
> does not set reverse records for its dynamically allocated IP address
> pool.

	When the ISP hands out the address to the client they should
	also be handing out authority to change the related IN-ADDR.ARPA,
	IP6.ARPA records.  This *is* how the Internet is designed to
	work.

	Just because the ISP hasn't done this does make them right.

	If you want to be RFC compliant you won't reject any mail
	based solely on the results of reverse lookups.
 
> NB Join any campaign for reverse MX records NOW. Reverse MX records are
> the obvious answer to SPAM as they would allow the owner of the IP
> address to state exactly what domains the IP address could send mail
> for, thereby closing open relays.

	I doubt if much spam is sent directly from dialup/adsl/cable
	accounts these days.  Most is being delivered by "owned"
	machines (which maybe on adsl/cable).  The rest is by
	companies that have their own address space.
 
	Reverse MX break the existing legitimate ability to send mail as
	yourself from any machine on the Internet.

	Mark

> >mark wrote:
> >
> >> forward records, like name A maps to IP address w.x.y.z pretty much
> >> solves the name resolution issue.
> >> 
> >> what is the extra or special stuff that reverse PTR records are trying
> >> to achieve.
> >> 
> >> is this true that one of the reasons for this may be:
> >> "for Chat and FTP servers it is useful to restrict access to hosts in
> >> certain zones"
> >> how is this restriction implemented ? (if the above is true)
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
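One way to implement the check discussed in this thread, as an added example that is not from the original post or from BIND: a forward-confirmed reverse DNS lookup built on the IN-ADDR.ARPA/IP6.ARPA owner names, driven by constructed sample zone data (made-up hosts in documentation ranges; PTR_TABLE, ADDR_TABLE, the status names and the weights are all assumptions) and reporting a weight for a scoring filter rather than a reject, in line with the point that no RFC mandates a PTR or a matching HELO.

```python
import ipaddress

def reverse_name(ip):
    """Owner name of the PTR record for ip: reversed octets under in-addr.arpa
    for IPv4, reversed nibbles under ip6.arpa for IPv6 (no trailing dot)."""
    return ipaddress.ip_address(ip).reverse_pointer

# Constructed sample zone data (made-up hosts in documentation ranges), used in
# place of live PTR and A/AAAA lookups so the check runs offline.
PTR_TABLE = {
    reverse_name("192.0.2.1"): ["mx.example.net."],    # "1.2.0.192.in-addr.arpa", forward-confirmed
    reverse_name("192.0.2.2"): ["mx.example.net."],    # PTR names a host whose A record points elsewhere
    reverse_name("2001:db8::1"): ["mx6.example.net."], # IPv6 reverse lives under ip6.arpa
    # 192.0.2.3 deliberately has no PTR at all
}
ADDR_TABLE = {
    "mx.example.net.": ["192.0.2.1"],
    "mx6.example.net.": ["2001:db8::1"],
}

def fcrdns_status(ip, ptr_lookup=PTR_TABLE.get, addr_lookup=ADDR_TABLE.get):
    """Forward-confirmed reverse DNS: look up the PTR, then resolve each name it
    returns and keep only the names that resolve back to ip.
    Returns (status, names) with status in {"none", "unconfirmed", "confirmed"}."""
    addr = ipaddress.ip_address(ip)
    names = ptr_lookup(addr.reverse_pointer) or []
    if not names:
        return "none", []
    confirmed = [n for n in names
                 if addr in {ipaddress.ip_address(a) for a in (addr_lookup(n) or [])}]
    return ("confirmed" if confirmed else "unconfirmed"), names

def rdns_evidence(ip, helo):
    """Turn the lookup into a weight for a scoring filter rather than a verdict.
    Weights are constructed for illustration; no outcome here is a reject on its own."""
    status, names = fcrdns_status(ip)
    weight = {"confirmed": 0.0, "unconfirmed": 2.0, "none": 3.0}[status]
    # A HELO/EHLO name agreeing with a PTR name is mild supporting evidence only.
    helo_match = helo.rstrip(".").lower() in {n.rstrip(".").lower() for n in names}
    if helo_match:
        weight = max(0.0, weight - 0.5)
    return {"status": status, "names": names, "helo_match": helo_match, "weight": weight}

if __name__ == "__main__":
    for ip, helo in [("192.0.2.1", "mx.example.net"), ("192.0.2.2", "mx.example.net"),
                     ("192.0.2.3", "bedroom-pc"), ("2001:db8::1", "mx6.example.net")]:
        print(ip, rdns_evidence(ip, helo))
```

Swapping `ptr_lookup` and `addr_lookup` for a real resolver (each returning a list of strings, or None) is all that is needed to run it against live DNS.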

