Multiple PTRs for the same IP
Mark Andrews
Mark_Andrews at isc.org
Fri Jan 26 23:25:22 UTC 2007
> Hello All,
>
> I'm trying to find something "official" that states, or explains, why multiple
> PTRs for the same IP are not a very good idea.
They are not a good idea because they don't scale. In the
past large web hosters attempted to put a PTR record for
every virtual site on their servers. This ends up exceeding
the limits of normal query resolution support. You get
truncated TCP responses. You have to resort to AXFR to
retrieve the PTR records.
The DNS does not impose an order on returned records. If you
have multiple PTR records and you are trying to do access
control by name the application has to either list all the
names (if it looks at h_name) or try all the aliases. Not
all lookup mechanisms supply all the names, which in turn
leads to maintenance issues on the access lists.
Think of PTR records in the reverse tree as returning the
canonical name of the machine. Usually this would be the
name the machine knows itself as (fully qualified). If you
do this you won't break the APIs for returning the name of
the machine based on the address.
> Let me explain what I am talking about, and where I am hoping to go with it.
>
> In previous discussions on this topic, folks have mentioned things like:
> - most utilities will only use the first PTR returned in a query. So, why have
> many?
> - many PTRs may require TCP, rather than UDP, query traffic. This may cause
> issues if UDP is expected/enforced (or why initiate unnecessary overhead)
> - many PTRs may cause confusion when doing an rDNS check on a hostname (eg.
> they may not necessarily match in a round-robin scenario with multiple PTRs --
> counterproductive?)
>
> My Google searches find similar blogs that agree that multiple PTRs are a bad
> idea.
> One blog even says it is a "violation" to do so, but without reference to
> back this claim.
>
> Another tool says that while more than one PTR record for an IP is "legal",
> it suggests using only one PTR record for reasons pointed out above.
>
> While all of the above is excellent feedback from DNS gurus, I have been unable
> to find anything "official" to refer an upper management audience to on this
> topic.
>
> Does anyone know of an RFC that discusses this (hopefully, in our favor that
> multiple PTRs for the same IP is not a good thing).
> Some other similar reputable source, perhaps, I can reference?
>
> TIA -- Chris
>
> PS
> I hope not to offend anyone for the feedback on this topic thus far.
> That is not my intent.
> I am looking for something to support policy. We all know that game, right?
> I hope that is understood.
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
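The two failure modes Mark describes above, a PTR RRset that outgrows a classic 512-byte UDP reply and a name-based ACL that only looks at the first PTR, are easy to reproduce without a network. The script below is an added example, not code from the bind-users thread or from ISC: it encodes a worst-case (uncompressed-target) PTR answer in DNS wire format to estimate its size, and runs a forward-confirmed reverse-DNS check over either the first PTR or every PTR. The IP 192.0.2.10, the names under example.net, the forward zone and the 512-byte limit are constructed assumptions for the example; a real server compresses target names and EDNS0 raises the UDP limit, so the size here is an upper bound, not what a given BIND build will emit.

```python
"""Added example (not from the bind-users post): why a large PTR RRset for one
IP forces TCP, and why name-based access control must look at every PTR.

All sample data below is constructed for the example; no network access.
"""

UDP_PAYLOAD_LIMIT = 512  # classic DNS-over-UDP limit (RFC 1035) without EDNS0


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels + 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def reverse_name(ipv4):
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa. (IPv4 only in this example)."""
    octets = ipv4.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_response_size(ipv4, ptr_names):
    """Wire size of a minimal answer to 'PTR <reverse name>' carrying all names.

    Header (12) + question (qname + QTYPE + QCLASS) + one RR per PTR name.
    Each RR owner is a 2-byte compression pointer back to the qname, then
    TYPE, CLASS, TTL, RDLENGTH (10 bytes) and the uncompressed target name.
    Servers may also compress target suffixes, so this is an upper bound.
    """
    qname = encode_name(reverse_name(ipv4))
    size = 12 + len(qname) + 4
    for name in ptr_names:
        size += 2 + 10 + len(encode_name(name))
    return size


def needs_tcp(ipv4, ptr_names):
    """True when the RRset cannot fit a 512-byte UDP reply: the server sets
    TC=1 and the resolver has to retry over TCP to see every PTR."""
    return ptr_response_size(ipv4, ptr_names) > UDP_PAYLOAD_LIMIT


def forward_confirmed_names(ptr_names, forward_lookup, ipv4):
    """Subset of PTR names whose forward (A) lookup includes ipv4 (FCrDNS)."""
    return [n for n in ptr_names if ipv4 in forward_lookup(n)]


def allowed_by_name(ipv4, ptr_names, forward_lookup, allow_list, first_only):
    """Name-based ACL decision for a connecting ipv4 address.

    first_only mimics an application that consults only h_name, i.e. the
    first PTR in whatever order the RRset arrived. The DNS imposes no order,
    so that decision changes between queries; checking every forward-
    confirmed name does not.
    """
    candidates = forward_confirmed_names(ptr_names, forward_lookup, ipv4)
    if first_only:
        candidates = candidates[:1]
    return any(n in allow_list for n in candidates)


# --- constructed sample data (assumptions, not real zones) ------------------
HOST_IP = "192.0.2.10"
# A hosting box with one canonical name plus forty virtual-host names.
VHOSTS = ["site%d.example.net." % i for i in range(1, 41)]
PTRS_CANONICAL = ["web1.example.net."]
PTRS_ALL = PTRS_CANONICAL + VHOSTS
ALLOW_LIST = {"web1.example.net."}

# Constructed forward zone: every name above has an A record for HOST_IP.
_FORWARD = {name: {HOST_IP} for name in PTRS_ALL}


def sample_forward_lookup(name):
    """Stand-in for a real A lookup; returns the set of addresses for name."""
    return _FORWARD.get(name, set())


if __name__ == "__main__":
    print("1 PTR  reply bytes:", ptr_response_size(HOST_IP, PTRS_CANONICAL),
          "needs TCP:", needs_tcp(HOST_IP, PTRS_CANONICAL))
    print("41 PTR reply bytes:", ptr_response_size(HOST_IP, PTRS_ALL),
          "needs TCP:", needs_tcp(HOST_IP, PTRS_ALL))
    # Same RRset as a resolver might hand back on a second query (rotated).
    rotated = PTRS_ALL[1:] + PTRS_ALL[:1]
    print("h_name-only ACL, order 1:",
          allowed_by_name(HOST_IP, PTRS_ALL, sample_forward_lookup, ALLOW_LIST, True))
    print("h_name-only ACL, order 2:",
          allowed_by_name(HOST_IP, rotated, sample_forward_lookup, ALLOW_LIST, True))
    print("all-PTR ACL,     order 2:",
          allowed_by_name(HOST_IP, rotated, sample_forward_lookup, ALLOW_LIST, False))
```

With the constructed zone, the single canonical PTR answers in 71 bytes, while the 41-name RRset needs 1342 bytes and so cannot be delivered over classic UDP at all. The h_name-only ACL admits the host when web1.example.net. happens to come first and rejects it when the RRset arrives rotated; only the check over every forward-confirmed name gives a stable answer, which is the maintenance problem Mark points at.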