ietf-asrg

Re: [Asrg] 7. BCP. Proposal... dynamic-address-specific rDNS

2004-05-15 10:54:06
On 2004-05-14 17:24:10 -0700, william(at)elan.net wrote:
> Another option I played around with is here:
> --------------
> $ nslookup -query=ANY -silent 2.192.151.216.in-addr.arpa.
>
> 2.192.151.216.in-addr.arpa      name = unix.elan.net.
> 2.192.151.216.in-addr.arpa      text = "v=spf1 ptr -all"
>
> Name:   2.192.151.216.in-addr.arpa
> Address: 127.0.0.5
> --------------
>
> In this case the TXT and A records are entered directly, in addition to
> the PTR, at the specific IN-ADDR record. The good thing about this is
> that it requires no additional DNS lookups, since a query for the "ANY"
> record will provide all of it, and many mail servers already do a lookup
> on the PTR record of the incoming IP address.

Unfortunately, no. ANY just means "any", not "all". If a DNS cache (at
least bind, but I suspect others work the same) receives a request of
type ANY, it will return the records it has in its cache, if there are
any, and only forward the query if there are no matching records. For
example:

$ dig -x 216.151.192.2
    ;; QUESTION SECTION:
    ;2.192.151.216.in-addr.arpa.    IN      PTR

    ;; ANSWER SECTION:
    2.192.151.216.in-addr.arpa. 86400 IN    PTR     unix.elan.net.

$ dig 2.192.151.216.in-addr.arpa. any
    ;; QUESTION SECTION:
    ;2.192.151.216.in-addr.arpa.    IN      ANY

    ;; ANSWER SECTION:
    2.192.151.216.in-addr.arpa. 86293 IN    PTR     unix.elan.net.

As you can see, only the PTR record is returned.

$ dig 2.192.151.216.in-addr.arpa. a
    ;; QUESTION SECTION:
    ;2.192.151.216.in-addr.arpa.    IN      A

    ;; ANSWER SECTION:
    2.192.151.216.in-addr.arpa. 86400 IN    A       127.0.0.5

When we explicitly ask for the A record, we get it, and

$ dig 2.192.151.216.in-addr.arpa. any
    ;; QUESTION SECTION:
    ;2.192.151.216.in-addr.arpa.    IN      ANY

    ;; ANSWER SECTION:
    2.192.151.216.in-addr.arpa. 85960 IN    A       127.0.0.5
    2.192.151.216.in-addr.arpa. 85837 IN    PTR     unix.elan.net.

Now we get both the A and the PTR record (but still no TXT).

So to be safe you have to make absolutely sure that all clients of your
caching DNS server make only ANY requests (pretty much impossible in the
general case), or explicitly query for every record type you need.

        hp

-- 
   _  | Peter J. Holzer    | I think we need two definitions:
|_|_) | Sysadmin WSR       | 1) The problem the *users* want us to solve
| |   | hjp(_at_)hjp(_dot_)at         | 2) The problem our solution addresses.
__/   | http://www.hjp.at/ |    -- Phillip Hallam-Baker on spam

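The cache behaviour described in the reply above, replayed as an added in-memory model. This is example code written for this page, not code from the thread, from BIND or from any resolver; the zone data is constructed to mirror the records shown in the post, the cache rule ("answer ANY from cache if anything is cached, otherwise forward") is the one the reply attributes to BIND, and the class and function names are invented for the illustration. Nothing is sent on the network.

```python
"""Model of the caching-resolver behaviour described in the post.

Constructed example: the authoritative zone data and the cache are
in-memory dicts; nothing is sent on the network.  The cache follows the
rule the post attributes to BIND: an ANY query is answered from cache
if *any* record for the name is cached, and only forwarded to the
authoritative server when nothing for that name is cached.
"""
from dataclasses import dataclass, field

# Constructed zone data for 2.192.151.216.in-addr.arpa, mirroring the
# PTR, TXT (SPF string) and A records shown in the post.
NAME = "2.192.151.216.in-addr.arpa."
AUTHORITATIVE = {
    NAME: {
        "PTR": ["unix.elan.net."],
        "TXT": ['"v=spf1 ptr -all"'],
        "A": ["127.0.0.5"],
    }
}


def authoritative_lookup(name, qtype):
    """Authoritative server: ANY returns every RRset, otherwise just one type."""
    rrsets = AUTHORITATIVE.get(name, {})
    if qtype == "ANY":
        return {t: list(rrs) for t, rrs in rrsets.items()}
    return {qtype: list(rrsets[qtype])} if qtype in rrsets else {}


@dataclass
class CachingResolver:
    """Hypothetical cache implementing the ANY rule described in the post."""
    cache: dict = field(default_factory=dict)            # name -> {type: [rdata]}
    upstream_queries: list = field(default_factory=list)  # audit trail of forwards

    def query(self, name, qtype):
        cached = self.cache.get(name, {})
        if qtype == "ANY":
            if cached:                      # partial answer, nothing is forwarded
                return {t: list(rrs) for t, rrs in cached.items()}
        elif qtype in cached:
            return {qtype: list(cached[qtype])}
        # Cache miss: forward to the authoritative server and store the answer.
        self.upstream_queries.append((name, qtype))
        answer = authoritative_lookup(name, qtype)
        self.cache.setdefault(name, {}).update(answer)
        return answer


def reproduce_post():
    """Replay the query sequence from the post; return both ANY answers."""
    r = CachingResolver()
    r.query(NAME, "PTR")                 # dig -x 216.151.192.2 (the MTA's usual lookup)
    first_any = r.query(NAME, "ANY")     # served from cache: PTR only
    r.query(NAME, "A")                   # an explicit A query fills the cache
    second_any = r.query(NAME, "ANY")    # now A + PTR, but still no TXT
    return first_any, second_any


def fetch_all_types(resolver, name, types=("PTR", "TXT", "A")):
    """The safe approach from the post: ask explicitly for each type you need."""
    result = {}
    for t in types:
        result.update(resolver.query(name, t))
    return result


def cold_any():
    """ANY against an empty cache is forwarded and does return everything."""
    return CachingResolver().query(NAME, "ANY")


if __name__ == "__main__":
    first, second = reproduce_post()
    print("ANY after PTR lookup:        ", sorted(first))
    print("ANY after explicit A lookup: ", sorted(second))
    print("explicit per-type lookups:   ",
          sorted(fetch_all_types(CachingResolver(), NAME)))
```

`reproduce_post()` yields exactly the progression seen in the dig output: the first ANY returns only the PTR, the second returns A and PTR but never the TXT, because some other client (here, the earlier PTR lookup) has already primed the cache. `fetch_all_types()` is the only path that reliably collects all three RRsets, which is the point of the final paragraph: an MTA that wants the SPF TXT must ask for it by type.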