On Wed, Apr 07, 2004 at 06:41:54PM -0600, Doug Royer wrote:
> The same problem is for static DSL or dial-up IP addresses. How much
> effort will your ISP put into verifying that you have the right to do a
> reverse push of home.example.com? None in most cases. So the reverse DNS
> will not match the forward.

This is a problem of the ISP. This is not an unsolvable problem.
If your ISP doesn't manage revDNS records, get one that does. Problem
solved.

> Co-hosted systems may use their own MTA and DNS. Or your DNS and their
> MTA, or your MTA and their DNS, or some 3rd party MTA or DNS. There is no
> way to control that. The reason people co-host is to co-locate, high
> availability (UPS or whatever) and they are using your IP addresses.

What do I care?
If they use our MTA there is no problem at all, as fwdDNS and revDNS
for mail.space.net match perfectly and I see no reason why they
shouldn't.
If they use their own DNS and their own MTA it's within their own
responsibility to have a correct setup. If they fsck up the A record
for their www entry it is also their problem, not that of anyone else.

We do, and managing revDNS is no problem.

> For co-hosting systems at your site that use their own MTAs? Are they
> correct?

What do I care? The customers tell us what PTR record they want for
IP space owned by them and we add them or delegate the block so they can
manage it on their own. If we add them we take care that they are
syntactically correct; the semantics are up to the customer.

> If you do not know if they are correct, then that is the same problem as
> now, which is they do not match.

Which is a problem of the customer. If he sends us wrong information
it's his problem if things don't work like he expects.

> If they use a DNS server that is not yours, you can not automatically
> check. They could drop host2.example.com and replace it with
> mx2.example.com and you would never know. You would just know that they
> still used that IP.

It is not within the responsibility of the ISP to ensure that it is
correct if it is customer allocated IP space. But the ISP has to provide
the possibility for the customer to have the PTR records they want for
the IP space allocated to them.
And if they want to have mail.example.com they get it and example.com
may sue them if they don't like it.

> Okay there is a tool. What if they do not use it?

It is their problem.

> Are you going to allow your co-hosted systems to do a reverse DNS push
> for a domain they do not own?

Surely. It is their problem.
We also don't check if they put A records to IP addresses they don't own,
as we can't even check it.

> How would you know if they did? When you are co-hosting systems you
> may not know which domains they host or how many virtual systems they
> host.

What exactly is your problem?
The ISP is not the law. Just as registries don't (and don't have to)
check if a domain name is "legal" for the requestor, ISPs don't and
can't check if the contents of an A, MX or PTR record is "legal".
But IMHO ISPs have to set them if the customer that owns the domain or
netblock demands it.

> When an MTA contacts your MTA - how do you know if it is using
> a dynamic or static address? You can not, therefore it is not
> enforceable.

Not for all, but for quite a lot ...
And the idea of the MTAMARK proposal is to provide even more
information.
And if ISPs would name all their dynamic address space in revDNS
starting with dyn- it would be even easier. But now users use DUL DNSBLs
with stale entries, really a big win.
\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"
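The check this exchange keeps circling, whether the PTR for a connecting address names a host whose A record points back at that same address (forward-confirmed reverse DNS), as an added example that is not code from this thread, from SpaceNet or from the MTAMARK proposal. The zone data is constructed in documentation address ranges, every host name is made up, and the list of dynamic-pool prefixes is a hypothetical heuristic that follows the "dyn-" naming suggested above, not any standard.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a connecting MTA.

Added example for this thread, not code from the list, from SpaceNet or
from the MTAMARK proposal. Live DNS lookups are replaced by constructed
zone data in the documentation address ranges so the check runs offline.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed PTR data, keyed by the in-addr.arpa owner name an MTA would
# query for the peer's address. All names are made up.
PTR_RECORDS = {
    "25.2.0.192.in-addr.arpa": ["mail.example.net."],
    "77.2.0.192.in-addr.arpa": ["dyn-192-0-2-77.example.net."],
    "9.100.51.198.in-addr.arpa": ["mx2.example.org."],
    # 203.0.113.4 deliberately has no PTR at all.
}

# Constructed forward (A) data. mx2.example.org points at a different
# address than the PTR that names it: forward and reverse were edited
# independently (the host2 -> mx2 rename from the thread) and no longer match.
A_RECORDS = {
    "mail.example.net.": ["192.0.2.25"],
    "dyn-192-0-2-77.example.net.": ["192.0.2.77"],
    "mx2.example.org.": ["198.51.100.10"],
}

# Hypothetical label prefixes an ISP might use to mark dynamic pools in
# revDNS; a heuristic following the thread's "dyn-" idea, not a standard.
DYNAMIC_PREFIXES = ("dyn-", "dyn.", "dynamic-", "dhcp-", "pool-")


@dataclass
class FcrdnsResult:
    ip: str
    ptr_names: list[str] = field(default_factory=list)
    confirmed_names: list[str] = field(default_factory=list)
    status: str = "no_ptr"          # "pass", "mismatch" or "no_ptr"
    looks_dynamic: bool = False


def lookup_ptr(ip: str, ptr_db=PTR_RECORDS) -> list[str]:
    """Return the PTR targets for ip via its in-addr.arpa / ip6.arpa name."""
    owner = ipaddress.ip_address(ip).reverse_pointer
    return list(ptr_db.get(owner, []))


def lookup_a(name: str, a_db=A_RECORDS) -> list[str]:
    """Return the forward addresses for a name, normalised to FQDN form."""
    fqdn = name if name.endswith(".") else name + "."
    return list(a_db.get(fqdn, []))


def looks_dynamic(name: str) -> bool:
    """Heuristic: does the first label look like an ISP dynamic-pool name?"""
    first_label = name.lower().split(".")[0]
    return first_label.startswith(DYNAMIC_PREFIXES)


def check_fcrdns(ip: str, ptr_db=PTR_RECORDS, a_db=A_RECORDS) -> FcrdnsResult:
    """PTR lookup, then an A lookup of each name; confirmed only if one maps back."""
    result = FcrdnsResult(ip=ip)
    result.ptr_names = lookup_ptr(ip, ptr_db)
    if not result.ptr_names:
        return result                      # status stays "no_ptr"
    # A PTR alone proves nothing: whoever controls the reverse zone can put
    # any name there (the thread's mail.example.com case). Only a name whose
    # forward record resolves back to ip counts as confirmed.
    result.confirmed_names = [
        n for n in result.ptr_names if ip in lookup_a(n, a_db)
    ]
    result.status = "pass" if result.confirmed_names else "mismatch"
    result.looks_dynamic = any(looks_dynamic(n) for n in result.ptr_names)
    return result


def policy_for(result: FcrdnsResult) -> str:
    """Map a check result to an illustrative receiving-MTA decision."""
    if result.status != "pass":
        return "defer"          # temporary rejection; a legitimate MTA retries
    if result.looks_dynamic:
        return "score"          # accept, but let the content filter penalise it
    return "accept"


if __name__ == "__main__":
    for peer in ("192.0.2.25", "192.0.2.77", "198.51.100.9", "203.0.113.4"):
        r = check_fcrdns(peer)
        print(f"{peer:15} {r.status:9} {policy_for(r):7} {r.ptr_names}")
```

The point the example makes concrete is the one the thread argues over: an ISP can only guarantee that the PTR is syntactically valid, so the receiving side has to do the forward lookup itself before trusting the name, and a stale or independently edited forward record shows up as `mismatch` rather than as a pass.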