spf-discuss

Re: Just how many of the boxen really *need* to be in the spf rr

2004-04-01 10:31:34
A bit off-topic, but...

On 1 Apr 2004 at 12:18, Nico Kadel-Garcia wrote:

In theory, an SPF client should verify this with a forward lookup.  If you
have ptr in the SPF record for example.com, and someone tries to send mail
to you from an IP address that claims to be host.example.com, the client
should then look up host.example.com to see if it matches.

PTR does not have to match the primary A record.

There is no such thing as a "primary A record".

For example, I may refer to my domain as www.merl.com, ftp.merl.com,
and "virtualhost.merl.com" with duplicate A records. My PTR can point
to only one of those. How do you resolve this?

But your PTR will point to one of THOSE hostnames, and not to a random
other hostname.

forward:

www.merl.com          137.203.190.5
ftp.merl.com          137.203.190.5
shadow.merl.com       137.203.190.5
virtualhost.merl.com  137.203.190.5

reverse (just one possible):

137.203.190.5         shadow.merl.com

So if someone who controls the reverse DNS for 192.168.0/24 sets up a
record:

192.168.0.10          shadow.merl.com

and tries to connect to a server that checks PTR records, it will fail, since
shadow.merl.com resolves to 137.203.190.5. The PTR check should check if
the IP is in the list of IN A records for the hostname it claims to be.

And when someone makes a mistake in matching PTR to A records, you have to
deal with that robustly.

Also, I believe that misusing PTR records to point to someone else's domain
host is something that the DNS top-level registrars will frown on and act on
quickly, unlike their classically reluctant response to spammers' faked
registration information.

I guess pointing a PTR to someone else's domain fails most of the already
established tests, as long as this other domain doesn't have an A record
pointing to this specific IP. This is a standard way to check PTR
records.

-- 
Ernesto Baschny <ernst(_at_)baschny(_dot_)de>
 http://www.baschny.de - PGP: http://www.baschny.de/pgp.txt
 Sao Paulo/Brasil - Stuttgart/Germany
 Ernst(_at_)IRCnet - ICQ# 2955403
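The check Ernesto describes (believe a PTR name only if that name's A records contain the connecting IP, then see whether any confirmed name falls under the SPF domain) as an added example that is not part of the thread or of any SPF implementation. The zone data is a constructed in-memory table built from the addresses in the messages above, including the forged 192.168.0.10 PTR; the two lookup functions are stand-ins for real DNS queries.

```python
"""Forward-confirmed reverse DNS, as an SPF "ptr" mechanism would apply it.

The resolver tables below are constructed for this example from the
thread's own addresses. To use the logic for real, replace lookup_ptr()
and lookup_a() with actual DNS queries; nothing else needs to change.
"""
from ipaddress import ip_address
from typing import List

# Constructed reverse zone data. The 192.168.0.10 entry is the forged
# PTR that whoever controls that reverse zone has set up; merl.com's
# forward zone never points shadow.merl.com at that address.
PTR_TABLE = {
    "137.203.190.5": ["shadow.merl.com"],
    "192.168.0.10": ["shadow.merl.com"],
}

# Constructed forward zone data: several names share one A record,
# while the reverse zone can name only one of them.
A_TABLE = {
    "www.merl.com": ["137.203.190.5"],
    "ftp.merl.com": ["137.203.190.5"],
    "shadow.merl.com": ["137.203.190.5"],
    "virtualhost.merl.com": ["137.203.190.5"],
}


def _canon(name: str) -> str:
    """Lower-case a hostname and drop a trailing dot for comparison."""
    return name.lower().rstrip(".")


def lookup_ptr(ip: str) -> List[str]:
    """Stand-in for a PTR query against the constructed table."""
    return [_canon(h) for h in PTR_TABLE.get(ip, [])]


def lookup_a(hostname: str) -> List[str]:
    """Stand-in for an A query against the constructed table."""
    return A_TABLE.get(_canon(hostname), [])


def validated_hostnames(ip: str) -> List[str]:
    """Return the PTR names of `ip` whose own A records include `ip`.

    A PTR claim is believed only when the forward zone, which the
    domain owner controls, agrees with it; anything else is discarded.
    """
    ip_obj = ip_address(ip)
    confirmed = []
    for name in lookup_ptr(str(ip_obj)):
        if any(ip_address(a) == ip_obj for a in lookup_a(name)):
            confirmed.append(name)
    return confirmed


def in_domain(hostname: str, domain: str) -> bool:
    """True if hostname equals domain or is a subdomain of it."""
    hostname, domain = _canon(hostname), _canon(domain)
    return hostname == domain or hostname.endswith("." + domain)


def ptr_mechanism_matches(ip: str, domain: str) -> bool:
    """SPF 'ptr:<domain>' semantics: some validated name lies under domain."""
    return any(in_domain(h, domain) for h in validated_hostnames(ip))


if __name__ == "__main__":
    for ip in ("137.203.190.5", "192.168.0.10"):
        print(ip, validated_hostnames(ip), ptr_mechanism_matches(ip, "merl.com"))
```

The legitimate host passes because shadow.merl.com's A record contains 137.203.190.5; the forged PTR for 192.168.0.10 is dropped at the forward-confirmation step, so the mechanism does not match even though the reverse zone names a merl.com host.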