spf-discuss

Re: Just how many of the boxen really *need* to be in the spf rr

2004-04-04 14:29:59
From: "Greg Hewgill" <greg(_at_)hewgill(_dot_)com>
This is a bit off topic, but I've seen multiple PTR records for one IP address, for example 64.251.192.200 has 245 different PTR records. I can't help but think this is violating some established practice somewhere.


--Nico Kadel-Garcia <nkadel(_at_)merl(_dot_)com> wrote:
That's exactly the sort of whackiness I want to avoid. I've seen this done
in some weird ways, such as getting all SSH keys to do their reverse DNS
and come up with the same hostname with the same already-registered keys.
(Yes, this was an insane variant.) I'm extremely reluctant to add a
"reasonable" limitation that will break things in some border cases when
it's really not necessary.

And there are plenty of cases, such as dial-up modem pools and cable-modem
pools, where management of the forward and reverse DNS is quite disjoint
and may be unsynchronized for hours, depending on two different expiration
times. Add in the old Windows 24-hour timeout on cached DNS information
that drives web-hosting companies *insane* when relocating their services
dynamically, and asking for a matching reverse PTR quickly becomes
unreasonable.


Hi Nico,

I have forgotten some of the previous context a bit... enough so that I'm a bit confused about what you're saying. You seem to be saying "someone who has 245 PTR records for the same IP is doing something silly and this may not work all the time". Which I would agree with.

I think it's safe to say that there are some situations where the ptr: mechanism might not work for some people. If they have lots of PTRs for the same IP, hopefully some of those match the desired hostname and can be forward-resolved to match the A record, but there may be some limitation in the SPF checker or in DNS (like, too many answers, fall back to the TCP method, but TCP DNS is blocked by a firewall). And, you point out cases where the rDNS is managed by someone else and can be skewed from the forward DNS.

The most we can say in cases like this is, we hope that one of the other mechanisms will work better for those people. For example, if their netblock is smaller than /24, their ISP may not give them control over the DNS because it's a hassle for them to set up CNAMEs and additional delegations... but maybe for a small block ip4: would work better anyway.

ptr: is great for larger installations where there are lots of IP ranges and they would rather trust their rDNS than list all ranges by number. One other factor also works in our favor: usually the "large number of PTR records" syndrome affects web servers and doesn't affect mail servers quite so much. But, it's something to watch out for. And I understand the point about dialup/dsl/small netblocks... it's probably a good reason for folks to use ptr: and ip4: together as a belt-and-suspenders approach.

gregc

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
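An added example, not part of the list post above, showing how a checker evaluates the ptr: mechanism and why the "belt-and-suspenders" ptr: plus ip4: record Greg suggests helps. The zone data is constructed and served from an in-memory dictionary instead of real DNS; the domains (example.com, hosting.example.net) and addresses (192.0.2.x) are documentation values. The cap of examining only the first 10 PTR names is not in the 2004 discussion; it is the limit the later SPF specifications (RFC 4408, RFC 7208) imposed, and it is included here because it is exactly what turns the "245 PTR records" case into a non-match.

```python
"""Offline evaluation of the SPF ptr: and ip4: mechanisms against constructed zone data."""
import ipaddress


class DnsError(Exception):
    """Stands in for a failed lookup (timeout, oversized answer with TCP fallback blocked...)."""


def reverse_name(ip):
    # "192.0.2.10" -> "10.2.0.192.in-addr.arpa."
    return ipaddress.ip_address(ip).reverse_pointer + "."


def build_zone():
    """Constructed forward and reverse data; not real DNS."""
    zone = {}
    # Case 1: a normal mail host whose forward and reverse records agree.
    zone[("PTR", reverse_name("192.0.2.10"))] = ["mail.example.com."]
    zone[("A", "mail.example.com.")] = ["192.0.2.10"]
    # Case 2: a shared web host with 245 PTR names; the mail name is buried last.
    vhosts = ["vhost%03d.hosting.example.net." % i for i in range(244)]
    zone[("PTR", reverse_name("192.0.2.20"))] = vhosts + ["mail2.example.com."]
    for name in vhosts + ["mail2.example.com."]:
        zone[("A", name)] = ["192.0.2.20"]
    # Case 3: ISP-managed reverse zone that is out of sync with the forward zone.
    zone[("PTR", reverse_name("192.0.2.30"))] = ["relay.example.com."]
    zone[("A", "relay.example.com.")] = ["192.0.2.31"]  # stale forward record
    return zone


ZONE = build_zone()
# Reverse lookups for this address fail outright (constructed failure case).
BROKEN_REVERSE = {reverse_name("192.0.2.40")}


def lookup(rrtype, name):
    if rrtype == "PTR" and name in BROKEN_REVERSE:
        raise DnsError("lookup failed for %s" % name)
    return ZONE.get((rrtype, name), [])


def ptr_matches(ip, domain, max_ptr=10):
    """ptr:<domain>: reverse-map ip, forward-validate each name, require it to be in <domain>.

    Returns the validated hostname, or None. A failed reverse lookup is "no match",
    not an error. max_ptr=10 reflects the limit RFC 4408/7208 later placed on the
    number of PTR names examined (assumption for this example, not in the 2004 text).
    """
    try:
        names = lookup("PTR", reverse_name(ip))
    except DnsError:
        return None
    domain = domain.rstrip(".").lower()
    for name in names[:max_ptr]:
        if ip not in lookup("A", name):  # forward record must point back at ip
            continue
        host = name.rstrip(".").lower()
        if host == domain or host.endswith("." + domain):
            return host
    return None


def ip4_matches(ip, network):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_host(ip, mechanisms):
    """Walk a minimal list of ptr:/ip4: mechanisms left to right and return the first
    one that matches, or None (a full checker would then apply the record's 'all')."""
    for mech in mechanisms:
        kind, _, arg = mech.partition(":")
        if kind == "ptr" and ptr_matches(ip, arg):
            return mech
        if kind == "ip4" and ip4_matches(ip, arg):
            return mech
    return None


# Belt and suspenders: trust rDNS where it works, list the block by number as well.
RECORD = ["ptr:example.com", "ip4:192.0.2.0/26"]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "198.51.100.5"):
        print(ip, "ptr only:", ptr_matches(ip, "example.com"), "record:", check_host(ip, RECORD))
```

Running it shows the three failure modes from the thread side by side: the host with 245 PTR names never matches ptr: because the checker stops after ten names from the wrong domain, the skewed ISP reverse zone fails forward validation, and the broken reverse lookup simply yields no match. In all three cases the ip4: mechanism still matches, which is the argument for using both.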