David Woodhouse wrote:
On Tue, 2004-04-06 at 15:17 -0400, Mark Jeftovic wrote:
> > I would expect ptr:opensrs.net to MATCH on 216.40.33.45, wouldn't
> > it?
> It shouldn't, should it? Because opensrs.net has no A record containing
> the IPv4 address 216.40.33.45.
That isn't what ptr: means. ptr means that a validated PTR record
(using the process you describe below -- and described in the spec)
merely ends with the argument. So opensrs.net or *.opensrs.net would
match. Note the only tricky aspect is that badopensrs.net should _not_
match. But that semantic definition of "ends with" is detailed in the
last paragraph of 4.6 too.
From the spec (4.6):
First the <sending-host>'s name is looked up using this procedure:
perform a PTR lookup against the <sending-host>'s IP. For each
record returned, validate the host name by looking up its IP address.
If the <sending-host>'s IP is among the returned IP addresses, then
that host name is validated. In pseudocode:
[code]
Check all validated hostnames to see if they end in the <target-name>
domain. If any do, this mechanism matches. If no validated hostname
can be found, or if none of the validated hostnames end in the
<target-name>, this mechanism fails to match.
[code]
This mechanism matches if the <target-name> is an ancestor of the
<sending-host>, or if the <target-name> and the <sending-host> are
the same. For example: "mail.example.com" is within the domain
"example.com", but "mail.bad-example.com" is not. If a validated
hostname is the <target-name>, a match results.
> _Anyone_ could set their own PTR records to whatever text they like, in
> anyone else's domain. It's only trustworthy if there's a corresponding A
> or AAAA record pointing back to the same IP address you started with.
--
// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// Postal Engine -- http://www.postalengine.com/
// Ecelerity: fastest MTA on Earth
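The ptr: procedure quoted from section 4.6 above (PTR lookup, forward validation, then the label-boundary "ends with" test), as an added Python example that is not part of the thread or the spec. The DNS data is a constructed in-memory stand-in for real lookups; the 192.0.2.x and 2001:db8:: addresses are documentation ranges, not real hosts.

```python
import ipaddress
from typing import Dict, List

# Constructed stand-in for DNS (not real records). PTR names keyed by the
# sending host's IP, forward A/AAAA records keyed by host name.
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.com."],      # forward record points back: valid
    "192.0.2.20": ["mail.bad-example.com."],  # shares a suffix, different domain
    "192.0.2.30": ["relay.example.com."],     # PTR claims example.com, forward disagrees
    "192.0.2.40": ["example.com."],           # PTR is exactly the target name
    "2001:db8::5": ["mx6.example.com."],      # AAAA case
}
FORWARD_RECORDS: Dict[str, List[str]] = {
    "mail.example.com.": ["192.0.2.10"],
    "mail.bad-example.com.": ["192.0.2.20"],
    "relay.example.com.": ["198.51.100.7"],   # does not include 192.0.2.30
    "example.com.": ["192.0.2.40"],
    "mx6.example.com.": ["2001:db8::5"],
}


def _canon(name: str) -> str:
    """Lower-case, single trailing dot, so comparisons are label-exact."""
    return name.lower().rstrip(".") + "."


def validated_hostnames(ip: str) -> List[str]:
    """PTR lookup, keeping only names whose forward A/AAAA lookup contains
    the original IP. An unvalidated PTR is just text anyone can publish."""
    addr = ipaddress.ip_address(ip)
    valid = []
    for name in PTR_RECORDS.get(str(addr), []):
        forward = {ipaddress.ip_address(a) for a in FORWARD_RECORDS.get(_canon(name), [])}
        if addr in forward:
            valid.append(_canon(name))
    return valid


def ends_in_domain(host: str, target: str) -> bool:
    """'Ends with' on a label boundary: target is the host itself or an
    ancestor, so mail.bad-example.com is not within example.com."""
    host, target = _canon(host), _canon(target)
    return host == target or host.endswith("." + target)


def ptr_matches(ip: str, target: str) -> bool:
    """Evaluate ptr:<target> for a sending host: match if any validated
    hostname ends in <target-name>; otherwise the mechanism fails to match."""
    return any(ends_in_domain(h, target) for h in validated_hostnames(ip))
```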