spf-discuss

Re: PTR lookups in SPF (was: SPF is not usable as legal measure against spammers.)

2004-07-17 05:41:40
On Sat, 2004-07-17 at 13:31, Andriy G. Tereshchenko wrote:
This is no problem I think, if you do a PTR lookup for the IP, take the first
response and do an A lookup on that, you still get the original IP back,
don't you? So no problem there. If you do get another IP, something is
wrong with the DNS setup, right?

What is the reason to do PTR lookups in SPF?

What benefits does it provide to us? We no longer use rlogin, rsh-like auth with
/etc/hosts.equiv and .rhosts.

I use a ptr mechanism in the SPF record for my own domain because that's
the simplest and easiest way of expressing my policy.

I would not use it if there was no requirement for the forward lookup of
the PTR record to resolve back to the original IP address, since that
would make spoofing far too easy (and is what leads to sendmail's "may
be forged" diagnostic in Received: headers it adds for connections from
such IPs).

I would also not use it in the case where I didn't have my mail server's
reverse DNS set up to point to a hostname in my own domain.

So for all those people that have ISP-generated generic rDNS, broken
rDNS that doesn't resolve at all, undelegated rDNS, multiple PTR records
pointing to names with multiple A records (why!?), the answer is simple:
don't use the ptr mechanism in your own SPF records. But please leave it
in for those of us that are able to use it!

Paul.
-- 
Paul Howarth <paul(_at_)city-fan(_dot_)org>
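As an added illustration of the forward-confirmation requirement discussed in this thread (this is example code, not part of the original post or of any SPF implementation), the function below evaluates an SPF "ptr" mechanism the way RFC 4408 describes it: every PTR name for the connecting IP is looked up forward, a name counts as validated only if one of its A records is that same IP, and the mechanism matches only if a validated name is in (or under) the record's domain. The DNS tables are constructed stand-ins using documentation addresses and example.org, so the code runs offline; the second entry shows why skipping the forward lookup would let any host claim any name simply by controlling its own reverse zone.

```python
# Constructed toy DNS data (not real records) modelling four sending IPs:
#   .10  rDNS and forward DNS agree and the name is in our domain
#   .20  PTR claims a name in our domain, but that name does not point back
#   .30  two PTRs; the one that forward-confirms is in someone else's domain
#   .40  no reverse DNS at all (e.g. undelegated rDNS)
PTR_RECORDS = {
    "192.0.2.10": ["mail.example.org"],
    "192.0.2.20": ["mail.example.org"],
    "192.0.2.30": ["mail.example.org", "host.other.example"],
}
A_RECORDS = {
    "mail.example.org": ["192.0.2.10"],
    "host.other.example": ["192.0.2.30"],
}

# RFC 4408 caps the number of PTR names that are validated per lookup.
MAX_PTR_NAMES = 10


def name_in_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it (case-insensitive)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def validated_ptr_names(ip: str, forward_confirm: bool = True) -> list[str]:
    """Return the PTR names for ip that pass forward confirmation.

    With forward_confirm=False every PTR name is accepted unchecked, which is
    the weak behaviour the thread warns about: the owner of the reverse zone
    could then assert any hostname they like.
    """
    names = PTR_RECORDS.get(ip, [])[:MAX_PTR_NAMES]
    if not forward_confirm:
        return list(names)
    # A name is validated only if its forward (A) lookup yields the original IP.
    return [n for n in names if ip in A_RECORDS.get(n, [])]


def ptr_mechanism_matches(ip: str, domain: str, forward_confirm: bool = True) -> bool:
    """Evaluate an SPF 'ptr:<domain>' mechanism for the connecting IP."""
    return any(name_in_domain(n, domain) for n in validated_ptr_names(ip, forward_confirm))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, "unchecked:", ptr_mechanism_matches(ip, "example.org", forward_confirm=False),
              "forward-confirmed:", ptr_mechanism_matches(ip, "example.org"))
```

Only 192.0.2.10 matches once forward confirmation is applied; 192.0.2.20 matches without it, which is exactly the spoofing case the thread says the forward lookup exists to prevent, and 192.0.2.30 shows that a forward-confirmed name still has to be within the record's domain.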