spf-discuss

RE: [spf-discuss] Question on a unified policy record approach

2005-09-07 07:08:46
From: paddy [mailto:paddy(_at_)panici(_dot_)net]
Sent: Wednesday, September 07, 2005 4:12 AM

<...>

> Obviously I have little experience to go on, but if I control a static ip
> address I want a PTR, even if in the worst case it wasn't one that I chose
> (not that it's ever come to that).

So does everyone, but that is simply not available in many places.  This is
particularly true in countries without a well-developed internet
infrastructure, but it is also widely true in the U.S. if you don't live in
a large city.  Within the U.S., if you own a class C netblock or larger, you
can generally expect control of the reverse DNS.  For less than a class C,
even though there is an RFC specifically showing netblock owners how to
delegate small blocks to the customer, most are either unwilling to do this
or ignorant of the methods.



> I realise that parts of the rDNS network are apparently broken,
> and I suppose there must be providers who are just plain
> uncooperative, and I realise that sometimes there is simply not
> a choice of provider.

It's not that the rDNS network is broken, it's that netblock owners are
often unwilling/unable to deal with their customers' legitimate requests to
set up proper reverse DNS.  Since in many areas local connectivity is a
monopoly, you often have no choice and therefore no ability to control your
rDNS.  Your only other options are to buy dedicated lines for connectivity
or co-locate a server in a remote data center.  Both of these are
financially out of reach for many networks.



> Is there something about the scenario you describe that naturally leads to
> the A record owner not having PTR control, or is it more this kind of
> broken system/unfriendly provider issue?

It is inherent in the system design.  The A record goes with the domain
name.  When you register a domain, you get control of the forward DNS for
that domain.  This includes all the subdomains you declare, the addresses of
your nameservers, the addresses of all MX's, the addresses for any
individual hosts that you wish to publish, aliases for names within your
domain and of course TXT records, which allows you to publish SPF policy.
You have your choice of registrars all over the world for domain names, no
matter where your network physically resides.  It is very competitive so
most registrars have adequate forward DNS support.

OTOH, the reverse DNS is controlled by whoever owns the netblock, which is
normally not the domain owner for small networks.  The netblocks are owned
by local connectivity providers, and that is far less competitive.  In many
areas, there is only one connectivity provider.  If the provider is both
technically competent and willing to satisfy their customers' needs, they
can delegate the reverse DNS for your range of IP's over to you.  That is
the experience you described, where controlling the reverse DNS is as easy
as the forward DNS.  After all, it is just a zone file.  Another workable
option is for the provider to retain control of the reverse DNS but to set
the zone file per your request.  However, most providers simply don't
provide either option to customers, particularly for address ranges smaller
than a class C.

The root problem that drives this is who owns the "last mile" of wiring to
the network premises.  Unless you have your own T1 or other dedicated data
line from a company that you selected and brought in the line for you (at
your expense), small networks generally have to get connectivity via DSL
over local telephone lines or via cable modem from the local cable network.
There is often a local monopoly for both of these in a given geographic
area.



> Are you perhaps talking about the kind of asymmetric setup where I have a
> domain delegated directly to me and I (perhaps even) host the A records,
> so I 'directly' control those, but I have to ask my provider to
> change the PTR for me (and thus don't have 'direct' control)?

Exactly.  They must either change it for you or delegate the rights to
change it over to you.

--

Seth Goodman

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
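The two mechanics the thread turns on, shown as an added example that is not code from the list or from either poster: the classless in-addr.arpa delegation (the RFC 2317 method Seth alludes to) a netblock owner publishes to hand reverse DNS for a block smaller than a class C to the customer, and the forward-confirmed rDNS check a receiver runs, which is why a PTR you do not control matters. The record set, nameserver and host names are constructed placeholders.

```python
import ipaddress

# Added example, not code from the thread. RFC 2317 names the child zone
# "<first>-<last>.<o3>.<o2>.<o1>.in-addr.arpa" and points each PTR name at it
# with a CNAME; the parent (netblock owner) keeps its /24 zone and adds these.
def classless_delegation(cidr, customer_ns):
    """Return (parent_zone, records, child_zone) for an IPv4 block of /25 to /32."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen < 25:
        raise ValueError("classless delegation is for IPv4 blocks smaller than a /24")
    o1, o2, o3, first = str(net.network_address).split(".")
    last = str(net.broadcast_address).split(".")[3]
    parent_zone = f"{o3}.{o2}.{o1}.in-addr.arpa."
    child_zone = f"{first}-{last}.{parent_zone}"
    # NS records delegate the child zone to the customer's own nameservers
    records = [f"{child_zone} IN NS {ns}" for ns in customer_ns]
    # one CNAME per address sends the natural PTR name into the delegated zone
    for addr in net:
        host = str(addr).split(".")[3]
        records.append(f"{host}.{parent_zone} IN CNAME {host}.{child_zone}")
    return parent_zone, records, child_zone


# Constructed record set: forward DNS belongs to the domain owner, reverse DNS is
# whatever the netblock owner published (a generic provider name for 192.0.2.18).
PTR = {"192.0.2.17": ["mail.example.net."],
       "192.0.2.18": ["dsl-18.provider.example."]}
A = {"mail.example.net.": ["192.0.2.17"],
     "dsl-18.provider.example.": ["192.0.2.18"]}


def fcrdns_ok(ip, ptr=PTR, a=A):
    """Forward-confirmed rDNS: some PTR name for ip must have an A record back to ip."""
    return any(ip in a.get(name, []) for name in ptr.get(ip, []))


def ptr_matches_claim(ip, claimed_name, ptr=PTR, a=A):
    """Stricter check: the PTR must name the host the sender claims and confirm forward."""
    return claimed_name in ptr.get(ip, []) and ip in a.get(claimed_name, [])


if __name__ == "__main__":
    parent, recs, child = classless_delegation("192.0.2.16/28", ["ns1.example.net."])
    print("\n".join(recs))
    # 192.0.2.18 passes the loose check on the provider's generic name but fails
    # the strict one, which is the position of a mail host without PTR control
    print(fcrdns_ok("192.0.2.18"), ptr_matches_claim("192.0.2.18", "mail.example.net."))
```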
