On Tue, 2003-12-30 at 21:16, Greg A. Woods wrote:
> [ On Tuesday, December 30, 2003 at 10:08:44 (-0800), Jeff Lasman wrote: ]
> > Subject: Re: [Exim] Inbound Hosts without valid rDNS
> >
> > > > I am not
> > > > saying that the hostname of the server has to be this same DNS
> > > > name. I'm only saying:
> > > > 1.2.3.4 -> blah.dom
> > > > blah.dom -> 1.2.3.4
> > > >
> > > > and the mail server could be using mail.someotherdomain.lan with ip
> > > > 1.2.3.4
> >
> > This is NOT broken reverse DNS.
>
> Yes, actually, it is.
there is too little information to tell. let's assume:
$ORIGIN dom.
@ MX 10 mail.someotherdomain.lan.
blah A 1.2.3.4
$ORIGIN in-addr.arpa.
4.3.2.1 PTR blah.dom.
I also assume that lan is a domain known by the root DNS servers. now,
there are two ways of setting up the rest. this is correct:
mail.someotherdomain.lan. A 1.2.3.4
this is incorrect:
mail.someotherdomain.lan. CNAME blah.dom
the reason for that is: an MX can not point to a CNAME.
in order to verify that a hostname and an IP address match, you need to
do reverse lookup on the IP, do forward lookup on the name from that
reverse lookup. then you need to do forward lookup of the hostname.
either of those forward lookups may return more than one address. if
the intersection of the two address lists is non-empty, you have a
match.
frankly, I think using multiple PTR records just complicates matters,
but feel free to use them if you like.
> (SSL is about the only protocol that needs a unique IP per server,
> and even the requirement for it will eventually disappear)
using subjectAltNames, an X.509 extension, you don't need one IP per
name (but you still need one IP per certificate). unfortunately,
VeriSign or Thawte won't sign certificates with that extension. anyone
know of a CA which does?
--
Kjetil T.
