[ On Wednesday, December 31, 2003 at 08:20:04 (+0100), Kjetil Torgrim Homme wrote: ]
> Subject: Re: [Exim] Inbound Hosts without valid rDNS
>
> On Tue, 2003-12-30 at 21:16, Greg A. Woods wrote:
> > [ On Tuesday, December 30, 2003 at 10:08:44 (-0800), Jeff Lasman wrote: ]
> > > Subject: Re: [Exim] Inbound Hosts without valid rDNS
> > >
> > > > > I am not
> > > > > saying that the hostname of the server has to be this same DNS
> > > > > name. I'm only saying:
> > > > > 1.2.3.4 -> blah.dom
> > > > > blah.dom -> 1.2.3.4
> > > > >
> > > > > and the mail server could be using mail.someotherdomain.lan with ip
> > > > > 1.2.3.4
> > >
> > > This is NOT broken reverse DNS.
> >
> > Yes, actually, it is.
>
> there is too little information to tell.
True, there is too little information above to tell if the reverse DNS
in that example is broken.
However in the discussion leading up to this point it was reasonably
clear that in the example as originally given there was only one PTR in
place for that address, and thus as described the example demonstrates
"broken" (incomplete) reverse DNS quite clearly.
> frankly, I think using multiple PTR records just complicates matters,
Frankly I think you're missing out on a major feature of the design of
the reverse DNS, and indeed you're ignoring in part a fundamental
feature of the DNS as a whole. :-)
What's truly _complicated_ is incomplete (or incorrect, or invalid)
reverse DNS. When such a mess is encountered one cannot knowing whether
a name really "belongs to" and address, or vice versa.
If you're going to use multiple hostnames for a single address for some
bizzare (and likely unnecessary) reason, and if you're going to publish
any reverse DNS for that address at all, then you really, Really, REALLY
_should_ do your damndest to publish complete, correct, and of course
valid, PTRs giving each and every one of those hostnames. Not doing so
can only result, at best, in confusing everyone not familiar with your
internal insanity. Remember the _public_ DNS is your forum to publish
information showing how you want others to perceive what you make
visible of your hosts and your network. If you want them to perceive
that your network is a cluttered and poorly documented mess then by all
means you're free to "break" your reverse DNS (or leave it broken, as
the case may be).
Keep in mind though that there are both practical and theoretical limits
to the number of A and PTR records that can be given the same domain
name. The vast majority of DNS resolver implemenations in use today
only allow at most 35 A or PTR records in a given set, even if/when the
use of TCP for over-sized responses works 100% correctly (i.e. even when
some overly paranoid and utterly ignorant security officer hasn't
blocked TCP port 53 or some such similarly stupid thing). Even ignoring
implementation limits, the DNS protocol itself is defined to only allow
for a maximum "packet" (response in wire format) size of 65,534 bytes.
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@???>
Planix, Inc. <woods@???> Secrets of the Weird <woods@???>