[dns-operations] Trustworthiness of PTR record targets

George Michaelson ggm at apnic.net
Tue Mar 4 10:28:18 UTC 2014


PTR records can exist in any zone. They matter when they lie under
in-addr.arpa and ip6.arpa because gethostbyaddr() roots queries in that
name path. But, lets be clear, you can jam a PTR into any place you like.
its just an RR.

under .ARPA, The zones which administer PTR records are strongly aligned by
dot-breaks in IPv4 and IPv6 to octet and nibble boundaries. the actual
zone-cut point varies, but they have a strong alignment which is
neccessarily constrained to the octet/nibble boundaries. IN Ipv4 its /8
aligned, in IPv6 its a mix of older /24 and /12 delegations to the RIR.

For those levels delegated by IANA to the RIR, the boundaries are well
understood and the DNSSEC signatures over the delegations understood.

If you go one level lower, the dot enforced boundaries vest into the
address holder, and again, DNSSEC could make a strong trust over that
binding. /16 and /24 delegations are put directly into each /8 zonefile,
but no /24 should be there, if the parent /16 exists. And likewise in IPv6.
We (the RIR) try very hard not to admit delegations which 'reach over' the
holder at a higher level.

But once you get deeper, we've lost a sense of public review and public
administration: its a single locus of control inside an address holding
entity, and how accurately they track the specific PTR binding is unclear,
and unspecified. There is no control. A bad actor can say that any given IP
address binds to any name. Its not constrained.


On Tue, Mar 4, 2014 at 10:20 AM, Jim Reid <jim at rfc1035.com> wrote:

> On 3 Mar 2014, at 17:26, Stephen Malone <Stephen.Malone at microsoft.com>
> wrote:
>
> > 1.       In general, can I trust PTR records? Is ownership of the target
> domain validated at setup time by ISPs, and if yes, how is this done?
>
> Define what you mean by "trust" and "validate". For bonus points, define
> "ownership".
>
> > 2.       If ownership of PTR targets is not routinely validated, is
> there a risk that the target domain could be blacklisted by anti-spam
> providers?
>
> Again, please define "validate".
>
> AFAICT organisations like Spamhaus don't care about PTR records at all.
> Addresses get blacklisted because they send spam or are open mail relays or
> are known to be in prefixes used for residential customers or.... Whatever
> names may be associated with those addresses are unlikely to matter,
> regardless of what validation is done or not done.
>
> If you want to know what anti-spam organisations do with PTR records, I
> suggest you ask them directly.
>
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20140304/f7cc5da7/attachment.html>


More information about the dns-operations mailing list