[dns-operations] Trustworthiness of PTR record targets

Peter Koch pk at DENIC.DE
Tue Mar 4 11:24:13 UTC 2014


On Mon, Mar 03, 2014 at 05:26:54PM +0000, Stephen Malone wrote:

> 1. In general, can I trust PTR records? Is ownership of the target domain validated at setup time by ISPs, and if yes, how is this done?

the presence and content of a PTR RR is solely controlled by whoever
controls the content of the DNS reverse mapping zone (assuming we're
talking about PTR use for mapping v4 or v6 addresses to some hostname).
That may or may not be an ISP, enterprise, end user.
The DNS itself does not provide a consistency check, therefore the PTR
RR may point anywhere, including non-existing names, and in no way
can you assume that the name pointed to has an A or AAAA RR attached
to it that would refer to the "address" you started at.

> 2. If ownership of PTR targets is not routinely validated, is there a risk that the target domain could be blacklisted by anti-spam providers?

Since "anti-spam provider" is not a vetted denomination, and one way or another
some of "them" have done interesting things in the past, there's always a risk.
If you mean that the target of the PTR RR (or, more precisely, the organisation
in control of the target name) runs the risk of being shunned just for the presence
of their name in a PTR RR - you never know.

One practice is to treat the PTR RR as an indication and then do a cross check.
That fails often enough in otherwise benign situations, so the failure case
is again only remotely indicative of trouble.  You'll find people who violently
oppose the "use" of DNS reverse mapping as well as advocates in the other direction -
to the extent that last time we tried to distill guidance into an RFC in the IETF, we
failed miserably.

DNSSEC does in NO way change that game, btw.

-Peter
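The cross check Peter describes (treat the PTR as an indication only, then confirm it against the target name's A/AAAA records) as an added Python example that is not part of the original post; the zone contents are constructed from documentation prefixes and the two lookup functions are stubs standing in for a real resolver. A PTR whose target does not exist, or whose forward records do not include the starting address, is reported as unconfirmed rather than trusted.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str], List[str]]  # owner name -> RDATA strings ([] if no RRset)

# Constructed toy zone contents (documentation prefixes; not real records).
_PTR_BY_IP: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net."],      # forward record agrees
    "192.0.2.20": ["www.victim.example."],    # forward record points elsewhere
    "192.0.2.30": ["nonexistent.invalid."],   # PTR target has no A/AAAA at all
    "2001:db8::1": ["host6.example.net."],    # consistent IPv6 case
}
# Key the reverse zone by the in-addr.arpa / ip6.arpa owner name, as a resolver would.
FAKE_PTR = {ipaddress.ip_address(ip).reverse_pointer + ".": names
            for ip, names in _PTR_BY_IP.items()}
FAKE_ADDR: Dict[str, List[str]] = {
    "mail.example.net.": ["192.0.2.10", "192.0.2.11"],
    "www.victim.example.": ["198.51.100.5"],
    "host6.example.net.": ["2001:db8::1"],
}

def fake_ptr_lookup(name: str) -> List[str]:
    return FAKE_PTR.get(name, [])

def fake_addr_lookup(name: str) -> List[str]:
    return FAKE_ADDR.get(name, [])

def fcrdns(ip: str, ptr_lookup: Lookup = fake_ptr_lookup,
           addr_lookup: Lookup = fake_addr_lookup) -> Tuple[str, List[str]]:
    """Forward-confirmed reverse DNS check.

    Returns (status, confirmed_names); status is 'no_ptr', 'unconfirmed'
    or 'confirmed'.  Only names whose A/AAAA set contains `ip` are confirmed.
    """
    addr = ipaddress.ip_address(ip)
    targets = ptr_lookup(addr.reverse_pointer + ".")
    if not targets:
        return "no_ptr", []
    confirmed = []
    for name in targets:
        # Compare parsed addresses so abbreviated and full IPv6 forms agree.
        forward = {ipaddress.ip_address(a) for a in addr_lookup(name)}
        if addr in forward:
            confirmed.append(name)
    return ("confirmed" if confirmed else "unconfirmed"), confirmed

if __name__ == "__main__":
    for ip in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "2001:db8::1"]:
        print(ip, *fcrdns(ip))
```

As the post notes, an unconfirmed result is only weakly indicative: plenty of benign hosts fail this check, so it belongs in a scoring decision, not a hard reject.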


