[dns-operations] Trustworthiness of PTR record targets
Paul Vixie
paul at redbarn.org
Tue Mar 4 19:58:57 UTC 2014
Doug Barton wrote:
> ... However, in general:
>
> 1. Anyone can put anything in a PTR record. There is no safe
> assumption that the content is accurate.
s/anyone/the owner of the netblock/
implication: you can trust that an IN-ADDR.ARPA or IP6.ARPA PTR reflects
the will of the netblock owner, though "trust" is a continuum not an
absolute -- you'd be unwise to trust large sums of money to a DNS
assertion unless it's also covered by valid DNSSEC signatures.
> 2. In my experience (which is not thorough, but also not zero)
> anti-spam folks are completely uninterested in what's in the PTR, and
> generally do not do any blacklisting by domain name in the sense you
> seem to mean.
this is just wrong. many of us use PTR patterns to decide whether to
ignore the PTR because it was machine-generated, and/or treat it as
"dynamic" or "dialup". several anti-spam initiatives use PTR content to
populate blackhole lists or other rejection filters. because of the
practice of rejecting some connections if there is no PTR, it is now
common practice to create low-information-content (low-value) PTR's
which are themselves a signal of likely wrongdoing.
vixie
More information about the dns-operations
mailing list