[dns-operations] Trustworthiness of PTR record targets

Doug Barton dougb at dougbarton.us
Tue Mar 4 23:33:41 UTC 2014

On 03/04/2014 11:58 AM, Paul Vixie wrote:
> Doug Barton wrote:
>> ... However, in general:
>> 1. Anyone can put anything in a PTR record. There is no safe
>> assumption that the content is accurate.
> s/anyone/the owner of the netblock/

Well, if you're really going to get that specific, it's "The operator of 
the name server(s) to which the specific reverse zone in question is 
delegated" which may or may not be the same thing. But seriously folks, 
I thought that went without saying. :)

>> 2. In my experience (which is not thorough, but also not zero)
>> anti-spam folks are completely uninterested in what's in the PTR, and
>> generally do not do any blacklisting by domain name in the sense you
>> seem to mean.
> this is just wrong. many of us use PTR patterns to decide whether to
> ignore the PTR because it was machine-generated, and/or treat it as
> "dynamic" or "dialup".

I've already addressed this in a previous response, but I think you're 
answering something that the OP didn't ask. (Or, I misunderstood the 
OP's question, which is entirely possible.)

I took the OP's question to be, "If example.com is listed in a PTR 
returned by a lookup for an address that sent spam, will organizations 
like Spamhaus use that as evidence to blacklist example.com?" If that is 
actually the question, I am pretty sure the answer is no, they won't.

> several anti-spam initiatives use PTR content to
> populate blackhole lists or other rejection filters. because of the
> practice of rejecting some connections if there is no PTR, it is now
> common practice to create low-information-content (low-value) PTR's
> which are themselves a signal of likely wrongdoing.

Of course, but what you're referring to is the practice of checking 
whether the PTR matches the forward for a given address and using that 
as input into the reputation process (as Jothan referred to in an 
earlier message). Again, I don't _think_ that's what the OP is asking.

What I tried to suggest, ever so humbly, in my original response was 
that we're all just wasting our time here guessing (and/or ignoring) 
what the OP actually wanted to know. Maybe it would be worthwhile to put 
a hold on the thread until he responds?
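
The two PTR checks mentioned in this message (whether the PTR matches the forward for an address, and whether the PTR name looks machine-generated), as an added illustration that is not part of the original post. The lookup tables, the addresses and names in them, the result labels and the keyword list are constructed assumptions, and the sketch handles IPv4 only.

```python
import ipaddress
import re

# Constructed sample data (documentation address ranges, example domains).
# Reverse side: written by whoever operates the delegated reverse zone.
PTR = {
    "192.0.2.10": ["mail.example.com."],
    "192.0.2.66": ["mail.example.com."],  # unrelated host claiming the same name
    "198.51.100.77": ["host-198-51-100-77.dyn.example.net."],
    "203.0.113.5": [],                    # no PTR published
}
# Forward side: written by whoever operates the named zone.
FWD = {
    "mail.example.com.": ["192.0.2.10"],
    "host-198-51-100-77.dyn.example.net.": ["198.51.100.77"],
}

# Illustrative keyword list (an assumption), not any blocklist's actual rules.
POOL_WORDS = re.compile(r"(^|[.-])(dyn|dynamic|dialup|pool|dhcp)([.-]|\d)")

def looks_generated(name, ip):
    """True if the name embeds every octet of the address or a pool keyword."""
    digits = re.findall(r"\d+", name)
    embeds_address = all(octet in digits for octet in ip.split("."))
    return embeds_address or POOL_WORDS.search(name) is not None

def classify(ip, ptr_lookup, fwd_lookup):
    """Return (verdict, name). The PTR name is only a claim until the
    forward zone for that name lists the same address."""
    ip = str(ipaddress.ip_address(ip))
    names = [n.lower() for n in ptr_lookup(ip)]
    if not names:
        return "no-ptr", None
    for name in names:
        forward = {str(ipaddress.ip_address(a)) for a in fwd_lookup(name)}
        if ip in forward:
            verdict = "confirmed-generic" if looks_generated(name, ip) else "confirmed"
            return verdict, name
    # The reverse zone says so, the forward zone does not agree.
    return "unconfirmed", names[0]

def check(ip):
    """Run classify() against the constructed tables above."""
    return classify(ip, lambda a: PTR.get(a, []), lambda n: FWD.get(n, []))

if __name__ == "__main__":
    for addr in PTR:
        print(addr, *check(addr))
```

For live use, the two lookup arguments would be replaced by real PTR and A queries; the tables here only keep the example offline.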

