[dns-operations] You live in a dump, Quoyle!

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Feb 14 18:31:02 UTC 2022


On Mon, Feb 14, 2022 at 09:48:09AM -0800, Fred Morris wrote:

> They're full (the DNS is full) of patterns and antipatterns. One fractal 
> rabbit hole example: [0]
> 
> [0] The DNS protocol allows multiple rvalues per type per oname. This 
> works ok for e.g. A/AAAA, is disallowed for CNAME, and is... I'm not sure 
> what it is for PTR records.

Multiple PTR records are legal, but not a best (or even sound) practice.

> If an app is using hostnames in ACLs, it means you need to list them
> all.

SMTP servers in some cases require clients to have FCrDNS
(forward-canonicalised reverse DNS) names.  This requires
the DNS to return:

    client IP -> pick a PTR -> A/AAAA RRSet including same IP

this works even in the presence of multiple PTRs, provided they all
resolve to address lists that contain the input address.

Things tend to work poorly when automation adds a PTR record for
every forward "name -> IP" mapping with a given address.  One
then sometimes ends up with absurdly large PTR RRsets that
consume tens of KB in a TCP fallback after TC=1.

Best practice is to choose just one "primary" name as the PTR
for a given IP.

-- 
    Viktor.
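The FCrDNS walk sketched above (client IP -> PTR -> A/AAAA RRset containing the same IP), worked through as an added example that is not part of the original post. It runs over constructed in-memory records in the 192.0.2.0/24 documentation range rather than live DNS, so the lookup functions and every hostname are assumptions; it reports which PTR names round-trip and which do not, distinguishes a strict policy (every PTR must confirm, so the result does not depend on which PTR a server happens to pick) from a lenient one (any PTR confirms), and estimates the wire size of a PTR RRset so the growth from one-PTR-per-forward-name automation is visible.

```python
"""FCrDNS check over constructed DNS data (no network access needed)."""
import ipaddress
from typing import Callable, Dict, List

# Constructed toy records (not real hosts). Reverse owners are stored without a
# trailing dot to match ipaddress.ip_address(...).reverse_pointer.
CONSTRUCTED_PTR: Dict[str, List[str]] = {
    "10.2.0.192.in-addr.arpa": ["mail.example.net", "www.example.net", "old.example.net"],
    "11.2.0.192.in-addr.arpa": ["ghost.example.net"],
}
CONSTRUCTED_ADDR: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "www.example.net": ["192.0.2.10", "192.0.2.12"],
    "old.example.net": ["192.0.2.99"],  # stale forward record: does not point back
    # ghost.example.net deliberately has no A/AAAA at all
}

Lookup = Callable[[str], List[str]]


def ptr_lookup(owner: str) -> List[str]:
    """Stand-in for a PTR query against the constructed data."""
    return CONSTRUCTED_PTR.get(owner, [])


def addr_lookup(name: str) -> List[str]:
    """Stand-in for an A/AAAA query against the constructed data."""
    return CONSTRUCTED_ADDR.get(name, [])


def fcrdns(ip: str, ptr: Lookup = ptr_lookup, addr: Lookup = addr_lookup) -> dict:
    """Walk client IP -> every PTR -> A/AAAA set and report which PTR names
    confirm (their address set contains the client IP) and which do not."""
    addr_obj = ipaddress.ip_address(ip)
    ptr_names = ptr(addr_obj.reverse_pointer)
    confirmed: List[str] = []
    unconfirmed: List[str] = []
    for name in ptr_names:
        forward = {ipaddress.ip_address(a) for a in addr(name)}
        (confirmed if addr_obj in forward else unconfirmed).append(name)
    return {
        "ip": ip,
        "ptr": ptr_names,
        "confirmed": confirmed,
        "unconfirmed": unconfirmed,
        # strict: holds no matter which PTR a server picks from the RRset
        "strict_ok": bool(ptr_names) and not unconfirmed,
        # lenient: at least one PTR round-trips to the client IP
        "lenient_ok": bool(confirmed),
    }


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name: one length byte per label
    plus the terminating zero byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1


def ptr_rrset_wire_size(names: List[str]) -> int:
    """Approximate answer-section size of a PTR RRset: per RR a 2-byte
    compression pointer for the owner, TYPE(2) CLASS(2) TTL(4) RDLENGTH(2),
    plus the PTRDNAME written uncompressed."""
    return sum(2 + 2 + 2 + 4 + 2 + wire_name_len(n) for n in names)


def automation_blowup(n: int) -> int:
    """Size of the PTR RRset you get when automation adds one PTR per forward
    name host0..host{n-1}.example.net (constructed names)."""
    return ptr_rrset_wire_size([f"host{i}.example.net" for i in range(n)])


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(fcrdns(client))
    print("3 PTRs:", ptr_rrset_wire_size(CONSTRUCTED_PTR["10.2.0.192.in-addr.arpa"]), "bytes")
    print("500 auto-added PTRs:", automation_blowup(500), "bytes (well past a 512-byte UDP answer)")
```

Running the module shows 192.0.2.10 passing the lenient check but failing the strict one because the stale old.example.net PTR no longer points back, 192.0.2.11 failing both because its only PTR has no forward record, and 192.0.2.12 failing because it has no PTR at all. The size estimate ignores name compression of the PTRDNAMEs, so real answers are somewhat smaller, but the order of magnitude for a few hundred auto-added names is the same.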
