[AusNOG] PTR Records

David Beveridge dave at bevhost.com
Tue Nov 18 15:25:07 EST 2014


On Tue, Nov 18, 2014 at 1:51 PM, Scott Howard <scott at doc.net.au> wrote:
> On Mon, Nov 17, 2014 at 6:16 PM, Aaron Wigley <aaron.wigley at rea-group.com>
> wrote:
>>
>> RFC 1912, under "2.1 Inconsistent, Missing, or Bad Data: Make sure your
>> PTR and A records match.
>> For every IP address, there should be a matching PTR record in the
>> in-addr.arpa domain."
>>
>>
>> So, if there is an A RR for mail.mycompany.com, there should be a PTR RR
>> pointing back to it.  This is commonly used for email spam detection
>>
>> (https://en.wikipedia.org/wiki/Anti-spam_techniques#PTR.2Freverse_DNS_checks)
>
>
> No!  That is NOT what it says!!
>
> It says that for every IP address there should be a PTR. It does not say
> that for every A record there should be a PTR.
>
> You should be able to go  IP ---> Hostname (via PTR record) -> same IP. (via
> A record)
>

For SMTP the important thing is,
Lookup PTR for IP Address, get name,
Lookup Name, does it return same IP address? Does it also match HELO name?

For HTTPS,
lookup IP Address of Browser URL
connect to IP address,
negotiate SSL,
compare name announced in Cert to browser URL requested.

If a small business has SBS for example, and you want to use same cert
for IIS and Exchange you may find that there are many names configured
in the customers server DNS.
eg
server.example.local
server.example.com
remote.example.com
mail.example.com

If due to NAT you only have one IP address (and associated PTR) then
you want it to be one that makes sense for all of the services
offered. Otherwise you might get questions like "Why does remote web
workplace live on mail.example.com"

If you don't reduce this to a single name then you will need to buy a
certificate with multiple SAN (Subject Alternate Name) for it to work
with all the names, similar to the Multiple PTR record for the 1 IP
address problem.  Multi SAN SSL Certs do allow multiple web site names
on the 1 IP address but they do cost a lot more.

> Having multiple PTR records for a single IP address is completely legal, but
> has caused many problems over the years, especially with email/anti-spam.
>
>   Scott
>

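The SMTP check David describes (IP to PTR name, name back to address, and a HELO comparison), together with Scott's point about multiple PTR records on one address, as an added worked example. This code is not part of the thread or of any project mentioned in it; the zone data is constructed from RFC 5737 documentation addresses, and the resolver functions, result class and verdict strings are illustrative names chosen here.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check as an inbound SMTP receiver would run it.

Illustrative example, not code from the mailing list post. The PTR and A
lookups are injectable so the check runs offline against a constructed
in-memory zone; a live resolver can be substituted for real use.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

# Constructed zone data (RFC 5737 documentation ranges, not real hosts).
# 192.0.2.2 deliberately carries two PTR records, only one of which
# resolves forward to the same address: the "multiple PTR" situation
# from the thread. 192.0.2.4 has no PTR at all.
PTR_TABLE = {
    "1.2.0.192.in-addr.arpa": ["mail.example.com"],
    "2.2.0.192.in-addr.arpa": ["mail.example.com", "remote.example.com"],
    "3.2.0.192.in-addr.arpa": ["host.example.net"],
}
A_TABLE = {
    "mail.example.com": ["192.0.2.1", "192.0.2.2"],
    "remote.example.com": ["198.51.100.7"],
    "host.example.net": ["192.0.2.9"],
}


def _canon(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare cleanly."""
    return name.lower().rstrip(".")


def lookup_ptr(ip: str) -> List[str]:
    """Return every PTR target for an address (constructed table lookup)."""
    # reverse_pointer builds the in-addr.arpa / ip6.arpa owner name for us.
    rev = ipaddress.ip_address(ip).reverse_pointer
    return list(PTR_TABLE.get(rev, []))


def lookup_a(name: str) -> List[str]:
    """Return the forward addresses for a name (constructed table lookup)."""
    return list(A_TABLE.get(_canon(name), []))


@dataclass
class FcrdnsResult:
    ip: str
    ptr_names: List[str]        # every name the PTR query returned
    confirmed_names: List[str]  # the subset whose A record includes ip
    helo_confirmed: bool        # HELO name is one of the confirmed names

    @property
    def passes(self) -> bool:
        return bool(self.confirmed_names)

    @property
    def ambiguous(self) -> bool:
        return len(self.ptr_names) > 1


def check_fcrdns(ip: str, helo: str,
                 ptr: Callable[[str], List[str]] = lookup_ptr,
                 fwd: Callable[[str], List[str]] = lookup_a) -> FcrdnsResult:
    """Steps from the post: PTR for the IP -> name; A for the name -> same IP?; HELO match?"""
    ip = str(ipaddress.ip_address(ip))  # normalise and reject malformed input
    names = ptr(ip)
    confirmed = [n for n in names if ip in fwd(n)]
    helo_ok = _canon(helo) in {_canon(n) for n in confirmed}
    return FcrdnsResult(ip, names, confirmed, helo_ok)


def verdict(result: FcrdnsResult) -> str:
    """One-line summary suitable for a mail log."""
    if not result.ptr_names:
        return "fail: no PTR record"
    if not result.confirmed_names:
        return "fail: PTR name does not resolve back to IP"
    notes = []
    if result.ambiguous:
        notes.append("multiple PTR records")
    if not result.helo_confirmed:
        notes.append("HELO does not match confirmed PTR name")
    return "pass" + (" (" + "; ".join(notes) + ")" if notes else "")


if __name__ == "__main__":
    for ip, helo in [("192.0.2.1", "mail.example.com"),
                     ("192.0.2.2", "remote.example.com"),
                     ("192.0.2.3", "host.example.net"),
                     ("192.0.2.4", "anything.example.org")]:
        print(ip, helo, "->", verdict(check_fcrdns(ip, helo)))
```

The second case is the one the thread argues about: the address has two PTR records, but only `mail.example.com` resolves forward to it, so a receiver that compares HELO against the confirmed name will flag `remote.example.com` even though the PTR exists. For live use, `socket.gethostbyaddr` returns only a single name per address, so a resolver library that returns the full PTR RRset is needed to see the multiple-record case at all.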