reverse dns configuration for IPV4, IPV6+ dns+ mail ?

reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Pierre Couderc
Well, we have 2 computers in xxx.com subnet provided by ISP on 123.124.125.126 ipV4  address and corresponding IPV6 segment

mail.xxx.com :    2a01:e34:xxxx:xxxx:xxxx:xxxx:1122:3344 for mail server
ns.xxx.com :  2a01:e34:xxxx:xxxx:xxxx:xxxx:aabb:ccdd for dns server

In xxx.com bind :

mail A 123.124.125.126
mail AAAA 2a01:e34:xxxx:xxxx:xxxx:xxxx:1122:3344

ns A 123.124.125.126
ns AAAA 2a01:e34:xxxx:xxxx:xxxx:xxxx:aabb:ccdd

What should I put for the IPV4 reverse address: if I put mail.xxx.com, the reverse address will not point to ns.xxx.com, and if I put ns.xxx.com, the reverse DNS will not point to mail.xxx.com, and I shall have a mail problem.

What are the best practices for this problem?

Thanks
PC


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Mark Elkins
Put two reverse records in both  the IPv4 and IPv6 reverse zones....

in the "125.124.123.in-addr.arpa" zone:

126   IN   PTR   mail.xxx.com.
126   IN   PTR   ns.xxx.com.

and the same sort of thing in the reverse IPv6 zone. To calculate, run:
dig -x 2a01:e34:xxxx:xxxx:xxxx:xxxx:1122:3344
and see what question dig asks.

Nothing wrong with a machine (or interface on a machine) having more
than one name for the same address. List them all in the reverse
configuration. After all, a NS record usually has at least two records ;-)


On 18/06/2017 15:40, Pierre Couderc wrote:

> Well, we have 2 computers in xxx.com subnet provided by ISP on
> 123.124.125.126 ipV4  address and corresponding IPV6 segment
>
> mail.xxx.com :    2a01:e34:xxxx:xxxx:xxxx:xxxx:1122:3344 for mail server
> ns.xxx.com :  2a01:e34:xxxx:xxxx:xxxx:xxxx:aabb:ccdd for dns server
>
> In xxx.com bind :
>
> mail A 123.124.125.126
> mail AAAA 2a01:e34:xxxx:xxxx:xxxx:xxxx:1122:3344
>
> ns A 123.124.125.126
> ns AAAA 2a01:e34:xxxx:xxxx:xxxx:xxxx:aabb:ccdd
>
> What should I put for IPV4 reverse address : if I put mail.xxx.com,
> the reverse address will not point on ns.xxx.com, and if put
> ns.xxx.com, the reverse dns will not point on mail.xxx.com, and I
> shall have mail problem.
>
> What are the best practices for this problem?
>
> Thanks
> PC

--
Mark James ELKINS  -  Posix Systems - (South) Africa
[hidden email]       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Matus UHLAR - fantomas
In reply to this post by Pierre Couderc
On 18.06.17 15:40, Pierre Couderc wrote:

>Well, we have 2 computers in xxx.com subnet provided by ISP on 123.124.125.126 ipV4  address and corresponding IPV6 segment
>
>mail.xxx.com :    2a01:e34:xxxx:xxxx:xxxx:xxxx:1122:3344 for mail server
>ns.xxx.com :  2a01:e34:xxxx:xxxx:xxxx:xxxx:aabb:ccdd for dns server
>
>In xxx.com bind :
>
>mail A 123.124.125.126
>mail AAAA 2a01:e34:xxxx:xxxx:xxxx:xxxx:1122:3344
>
>ns A 123.124.125.126
>ns AAAA 2a01:e34:xxxx:xxxx:xxxx:xxxx:aabb:ccdd
>
>What should I put for IPV4 reverse address : if I put mail.xxx.com, the reverse address will not point on ns.xxx.com, and if put ns.xxx.com, the reverse dns will not point on mail.xxx.com, and I shall have mail problem.

you will not have mail problem. How did you come to this conclusion?
put there either one you want.

I would prefer mail.* but anything that does have valid A record pointing
back to 123.124.125.126 is fine.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Matus UHLAR - fantomas
In reply to this post by Mark Elkins
On 18.06.17 16:26, Mark Elkins wrote:
>Put two reverse records in both  the IPv4 and IPv6 reverse zones....
>
>in the "125.124.123.in-addr.arpa" zone:
>
>126   IN   PTR   mail.xxx.com.
>126   IN   PTR   ns.xxx.com.

while this is possible, it's not always a good idea.
One reverse record is enough in most cases you need reverse DNS.
(which mostly means, for outgoing mail)

>Nothing wrong with a machine (or interface on a machine) having more
>than one name for the same address. List them all in the reverse
>configuration. After all, a NS record usually has at least two records ;-)

there are cases when having two reverse records is misleading.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Reindl Harald


On 18.06.2017 at 17:38, Matus UHLAR - fantomas wrote:

> On 18.06.17 16:26, Mark Elkins wrote:
>> Put two reverse records in both  the IPv4 and IPv6 reverse zones....
>>
>> in the "125.124.123.in-addr.arpa" zone:
>>
>> 126   IN   PTR   mail.xxx.com.
>> 126   IN   PTR   ns.xxx.com.
>
> while this is possible, it's not always a good idea.
> One reverse record is enough in most cases you need reverse DNS.
> (which mostly means, for outgoing mail)
>
>> Nothing wrong with a machine (or interface on a machine) having more
>> than one name for the same address. List them all in the reverse
>> configuration. After all, a NS record usually has at least two records
>> ;-)
>
> there are cases when having two reverse records is misleading

it's nearly always misleading and results in randomness on the receiving
server which name get logged and if A/PTR matches

normally you should always have:

* IP with *one* PTR
* the A-Record for the PTR matches
* smtp_helo_name of your MTA matches the same name

and if you have split DNS just make sure that "smtp_helo_name" matches
what the receiving server would get for a PTR lookup to your public IP
connecting to him - it's really easy to achieve



Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Pierre Couderc


On 06/19/2017 01:05 AM, Reindl Harald wrote:

>
>
> On 18.06.2017 at 17:38, Matus UHLAR - fantomas wrote:
>> On 18.06.17 16:26, Mark Elkins wrote:
>>> Put two reverse records in both  the IPv4 and IPv6 reverse zones....
>>>
>>> in the "125.124.123.in-addr.arpa" zone:
>>>
>>> 126   IN   PTR   mail.xxx.com.
>>> 126   IN   PTR   ns.xxx.com.
>>
>> while this is possible, it's not always a good idea.
>> One reverse record is enough in most cases you need reverse DNS.
>> (which mostly means, for outgoing mail)
>>
>>> Nothing wrong with a machine (or interface on a machine) having more
>>> than one name for the same address. List them all in the reverse
>>> configuration. After all, a NS record usually has at least two
>>> records ;-)
>>
>> there are cases when having two reverse records is misleading
>
> it's nearly always misleading and results in randomness on the
> receiving server which name get logged and if A/PTR matches
>
> normally you should always have:
>
> * IP with *one* PTR
> * the A-Record for the PTR matches
> * smtp_helo_name of your MTA matches the same name
>
> and if you have split DNS just make sure that "smtp_helo_name" matches
> what the receiving server would get for a PTR lookup to your public IP
> connecting to him - it's really easy to achieve
>
Ok, thank you all, now I need to understand your answers...

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Matus UHLAR - fantomas
In reply to this post by Reindl Harald
>>On 18.06.17 16:26, Mark Elkins wrote:
>>>Put two reverse records in both  the IPv4 and IPv6 reverse zones....
>>>
>>>in the "125.124.123.in-addr.arpa" zone:
>>>
>>>126   IN   PTR   mail.xxx.com.
>>>126   IN   PTR   ns.xxx.com.

>On 18.06.2017 at 17:38, Matus UHLAR - fantomas wrote:
>>there are cases when having two reverse records is misleading

On 19.06.17 01:05, Reindl Harald wrote:
>it's nearly always misleading and results in randomness on the
>receiving server which name get logged and if A/PTR matches
>
>normally you should always have:
>
>* IP with *one* PTR
>* the A-Record for the PTR matches
>* smtp_helo_name of your MTA matches the same name

Even this is not required. In fact, requiring this breaks SMTP RFC.
The only requirement on helo name is that host must exist and be canonical,
which means it has to point to A or AAAA record.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Matus UHLAR - fantomas
In reply to this post by Pierre Couderc
On 19.06.17 08:03, Pierre Couderc wrote:
>Ok, thank you all, now I need to understand your answers...

long story short:

>>>>in the "125.124.123.in-addr.arpa" zone:
>>>>
>>>>126   IN   PTR   mail.xxx.com.

quoting your original message:
> What should I put for IPV4 reverse address : if I put mail.xxx.com, the
> reverse address will not point on ns.xxx.com, and if put ns.xxx.com, the
> reverse dns will not point on mail.xxx.com, and I shall have mail problem.

you will not have problem. who told you that?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Pierre Couderc
In reply to this post by Reindl Harald
On 06/19/2017 01:05 AM, Reindl Harald wrote:

>
>
> On 18.06.2017 at 17:38, Matus UHLAR - fantomas wrote:
>> On 18.06.17 16:26, Mark Elkins wrote:
>>> Put two reverse records in both  the IPv4 and IPv6 reverse zones....
>>>
>>> in the "125.124.123.in-addr.arpa" zone:
>>>
>>> 126   IN   PTR   mail.xxx.com.
>>> 126   IN   PTR   ns.xxx.com.
>>
>> while this is possible, it's not always a good idea.
>> One reverse record is enough in most cases you need reverse DNS.
>> (which mostly means, for outgoing mail)
>>
>>> Nothing wrong with a machine (or interface on a machine) having more
>>> than one name for the same address. List them all in the reverse
>>> configuration. After all, a NS record usually has at least two
>>> records ;-)
>>
>> there are cases when having two reverse records is misleading
>
> it's nearly always misleading and results in randomness on the
> receiving server which name get logged and if A/PTR matches
>
> normally you should always have:
>
> * IP with *one* PTR
> * the A-Record for the PTR matches
> * smtp_helo_name of your MTA matches the same name
>
This is clear in IPV4 but what about IPV6 ?



If I declare xxx.com bind :

mail A 123.124.125.126
mail AAAA 2a01:e34:xxxx:xxxx:xxxx:xxxx:1122:3344

ns A 123.124.125.126
ns AAAA 2a01:e34:xxxx:xxxx:xxxx:xxxx:aabb:ccdd

What should I put for IPV4 reverse address : if I put mail.xxx.com, the
reverse address will not point on ns.xxx.com, and if put ns.xxx.com, the
reverse dns will not point on mail.xxx.com, and I shall have mail problem.


Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Pierre Couderc
In reply to this post by Matus UHLAR - fantomas
On 06/19/2017 08:51 AM, Matus UHLAR - fantomas wrote:

> On 19.06.17 08:03, Pierre Couderc wrote:
>> Ok, thank you all, now I need to understand your answers...
>
> long story short:
>
>>>>> in the "125.124.123.in-addr.arpa" zone:
>>>>>
>>>>> 126   IN   PTR   mail.xxx.com.
>
> quoting your original message:
>> What should I put for IPV4 reverse address : if I put mail.xxx.com, the
>> reverse address will not point on ns.xxx.com, and if put ns.xxx.com, the
>> reverse dns will not point on mail.xxx.com, and I shall have mail
>> problem.
>
> you will not have problem. who told you that?
>
Thank you, but your way of shortening the story ignores the IPV6. bind
and MTA are on different computers, and different IPV6 addresses.
If I do what you say reverse IP for DNS will point on mail.xxx.com and
not on ns.xxx.com.


Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Mark Elkins
Another solution could be to make one of the names a CNAME pointing to
the other name.

-or-

Just use one generic name for both services. rather than the two
"service" names.


Although in all honesty, I see nothing wrong with a lookup returning two
answers (in a single response packet)  for the one reverse query. BIND
certainly is not confused. I guess it confuses people?
I've written various scripts to do various DNS checks and have always
made (programmed for) this assumption - that there may be more than one
answer and there may also be CNAMEs involved. If other software is
confused - then perhaps it is badly written?

Some people do though, I believe, go overboard...
(dig  -x 41.185.8.21)

On 19/06/2017 09:51, Pierre Couderc wrote:

> On 06/19/2017 08:51 AM, Matus UHLAR - fantomas wrote:
>> On 19.06.17 08:03, Pierre Couderc wrote:
>>> Ok, thank you all, now I need to understand your answers...
>>
>> long story short:
>>
>>>>>> in the "125.124.123.in-addr.arpa" zone:
>>>>>>
>>>>>> 126   IN   PTR   mail.xxx.com.
>>
>> quoting your original message:
>>> What should I put for IPV4 reverse address : if I put mail.xxx.com, the
>>> reverse address will not point on ns.xxx.com, and if put ns.xxx.com,
>>> the
>>> reverse dns will not point on mail.xxx.com, and I shall have mail
>>> problem.
>>
>> you will not have problem. who told you that?
>>
> Thank you, but your way of shortening the story ignores the IPV6. bind
> and MTA are on different computers, and different IPV6 addresses.
> If I do what you say reverse IP for DNS will point on mail.xxx.com and
> not on ns.xxx.com.

--
Mark James ELKINS  -  Posix Systems - (South) Africa
[hidden email]       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Matus UHLAR - fantomas
In reply to this post by Pierre Couderc
>On 06/19/2017 08:51 AM, Matus UHLAR - fantomas wrote:
>>long story short:
>>
>>>>>>in the "125.124.123.in-addr.arpa" zone:
>>>>>>
>>>>>>126   IN   PTR   mail.xxx.com.
>>
>>quoting your original message:
>>>What should I put for IPV4 reverse address : if I put mail.xxx.com, the
>>>reverse address will not point on ns.xxx.com, and if put ns.xxx.com, the
>>>reverse dns will not point on mail.xxx.com, and I shall have mail
>>>problem.
>>
>>you will not have problem. who told you that?

On 19.06.17 09:51, Pierre Couderc wrote:
>Thank you, but your way of shortening the story ignores the IPV6.

Yes, because the IPv6 is separate from IPv4 here. IPv6 is not a problem:
two different IPv6 addresses, two different AAAA records, one PTR for
"mail", and one PTR for "ns".

>If I do what you say reverse IP for DNS will point on mail.xxx.com
>and not on ns.xxx.com.

I have asked you twice:

WHO TOLD YOU THIS IS A PROBLEM? IT IS NOT!

There are only a few services on the net who currently use reverse DNS
records. SMTP is the most important. DNS servers do not check that.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Matus UHLAR - fantomas
In reply to this post by Mark Elkins
On 19.06.17 10:27, Mark Elkins wrote:
>Another solution could be to make one of the names a CNAME pointing to
>the other name.

No.
This would create a real problem, since NS and mail have different AAAA
records.

>-or-
>
>Just use one generic name for both services. rather than the two
>"service" names.

impossible, since the info above (and in other threads) - different servers.

>Although in all honesty, I see nothing wrong with a lookup returning two
>answers (in a single response packet)  for the one reverse query. BIND
>certainly is not confused. I guess it confuses people?

apparently yes, because this thread exists.
There's OP confused about a problem that does not exist.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Pierre Couderc
In reply to this post by Mark Elkins


On 06/19/2017 10:27 AM, Mark Elkins wrote:

> Another solution could be to make one of the names a CNAME pointing to
> the other name.
>
> -or-
>
> Just use one generic name for both services. rather than the two
> "service" names.
>
>
> Although in all honesty, I see nothing wrong with a lookup returning two
> answers (in a single response packet)  for the one reverse query. BIND
> certainly is not confused. I guess it confuses people?
> I've written various scripts to do various DNS checks and have always
> made (programmed for) this assumption - that there may be more than one
> answer and there may also be CNAMEs involved. If other software is
> confused - then perhaps it is badly written?
>
> Some people do though, I believe, go overboard...
> (dig  -x 41.185.8.21)
>
Thank you, in  this case cname cannot be used, as IPV6 are different.
So, the point is: does bind return the 2 names in the same packet?

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Pierre Couderc
In reply to this post by Matus UHLAR - fantomas


On 06/19/2017 10:42 AM, Matus UHLAR - fantomas wrote:

>
>> If I do what you say reverse IP for DNS will point on mail.xxx.com
>> and not on ns.xxx.com.
>
> I have asked you twice:
>
> WHO TOLD YOU THIS IS A PROBLEM? IT IS NOT!
>
> There are only a few services on the net who currently use reverse DNS
> records. SMTP is the most important. DNS servers do not check that.
>
Thank you, I had read that somewhere but I may have misunderstood, and
you answer me clearly. It is NOT a problem. Thank you.

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Reindl Harald
In reply to this post by Matus UHLAR - fantomas


On 19.06.2017 at 08:49, Matus UHLAR - fantomas wrote:

>>> On 18.06.17 16:26, Mark Elkins wrote:
>>>> Put two reverse records in both  the IPv4 and IPv6 reverse zones....
>>>>
>>>> in the "125.124.123.in-addr.arpa" zone:
>>>>
>>>> 126   IN   PTR   mail.xxx.com.
>>>> 126   IN   PTR   ns.xxx.com.
>
>> On 18.06.2017 at 17:38, Matus UHLAR - fantomas wrote:
>>> there are cases when having two reverse records is misleading
>
> On 19.06.17 01:05, Reindl Harald wrote:
>> it's nearly always misleading and results in randomness on the
>> receiving server which name get logged and if A/PTR matches
>>
>> normally you should always have:
>>
>> * IP with *one* PTR
>> * the A-Record for the PTR matches
>> * smtp_helo_name of your MTA matches the same name
>
> Even this is not required. In fact, requiring this breaks SMTP RFC.
> The only requirement on helo name is that host must exist and be canonical,
> which means it has to point to A or AAAA record

should != required
it's best practice

anyways, with 2 PTR records for the same IP on servers with
http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname 
you play lottery because one time it's logged as unknown and the other
time as matching, the unknown cases would trigger
reject_unknown_client_hostname


Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

John Levine
In reply to this post by Pierre Couderc
In article <[hidden email]> you write:
>>* IP with *one* PTR
>>* the A-Record for the PTR matches
>>* smtp_helo_name of your MTA matches the same name
>
>Even this is not required. In fact, requiring this breaks SMTP RFC.
>The only requirement on helo name is that host must exist and be canonical,
>which means it has to point to A or AAAA record.

Regardless of what the RFC says, if an IP doesn't have matching
forward/backward DNS that is an extremely strong indication that it's
a random computer in a botnet and few people will accept mail from it.

As others have noted, it doesn't matter what the forward/backward name
is so long as at least one pair of A and PTR match.  You do want the
HELO name to resolve correctly; again, a non-resolving HELO is a
very strong indication of a bot.

Yes, we know the SMTP specs say otherwise but they haven't been
updated since bot spam became such a problem.

R's,
John

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Matus UHLAR - fantomas
>>On 19.06.17 01:05, Reindl Harald wrote:
>>>it's nearly always misleading and results in randomness on the
>>>receiving server which name get logged and if A/PTR matches
>>>
>>>normally you should always have:
>>>
>>>* IP with *one* PTR
>>>* the A-Record for the PTR matches

these two are correct.

>>>* smtp_helo_name of your MTA matches the same name

this one is incorrect and my next comment applies only to this one:

>On 19.06.2017 at 08:49, Matus UHLAR - fantomas wrote:
>>Even this is not required. In fact, requiring this breaks SMTP RFC.
>>The only requirement on helo name is that host must exist and be canonical,
>>which means it has to point to A or AAAA record

there's no requirement that the HELO string matches the same name as PTR
and A/AAAA

IP -> PTR -> A/AAAA must match

HELO does NOT have to match IP -> PTR record. It only has to be resolvable
to A/AAAA.

On 19.06.17 11:25, Reindl Harald wrote:
>should != required
>it's best practice
>
>anyways, with 2 PTR records for the same IP on servers with
>http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname 
>you play lottery because one time it's logged as unknown and the
>other time as matching, the unknown cases would trigger
>reject_unknown_client_hostname

Actually, this would only happen when one of the A/AAAA records didn't exist.
Having two PTR records with valid A/AAAA would only confuse people because
they could see different one each time client connects, but doesn't break
anything (only dns-based acl's)

On 19.06.17 12:39, John Levine wrote:
>Regardless of what the RFC says, if an IP doesn't have matching
>forward/backward DNS that is an extremely strong indication that it's
>a random computer in a botnet and few people will accept mail from it.


>As others have noted, it doesn't matter what the forward/backward name
>is so long as at least one pair of A and PTR match.  You do want the
>HELO name to resolve correctly; again, a non-resolving HELO is a
>very strong indication of a bot.

which is the same I wrote above :)

>Yes, we know the SMTP specs say otherwise but they haven't been
>updated since bot spam became such a problem.

RFCs weren't updated in the last case above.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.
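
The relationship argued over in this thread (IP -> PTR -> A/AAAA must match; the HELO name only has to resolve), as an added example that is not from any poster and is not BIND or Postfix code. All records are constructed in documentation address ranges, and the "receiver trusts only the first PTR in the answer" model used to show the order dependence is an assumption for illustration.

```python
"""Forward-confirmed reverse DNS (FCrDNS) over constructed records."""
import ipaddress


def ip(text):
    return ipaddress.ip_address(text)


def reverse_name(addr):
    """QNAME of the PTR lookup for addr, i.e. the question `dig -x addr` asks."""
    return ip(addr).reverse_pointer


# Constructed forward zone (A and AAAA merged per name).
FORWARD = {
    "mail.example.com": {ip("203.0.113.10"), ip("2001:db8::1122:3344")},
    "ns.example.com": {ip("203.0.113.10"), ip("2001:db8::aabb:ccdd")},
    "mx2.example.com": {ip("203.0.113.20")},
}

# Constructed reverse data, keyed by in-addr.arpa / ip6.arpa owner name.
PTR = {
    # The thread's case: one IPv4 address, two names, both resolve back.
    reverse_name("203.0.113.10"): ["mail.example.com", "ns.example.com"],
    # IPv6: each host has its own address, so one PTR each.
    reverse_name("2001:db8::1122:3344"): ["mail.example.com"],
    reverse_name("2001:db8::aabb:ccdd"): ["ns.example.com"],
    # A leftover generic provider PTR (no A record) next to the real name.
    reverse_name("203.0.113.20"): ["mx2.example.com",
                                   "host-203-0-113-20.dyn.provider.example"],
    # A PTR exists, but the name's A record points to another address.
    reverse_name("203.0.113.30"): ["mail.example.com"],
}


def confirm(addr):
    """Map each PTR name of addr to True if its A/AAAA set contains addr."""
    target = ip(addr)
    return {name: target in FORWARD.get(name, set())
            for name in PTR.get(reverse_name(addr), [])}


def passes_any(addr):
    """True if at least one PTR and A/AAAA pair matches."""
    return any(confirm(addr).values())


def order_dependent(addr):
    """True if a receiver that looks only at the first PTR in the answer
    (assumed receiver model) gets a different verdict depending on the
    order in which the PTR records arrive."""
    return len(set(confirm(addr).values())) > 1


def helo_resolves(name):
    """The HELO name needs an A or AAAA record of its own, nothing more."""
    return bool(FORWARD.get(name))


def report(addr, helo):
    return {
        "qname": reverse_name(addr),
        "ptr": confirm(addr),
        "fcrdns": passes_any(addr),
        "order_dependent": order_dependent(addr),
        "helo_resolves": helo_resolves(helo),
    }


if __name__ == "__main__":
    cases = [
        ("203.0.113.10", "ns.example.com"),      # two PTRs, both confirmed
        ("2001:db8::1122:3344", "mail.example.com"),
        ("203.0.113.20", "mx2.example.com"),     # stale generic PTR alongside
        ("203.0.113.30", "unknown.example"),     # PTR not confirmed by A
    ]
    for addr, helo in cases:
        print(addr, report(addr, helo))
```
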

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Reindl Harald


On 19.06.2017 at 15:00, Matus UHLAR - fantomas wrote:

>>> On 19.06.17 01:05, Reindl Harald wrote:
>>>> it's nearly always misleading and results in randomness on the
>>>> receiving server which name get logged and if A/PTR matches
>>>>
>>>> normally you should always have:
>>>>
>>>> * IP with *one* PTR
>>>> * the A-Record for the PTR matches
>
> these two are correct.
>
>>>> * smtp_helo_name of your MTA matches the same name
>
> this one is incorrect and my next comment applies only to this one:

does it harm? NO
is it easy to achieve? YES
can it be used for scoring on a spamfilter? YES

>> anyways, with 2 PTR records for the same IP on servers with
>> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname 
>> you play lottery because one time it's logged as unknown and the other
>> time as matching, the unknown cases would trigger
>> reject_unknown_client_hostname
>
> Actually, this would only happen when one of the A/AAAA records didn't
> exist.
> Having two PTR records with valid A/AAAA would only confuse people because
> they could see different one each time client connects, but doesn't break
> anything (only dns-based acl's)

this is NOT true for all cases

FRANKLY i have seen enough *real world* postfix rejects caused by
"check_reverse_client_hostname_access" because the idiot on the other
side had "mail.example.com" AND the old
"my-provider-xx.xx.xx.xx-dyn.crap" PTR where one time
"check_reverse_client_hostname_access" was fine because it dealt with
the "mail.example.com" and the next mail was rejected by match
"my-provider-xx.xx.xx.xx-dyn.crap"

in all of these cases just removing the old useless generic PTR would have
solved the problem from the start

so please inform yourself and do tests.....

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Matus UHLAR - fantomas
>>>>>* smtp_helo_name of your MTA matches the same name
>>
>>this one is incorrect and my next comment applies only to this one:

On 19.06.17 15:14, Reindl Harald wrote:
>does it harm? NO
>is it easy to achieve? YES
>can it be used for scoring on a spamfilter? YES

is it required? NO.

>>Actually, this would only happen when one of the A/AAAA records
>>didn't exist.
>>Having two PTR records with valid A/AAAA would only confuse people because
>>they could see different one each time client connects, but doesn't break
>>anything (only dns-based acl's)
>
>this is NOT true for all cases
>
>FRANKLY i have seen enough *real world* postfix rejects caused by
>"check_reverse_client_hostname_access" because the idiot on the other
>side had "mail.example.com" AND the old
>"my-provider-xx.xx.xx.xx-dyn.crap" PTR where one time
>"check_reverse_client_hostname_access" was fine because it dealt
>with the "mail.example.com" and the next mail was rejected by match
>"my-provider-xx.xx.xx.xx-dyn.crap"

those rejections were NOT caused by having two different PTRs.
They were caused by something different that is not a subject of this
thread - even one PTR of this format would cause rejections.

>in all of these cases just removing the old useless generic PTR would
>have solved the problem from the start
>
>so please inform yourself and do tests.....

go reread the OP's question. He asked about "ns" and "mail" records.
there's no need to comment on something no one did propose.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)