Bill Jonas on Wed, 27 Feb 2002 01:40:55 -0500
On Tue, Feb 26, 2002 at 01:17:46AM -0500, Doug Crompton wrote:

> No I meant if it failed sending to the primary address (A record) (after
> MX lookup), due to reverse DNS error, would it go to the next MX, AND if
> that MX was reverse DNS legal, send it to there. That MX site would then
> send it to the first site that could not be reached.

I see three separate implications arising from this line of question:

1.) Your garden-variety "I can't get to the primary MX"-style problem. In this case, the sending MTA would revert to a secondary MX server, of course.

2.) The forward DNS is wrong. In this case, the IP will be either that of an unreachable machine (in which case it would fall back to secondary), the specified machine will be reachable but have port 25 closed (ditto), or the machine will refuse to accept the mail (I'm not sure if standard behavior would indicate that a secondary should be tried or if it should be given up as the mail was refused by the primary).

3.) Mis-matched forward and reverse DNS. I'm really not sure how this would occur. The sending MTA would look up the MX record for the host/domain, get the name of the MX servers, then try sending the mail to that host. The resolver (in your standard system libraries) finds the IP address, opens the connection, and tells the program that requested the connection that the connection is now open. (Or alternatively, the calling program might get the IP address (with gethostbyname(3) or similar), then try to open the connection. My C-fu is not yet strong.)

In any case, I'm not aware of any program that checks forward and reverse *while acting as a client*. (tcpwrappers, on the other hand (and therefore any program using libwrap), will do this if you say "PARANOID" in your hosts_access(5) files *while acting as a server*.)

In any case, I would *assume* that if the sender decides to reject an MX server for whatever reason, it would continue down the MX record until it's exhausted the list of MX servers.

I can think of no good reason why a sending MTA would refuse to send mail to, say, mail.crompton.com if its IP address's reverse DNS resolved to some weird customer-foo-623782834734.here.there.provider.net hostname.

> I still do not understand how reverse DNS can match forward DNS on a
> single static IP DSL connection.

Multiple A records for a single IP are permitted by DNS, as well as multiple PTR records.

> Assuming you were using many virtual domain names assigned to that
> address (multiple A records in different zones to same address). Would
> the provider register ALL of the domain names in CNAME reverse
> records?

PTR records, but yes. The entity who controls servers which are listed as authoritative for (to use the IP address for mail.crompton.com) 201.183.204.in-addr.arpa (which are ns[1-4].microserve.net) would need to make the appropriate entries.

It's just like, say, you don't want to see any more doubleclick.net banner ads, so you run your own nameserver, tell it it's authoritative for that zone, and set all IP addresses in that zone to 127.0.0.2. It's what you see, but nobody else (except those who use your nameservers) can see your settings, since the root (which (nearly) everyone looks to) considers different servers to be authoritative.

> The owning party has to register reverse records right? and no one
> owns a single IP address by itself.

Technically, no one "owns" *any* IP addresses, at least, not with IPv4. ;-)

It's feasible that your provider could tell their nameservers that your servers are authoritative for 225.201.183.204.in-addr.arpa, in which case, requests would get forwarded to you. In practice, this doesn't really happen unless you are a big customer. *If* they did, though, you could set up as many PTR records as you like. Shoot, I don't suppose it would hurt to ask, but be prepared to hear, "No, we don't do that. Tell us what you want and we'll do it for you."

Authority for reverse DNS is handled just like authority for forward DNS. When you look up a forward mapping, you start at ".", then ask it who's responsible for com., then you ask that one who's authoritative for crompton.com., etc. With reverse DNS, the IP address is reversed and ".in-addr.arpa" is appended. (This is because DNS is a hierarchical structure going from least-specific on the right to most-specific on the left. Authority for IP address blocks works the opposite way, with least-specific on the left to most-specific on the right. in-addr.arpa is simply the standard domain for reverse DNS.) First you find out who's authoritative for ., then arpa., then in-addr.arpa., etc, continuing down the list. Just like you could, if you wanted to, make me authoritative for jonas.crompton.com (or I could make you authoritative for crompton.billjonas.com), your provider could make you authoritative for your single IP address if they choose to.

(Incidentally, the root servers are responsible for in-addr.arpa and hand off authority to ARIN, RIPE, and the others, who then distribute authority based on who they've assigned the netblocks to.)

All that said, however, I can't think of any standard software that would refuse to send mail to you because mail.crompton.com resolves to 204.183.201.225 and 204.183.201.225 doesn't have a reverse mapping. And I can't imagine that *if* it did, that it wouldn't continue down the list of MX servers in priority order.

-- 
Bill Jonas * bill@billjonas.com * http://www.billjonas.com/
Developer/SysAdmin for hire! See http://www.billjonas.com/resume.html

Attachment:
pgpNwHuno30GX.pgp
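As an added illustration (not part of Bill's message), the following Python models the three mechanics the reply walks through: building the in-addr.arpa name and the delegation chain a resolver follows for 204.183.201.225, the forward-confirmed reverse DNS check that tcpwrappers' PARANOID applies on the server side, and the priority order in which a sending MTA works through MX records. All record data is constructed for the example; the provider.net PTR name and the mx2.microserve.net host are placeholders, not real records.

```python
import ipaddress

# Constructed sample records (not real DNS data). The crompton.com address
# comes from the thread; the provider-style PTR name is a placeholder.
A_RECORDS = {
    "mail.crompton.com.": ["204.183.201.225"],
    "customer-foo-623782834734.here.there.provider.net.": ["204.183.201.225"],
}
PTR_RECORDS = {
    # .225 reverses to a generic provider name that still points back at .225
    "225.201.183.204.in-addr.arpa.": ["customer-foo-623782834734.here.there.provider.net."],
    # .226 (constructed) reverses to a name whose A record is a different IP
    "226.201.183.204.in-addr.arpa.": ["mail.crompton.com."],
}


def ptr_name(ip: str) -> str:
    """Reverse the octets and append in-addr.arpa (ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def delegation_chain(name: str):
    """Zones a resolver asks about in turn: the root, then arpa., then
    in-addr.arpa., then one more label each step until the full name."""
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def fcrdns_ok(ip: str) -> bool:
    """Forward-confirmed reverse DNS (the PARANOID check, done as a server):
    some name the PTR gives must have an A record back to the same IP.
    The PTR name need not be the name the client advertises."""
    for host in PTR_RECORDS.get(ptr_name(ip), []):
        if ip in A_RECORDS.get(host, []):
            return True
    return False


def mx_try_order(mx_records):
    """Hosts in the order a sending MTA tries them: lowest preference value
    first, falling through to the next when a delivery attempt fails."""
    return [host for _, host in sorted(mx_records)]
```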