Subject: Re: INEXPENSIVE way to get reverse DNS records
To: Henry Nelson <netb@yuba.ne.jp>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 11/14/2006 16:13:02

At Mon, 13 Nov 2006 22:59:26 -0500,
Steven M. Bellovin wrote:
>
> You may still have trouble with hosts that think that a generic IP address
> like that can't be legit.  Not much I can do about that, I fear.

Using the ISP's generic PTR as your hostname won't actually help at all
to get mail directly to any of those of us who use simple RE patterns to
detect PTR target names that might, for all we can tell, be nothing more
than mindless spamware-infected zombie toasters. :-)

So, if you don't want your client-SMTP connect to appear to be coming
from a mindless toaster then you need a real plain-looking hostname
(perhaps with the letters "smtp" or "mail" in it), and you need your PTR
to match it, exactly.

Assuming I wasn't also verifying the greeting name then I would block
the same matching patterns on greeting names too (but if I do verify
them against the PTR, as I do on some sites, then I would catch the
toaster-looking PTR with the PTR target name patterns).

(As an aside I'm hoping a really good greylisting implementation will be
less of an impact against quality of service than I fear it will, _and_
that it will stand up in the war for the longer term, in which case I
may relax my view on toaster-looking hostnames -- it is a pain to
maintain those REs, and they do start getting complex quite quickly if
you're not careful.)

You really do need a PTR for any client-SMTP host these days, and you
really do need it/them to exactly match your hostnames.

However unless you really do have a /24 or more then you don't really
want or need your ISP to delegate the PTR to your nameservers with any
CNAME tricks, _unless_ you really think you need to change your
hostnames more often than you want to bug them to do the same to the
PTRs.  You probably should not be running DNS on a residential service
anyway, at least not without secondaries on better connected subnets!

(No offense intended against anyone who runs NetBSD on their toaster!)

BTW, the right thing for all you who are stuck on "residential" services
to do is to co-locate your mail server somewhere, anywhere, where you
can get all the right services, including PTRs, root passwords, etc., at
the right price.  If you can't afford the kind of services you want then
get your friends to chip in!  There are probably millions of hosting
services all around the world (there are certainly many thousands) and
you can easily use whichever one suits your needs and which will accept
your business.

-- 
						Greg A. Woods

H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>       Secrets of the Weird <woods@weird.com>

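The checks described in the message above (a PTR target that resolves back to the client address, simple RE patterns that flag ISP-style generic names, and a greeting name that must match the PTR), as an added example that is not part of this thread; DNS answers come from a constructed in-memory table so it runs offline, and the patterns are illustrative.

```python
import ipaddress
import re

# Constructed DNS data standing in for real PTR/A lookups so the check runs
# offline; a real MTA hook would query the resolver instead.
PTR = {
    "192.0.2.10": "mail.example.net",
    "192.0.2.20": "192-0-2-20.dyn.isp.example",   # ISP-style generic PTR
    "192.0.2.40": "smtp.example.org",              # forward does not come back
    "192.0.2.50": "smtp.example.com",
}
A = {
    "mail.example.net": ["192.0.2.10"],
    "192-0-2-20.dyn.isp.example": ["192.0.2.20"],
    "smtp.example.org": ["192.0.2.41"],
    "smtp.example.com": ["192.0.2.50"],
}

# PTR targets that look like "toaster" names: the client's own address spelled
# out in the name, or a dynamic/residential pool label.  Illustrative only;
# real lists grow complex quickly, as the message warns.
GENERIC_RES = [
    re.compile(r"(?<!\d)\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}(?!\d)"),
    re.compile(r"(?:^|[.-])(?:dyn(?:amic)?|dhcp|pool|ppp|dsl|cable|res)(?:[.-]|$)"),
]


def looks_generic(name: str) -> bool:
    return any(r.search(name.lower()) for r in GENERIC_RES)


def fcrdns_ok(ip: str, name: str) -> bool:
    """Forward-confirmed: the PTR target must resolve back to the client IP."""
    return ip in A.get(name, [])


def classify_client(ip: str, helo: str) -> str:
    """Return the verdict an SMTP server applying these checks would reach."""
    ip = str(ipaddress.ip_address(ip))  # normalise the textual form
    name = PTR.get(ip)
    if name is None:
        return "reject: no PTR"
    if not fcrdns_ok(ip, name):
        return "reject: PTR does not resolve back to client"
    if looks_generic(name):
        return "reject: generic PTR"
    if helo.lower() != name.lower():
        return "reject: HELO does not match PTR"
    return "accept"
```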