On Wed, 2010-02-24 at 08:11 -0800, Daniel B. Thurman wrote:
> I am trying to get a handle on how to properly
> assign DNS PTR records, given these conditions:
>
> 1) Single machine containing:
>    a) DNS Server
>    b) Sendmail Server
>
> ...
>
> The problem here is assigning the PTR, since
> only ONE reverse IP address is allowed.

The usual technique is to assign an A record to the hostname you're
giving the device (the name that identifies the machine amongst your
collection of equipment, or someone else's collection), with a
correlating PTR record. Then, you add additional A, MX, and CNAMEs for
the pretty hostnames you want people to know you by.

e.g. hostname of "serverone"
     additional pretty names of mail, mx, www, ftp, and so on, and so forth.

(Have a look at how a few ISPs or hosting services do this.)

If you're going to play with HTTPS and certificates, then you may want
to avoid using multiple pretty names, and just use one consistent
hostname for everything.

e.g. hostname of "fred"
     PTR for IP back to fred
     MX pointing to fred

That'll make it easier to use the same certificate for everything.
Yes, you can have certificates that apply to more than just one
specific hostname, but people often get that wrong.

With multiple PTRs, you can expect random behaviour from different
things. What you test, now, mayn't apply to something else querying
the PTR. And you might be bashing your head against a brick wall if
you have to deal with something that insists you can only have one PTR
per IP.

> some programs do a reverse IP check to reduce phishing/spamming?

The clever ones will find *your* IP, do the PTR check, then check if
that PTR name resolves back to one of your domain names (one the same
as in the first query).

e.g. Mail from example.com
     A record check says 192.168.1.2
     PTR check says that IP points to www.example.com
     A record check says 192.168.1.2
     Conclusion is that the various hostnames are the same site.

And manage to handle the situation where names don't directly match,
such as when you have external hosting, but the PTR/reverse IP checks
point to the host's domain names rather than your own. (A bit more
than just one forward and back check would be needed to confirm that
you're legitimately using a service with mismatching names.)

e.g. Mail from example.com
     A record check says 192.168.1.2
     PTR check says example.net (woo, different domain, might be fishy)
     A record check says 192.168.1.2 (same IP, probably okay)
     Conclusion is that the various domain names are the same site.

Dumb checks will fall apart when they find different domain names
while doing forward and backward checks, then do nothing more,
prematurely assuming that it's *bad*. You'll lose mail when things do
dumb checks; there's nothing you can do about that (if you can't make
the forward and backward name resolution checks agree).

NB: Those pseudo check routines are just an illustration of *a*
technique you might go through, not necessarily what will be done.

> How is this to be properly handled?
> + Separate out DNS and Sendmail services to its
>   own machine as hinted in "example.org"?

Some say that's a good idea, because failure of one doesn't mean
failure of everything (multiple DNS servers, and backup mail servers
on your extra MX records), likewise for an exploit in one service
being used to attack the other. Others say you may as well use one
machine, as a breakdown in either DNS or mail puts you out of action,
anyway.

> Is it possible/sensible to have DNS and Sendmail on
> the same machine?

Yes, I do that here.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
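The forward-then-reverse-then-forward check that Tim sketches above (the "clever" check that accepts a foreign PTR name as long as the addresses agree, and the "dumb" check that gives up on the first name mismatch) written out as a worked example. This is added code, not from the message or from the Fedora, BIND or Sendmail projects. The lookup tables are constructed from the post's own illustrative values (example.com, www.example.com, example.net, 192.168.1.2) plus one constructed non-matching case; `live_a` and `live_ptr` are assumed socket-based substitutes for a real resolver and are not exercised by the offline scenarios.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, the technique the post
describes a receiving mail server might run on a sender.

Added example; table data is constructed from the post's examples.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

ALookup = Callable[[str], List[str]]        # hostname -> list of IPv4 strings
PtrLookup = Callable[[str], Optional[str]]  # IPv4 string -> hostname or None


def same_org_domain(hostname: str, domain: str) -> bool:
    """True if hostname is domain itself or a subdomain of it."""
    h, d = hostname.rstrip(".").lower(), domain.rstrip(".").lower()
    return h == d or h.endswith("." + d)


def fcrdns_check(sender_domain: str, a_lookup: ALookup, ptr_lookup: PtrLookup,
                 dumb: bool = False) -> Tuple[str, List[str]]:
    """Run the three-step check from the post and return (verdict, trace).

    1. A lookup of the sender's domain -> IP(s)
    2. PTR lookup of each IP -> a hostname
    3. A lookup of that hostname -> IP(s); accept if the original IP is there

    Verdicts: "pass" (names agree), "pass-foreign-name" (addresses agree
    but the PTR name is in another domain, e.g. external hosting), or
    "fail". With dumb=True the check stops at the first name mismatch,
    which is the behaviour the post says loses legitimate mail.
    """
    trace: List[str] = []
    ips = a_lookup(sender_domain)
    trace.append(f"A {sender_domain} -> {ips}")
    if not ips:
        return "fail", trace
    for ip in ips:
        ptr = ptr_lookup(ip)
        trace.append(f"PTR {ip} -> {ptr}")
        if ptr is None:
            continue
        same = same_org_domain(ptr, sender_domain)
        if dumb and not same:
            trace.append("name mismatch: dumb check stops here")
            return "fail", trace
        ptr_ips = a_lookup(ptr)
        trace.append(f"A {ptr} -> {ptr_ips}")
        if ip in ptr_ips:
            return ("pass" if same else "pass-foreign-name"), trace
    return "fail", trace


def table_lookups(forward: Dict[str, List[str]],
                  reverse: Dict[str, str]) -> Tuple[ALookup, PtrLookup]:
    """Build offline lookup functions from constructed zone data."""
    return (lambda name: list(forward.get(name.rstrip(".").lower(), [])),
            lambda ip: reverse.get(ip))


# Scenario 1 (from the post): different hostnames, all inside example.com.
FORWARD_1 = {"example.com": ["192.168.1.2"], "www.example.com": ["192.168.1.2"]}
REVERSE_1 = {"192.168.1.2": "www.example.com"}
# Scenario 2 (from the post): external hosting, PTR names the host's domain.
FORWARD_2 = {"example.com": ["192.168.1.2"], "example.net": ["192.168.1.2"]}
REVERSE_2 = {"192.168.1.2": "example.net"}
# Scenario 3 (constructed): the PTR name does not resolve back to the IP.
FORWARD_3 = {"example.com": ["192.168.1.2"], "mail.example.org": ["10.0.0.9"]}
REVERSE_3 = {"192.168.1.2": "mail.example.org"}


# Assumed real-resolver equivalents for use outside the offline scenarios.
def live_a(name: str) -> List[str]:
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except OSError:
        return []


def live_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


if __name__ == "__main__":
    scenarios = {"same domain": (FORWARD_1, REVERSE_1),
                 "external hosting": (FORWARD_2, REVERSE_2),
                 "no round trip": (FORWARD_3, REVERSE_3)}
    for label, (fwd, rev) in scenarios.items():
        for dumb in (False, True):
            verdict, trace = fcrdns_check("example.com", *table_lookups(fwd, rev), dumb=dumb)
            print(f"{label:17} {'dumb ' if dumb else 'clever'}: {verdict}")
            for line in trace:
                print("    " + line)
```

Running it shows the post's point directly: the external-hosting scenario passes the clever check (same address, foreign name) but fails the dumb one, while the constructed case where the PTR name never resolves back fails both.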