Performance Issues - PTR Records

Jimmy Hess mysidia at gmail.com
Mon Nov 7 08:51:07 UTC 2011


On Mon, Nov 7, 2011 at 1:34 AM,  <Valdis.Kletnieks at vt.edu> wrote:
> On Mon, 07 Nov 2011 01:09:19 CST, Robert Bonomi said:
>> You're missing some 'obvious' considerations.  Consider a spam complaint
>> sent with 'full headers' included.  The rDNS _at_the_time_of_the_crime_
>> is present in the complaint.
> And if the rDNS isn't provided, any sane MTA will have included the IP address
> and timestamp involved, which shouldn't take you all *that* much longer to
> track down to one of your users.

I wouldn't take for granted that "IP address plus timestamp" can be
used to track down a user after the fact.  This is not always the case,
plenty of times it is not; the user may not be logged on anymore, and
there might be no historical data available, or the lifetime of the
historical data short enough, that it expired before the complaint came
in, possibly 24 hours or more later.  Especially not on shared LANs,
where an unruly user might actually select some random IP address and
use it without permission.

The RDNS will help in some of those cases if you don't keep/have
sufficient information to identify a user by IP address, if your
ability to create a mapping is unreliable... for example, you can't
really be sure about accurate clock synchronization in the timestamps
of the MTAs to any detail info you may have.

But even with RDNS there is still a matching problem... DNS records
have TTLs. The old mapping for an IP address can live in a cache for a
significant amount of time.

Sometimes unruly DNS servers or unruly applications fail to correctly
implement DNS, and wind up holding a record past its TTL... an "old
PTR mapping" for the IP address may be reported in message headers.

The result can be that a previous customer's ID in such a scheme would
appear in the complaint.

Now I suppose you could include another piece of info in the reverse
record:

<custid>.registeredat<timestamp>.checksum

And then if the purported timestamp in the complaint is after the
'next DNS record registration time' + TTL you know that the RDNS on
the complaint listed is invalid.

To maintain integrity in that case... you would need to ensure the IP
address could not be recycled to another user before all DNS records
cached at the logoff time + DNS registration interval expired.

--
-JH
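
The <custid>.registeredat<timestamp>.checksum scheme and the "next registration time + TTL" test described above, as an added example that is not part of the original post. Assumptions: the checksum is a truncated HMAC-SHA256, and the key, zone name, customer IDs and function names are all constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: secret held by the DNS provisioning system
ZONE = "dyn.example.net"       # constructed zone name
PREFIX = "registeredat"


def _checksum(cust_id: str, registered_at: int, key: bytes = KEY) -> str:
    # Assumption: the post's "checksum" realised as a keyed, truncated HMAC.
    msg = f"{cust_id}.{registered_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def make_ptr_name(cust_id: str, registered_at: int, key: bytes = KEY) -> str:
    """Build <custid>.registeredat<timestamp>.<checksum>.<zone> at lease time."""
    check = _checksum(cust_id, registered_at, key)
    return f"{cust_id}.{PREFIX}{registered_at}.{check}.{ZONE}"


def parse_ptr_name(name: str, key: bytes = KEY):
    """Return (cust_id, registered_at), or None if malformed or forged."""
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return None
    parts = name[: -len(suffix)].split(".")
    if len(parts) != 3 or not parts[1].startswith(PREFIX):
        return None
    cust_id, stamp, check = parts[0], parts[1][len(PREFIX):], parts[2]
    if not stamp.isdecimal():
        return None
    expected = _checksum(cust_id, int(stamp), key)
    if not hmac.compare_digest(check.encode(), expected.encode()):
        return None
    return cust_id, int(stamp)


def attribute(name, complaint_ts, next_registration_ts, ttl, key=KEY):
    """Customer the complaint's rDNS can be pinned on, or None if invalid.
    next_registration_ts is when the PTR was next rewritten (None if current)."""
    parsed = parse_ptr_name(name, key)
    if parsed is None:
        return None
    cust_id, registered_at = parsed
    if complaint_ts < registered_at:  # added sanity check, not in the post
        return None
    # The post's rule: after next registration + TTL the old name is invalid.
    if next_registration_ts is not None and complaint_ts > next_registration_ts + ttl:
        return None
    return cust_id
```

A name seen between the next registration and the end of the TTL window is still accepted here, which is only sound if the address was not recycled during that window, the condition the last paragraph of the post sets out.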



