Performance Issues - PTR Records
Jimmy Hess
mysidia at gmail.com
Mon Nov 7 08:51:07 UTC 2011
On Mon, Nov 7, 2011 at 1:34 AM, <Valdis.Kletnieks at vt.edu> wrote:
> On Mon, 07 Nov 2011 01:09:19 CST, Robert Bonomi said:
>> You're missing some 'obvious' considerations. Consider a spam complaint
>> sent with 'full headers' included. The rDNS _at_the_time_of_the_crime_
>> is present in the complaint.
> And if the rDNS isn't provided, any sane MTA will have included the IP address
> and timestamp involved, which shouldn't take you all *that* much longer to
> track down to one of your users.
I wouldn't take for granted that "IP address plus timestamp" can be used to track down a user after the fact. This is not always the case; plenty of times it is not. The user may not be logged on anymore, and there might be no historical data available, or the lifetime of the historical data may be short enough that it expired before the complaint came in, possibly 24 hours or more later. Especially not on shared LANs, where an unruly user might actually select some random IP address and use it without permission.
The RDNS will help in some of those cases if you don't keep/have sufficient information to identify a user by IP address, if your ability to create a mapping is unreliable... for example, you can't really be sure about accurate clock synchronization in the timestamps of the MTAs to any detail info you may have.
But even with RDNS there is still a matching problem... DNS records
have TTLs. The old mapping for an IP address can live in a cache for a
significant amount of time.
Sometimes unruly DNS servers or unruly applications fail to correctly implement DNS, and wind up holding a record past its TTL... an "old PTR mapping" for the IP address may be reported in message headers. The result can be that a previous customer's ID in such a scheme would appear in the complaint.
Now I suppose you could include another piece of info in the reverse record:
<custid>.registeredat<timestamp>.checksum
And then, if the purported timestamp in the complaint is after the 'next DNS record registration time' + TTL, you know that the RDNS listed on the complaint is invalid.
To maintain integrity in that case... you would need to ensure the IP
address could not be recycled to another user before all DNS records
cached at the logoff time + DNS registration interval expired.
--
-JH
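The record format and the validity rule sketched in the post above, worked through as an added example (not code from the post or from any NANOG participant): a PTR target of the form `<custid>.registeredat<timestamp>.checksum` is built and parsed, and a complaint's timestamp is compared against the next registration time plus TTL. The checksum algorithm, the zone name `rdns.example.net`, the 24-hour TTL and the registration log are all assumptions made for the example.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

def utc(year, month, day, hour=0, minute=0):
    """Small helper so timestamps in this example are unambiguously UTC."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)

# Constructed registration log for one IP address: each entry records when the
# PTR for that address was re-pointed to a new customer (oldest first).
REGISTRATIONS = [
    ("cust1001", utc(2011, 11, 1, 8, 0)),
    ("cust2042", utc(2011, 11, 6, 20, 0)),
]
PTR_TTL = timedelta(hours=24)   # assumed TTL published on the PTR records
ZONE = "rdns.example.net"       # assumed reverse-DNS naming zone

def checksum(custid, reg_ts):
    # Assumed checksum: first 8 hex digits of SHA-256 over "<custid>.<epoch>".
    data = f"{custid}.{int(reg_ts.timestamp())}".encode()
    return hashlib.sha256(data).hexdigest()[:8]

def build_ptr(custid, reg_ts):
    """Compose the PTR target: <custid>.registeredat<epoch>.<checksum>.<zone>"""
    epoch = int(reg_ts.timestamp())
    return f"{custid}.registeredat{epoch}.{checksum(custid, reg_ts)}.{ZONE}"

PTR_RE = re.compile(r"^(?P<cust>[^.]+)\.registeredat(?P<ts>\d+)\.(?P<sum>[0-9a-f]{8})\.")

def check_complaint(ptr_name, complaint_ts, registrations=REGISTRATIONS, ttl=PTR_TTL):
    """Judge the rDNS quoted in a complaint against the log; returns (verdict, custid)."""
    m = PTR_RE.match(ptr_name)
    if not m:
        return ("unparsable", None)
    cust = m["cust"]
    reg_ts = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
    if m["sum"] != checksum(cust, reg_ts):
        return ("bad-checksum", cust)      # garbled or forged record
    for i, (c, t) in enumerate(registrations):
        if c == cust and t == reg_ts:
            nxt = registrations[i + 1][1] if i + 1 < len(registrations) else None
            # Rule from the post: once the superseding registration plus one
            # TTL has elapsed, no cache can still hold this mapping legitimately.
            if nxt is not None and complaint_ts > nxt + ttl:
                return ("stale", cust)
            return ("plausible", cust)
    return ("unknown", cust)             # timestamp not in our log
```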