Forward-confirmed reverse DNS: Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>David MacQuigg
No edit summary
mNo edit summary
 
(One intermediate revision by one other user not shown)
Line 9: Line 9:
FCrDNS says nothing about the '''authorization''' of an IP address to send email.  There must be some external information, perhaps a "PTR term" in an [[Sender Policy Framework|SPF]] record, saying in effect "Trust our PTR records. We're not as sloppy as everyone else."  Otherwise, a Pass result might only mean that a network provider set up PTR records for all addresses in his entire IP allocation, including dynamic addresses assigned to home computers.  Often these network owners are large telecommunication companies, and not responsive to domain owners who want to use their own domain names in PTR records.
FCrDNS says nothing about the '''authorization''' of an IP address to send email.  There must be some external information, perhaps a "PTR term" in an [[Sender Policy Framework|SPF]] record, saying in effect "Trust our PTR records. We're not as sloppy as everyone else."  Otherwise, a Pass result might only mean that a network provider set up PTR records for all addresses in his entire IP allocation, including dynamic addresses assigned to home computers.  Often these network owners are large telecommunication companies, and not responsive to domain owners who want to use their own domain names in PTR records.


The FCrDNS method is one of the least reliable of the email authentication methods.  It can provide robust authentication, but seldom does because of the confusion and miscommunication surrounding PTR records.<ref>For a thorough discussion of these problems, see the Internet Draft "Considerations for the use of DNS Reverse Mapping" by Senie and Sullivan (March 2008).</ref> Few receivers rely on FCrDNS as having any value by itself.  It is mostly used as a heuristic check along with other inputs to a statistical analysis by a spam filter.
The FCrDNS method is one of the least reliable of the email authentication methods.  It can provide robust authentication, but seldom does because of the confusion and miscommunication surrounding PTR records.  Few receivers rely on FCrDNS as having any value by itself.  It is mostly used as a heuristic check along with other inputs to a statistical analysis by a spam filter.


=== How it works ===
=== How it works ===


See the email authentication example in [[Reverse DNS]].
Here are the steps for a receiver after getting a [[TCP]] connection request from a transmitter at IP address '''98.136.44.63.'''<br />
1) Do a reverse DNS query on the IP address.<br />
$ dig ptr 63.44.136.98.in-addr.arpa
...
;; ANSWER SECTION:
63.44.136.98.in-addr.arpa.  1200  IN  PTR  '''smtp108.prem.mail.sp1.yahoo.com.'''
...
2) Do a normal DNS query on the resulting "IPname".<br />
$ dig a smtp108.prem.mail.sp1.yahoo.com
...
;; ANSWER SECTION:
smtp108.prem.mail.sp1.yahoo.com.  1800  IN  A  '''98.136.44.63'''
...
==== Explanatory notes ====
The text forms shown here are from a terminal session using the [[BIND]] utility 'dig'. In a real email receiver, the queries and responses would be packets of the same data in a compact binary form.


=== Notes ===
'''in-addr.arpa''' is the branch of DNS holding all reverse query information.  ARPA was the US government agency which started the Internet.  The registry in now under the control of [[ICANN]].
{{reflist}}
 
'''PTR''' is a "pointer" record in DNS.  It "points" an address to a name, the opposite of an A record, which points a name to an address. 
 
The numbers in the ptr query are reversed, because of the way authority is delegated from the largest blocks to smaller blocks of IP addresses.  In the query, numbers are just treated as normal characters, so '63' is a subdomain of '44', which is a subdomain of '136', etc.
 
The second step is essential for authentication.  Without this a crooked domain owner could claim to be yahoo.com by simply publishing an A record with Yahoo's IP address.[[Category:Suggestion Bot Tag]]

Latest revision as of 06:00, 18 August 2024

This article is developing and not approved.
Main Article
Discussion
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
This editable Main Article is under development and subject to a disclaimer.

This article is a subtopic in a group of articles under Email system. We assume the reader understands the parent article, its terminology, and the roles of different agents in the system. The reader should also be familiar with the basics of Email authentication and with the article on Reverse DNS.

Forward-Confirmed reverse DNS (FCrDNS) is an email authentication method that uses the source IP address in a TCP connection to verify a domain name. A receiver does a Reverse DNS query on the IP address to learn the "IP name" assigned to that address by the network owner. If a normal forward DNS query on that name gives a matching IP address, then we have strong assurance that the network owner and the domain owner agree that the IP address and domain name are connected.

Limitations

FCrDNS says nothing about the authorization of an IP address to send email. There must be some external information, perhaps a "PTR term" in an SPF record, saying in effect "Trust our PTR records. We're not as sloppy as everyone else." Otherwise, a Pass result might only mean that a network provider set up PTR records for all addresses in his entire IP allocation, including dynamic addresses assigned to home computers. Often these network owners are large telecommunication companies, and not responsive to domain owners who want to use their own domain names in PTR records.

The FCrDNS method is one of the least reliable of the email authentication methods. It can provide robust authentication, but seldom does because of the confusion and miscommunication surrounding PTR records. Few receivers rely on FCrDNS as having any value by itself. It is mostly used as a heuristic check along with other inputs to a statistical analysis by a spam filter.

How it works

Here are the steps for a receiver after getting a TCP connection request from a transmitter at IP address 98.136.44.63.
1) Do a reverse DNS query on the IP address.

$ dig ptr 63.44.136.98.in-addr.arpa
...
;; ANSWER SECTION:
63.44.136.98.in-addr.arpa.  1200  IN  PTR  smtp108.prem.mail.sp1.yahoo.com.
...

2) Do a normal DNS query on the resulting "IPname".

$ dig a smtp108.prem.mail.sp1.yahoo.com
...
;; ANSWER SECTION:
smtp108.prem.mail.sp1.yahoo.com.  1800  IN  A  98.136.44.63
...

Explanatory notes

The text forms shown here are from a terminal session using the BIND utility 'dig'. In a real email receiver, the queries and responses would be packets of the same data in a compact binary form.

in-addr.arpa is the branch of DNS holding all reverse query information. ARPA was the US government agency which started the Internet. The registry in now under the control of ICANN.

PTR is a "pointer" record in DNS. It "points" an address to a name, the opposite of an A record, which points a name to an address.

The numbers in the ptr query are reversed, because of the way authority is delegated from the largest blocks to smaller blocks of IP addresses. In the query, numbers are just treated as normal characters, so '63' is a subdomain of '44', which is a subdomain of '136', etc.

The second step is essential for authentication. Without this a crooked domain owner could claim to be yahoo.com by simply publishing an A record with Yahoo's IP address.