User:David MacQuigg/Forward-confirmed reverse DNS: Difference between revisions
Revision 1: imported>David MacQuigg (New page: '''Edit status:''' '''Definition:''' Method for authenticating an association of a domain name with an IP address. {{TOC|right}} This article is a subtopic in a group of articles under [...)
Revision 2: imported>David MacQuigg (No edit summary)
(One intermediate revision by the same user not shown)
Latest revision as of 14:35, 28 October 2009
Edit status: copied to main
Definition: Method for authenticating an association of a domain name with an IP address.
This article is a subtopic in a group of articles under Email system. We assume the reader understands the parent article, its terminology, and the roles of different agents in the system. The reader should also be familiar with the basics of Email authentication and with the article on Reverse DNS.
Forward-Confirmed reverse DNS (FCrDNS) is an email authentication method that uses the source IP address in a TCP connection to verify a domain name. A receiver does a Reverse DNS query on the IP address to learn the "IP name" assigned to that address by the network owner. If a normal forward DNS query on that name gives a matching IP address, then we have strong assurance that the network owner and the domain owner agree that the IP address and domain name are connected.
Limitations
FCrDNS says nothing about the authorization of an IP address to send email. There must be some external information, perhaps a "PTR term" in an SPF record, saying in effect "Trust our PTR records. We're not as sloppy as everyone else." Otherwise, a Pass result might only mean that a network provider set up PTR records for every address in its entire IP block, including dynamic addresses assigned to home computers. Often these network owners are large telecommunication companies that are not responsive to domain owners who want to set up their own PTR records.
The FCrDNS method is one of the least reliable email authentication methods. It can provide robust authentication, but seldom does, because of the confusion and miscommunication surrounding PTR records.[1] Few receivers rely on FCrDNS as having any value by itself. It is mostly used as a heuristic check, one input among others to the statistical analysis done by a spam filter.
How it works
See the email authentication example in Reverse DNS.
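As an added example (not part of this article or of the Reverse DNS article it points to), the Python below performs the two queries described above, the reverse query for the IP name followed by the forward query on that name, against a constructed in-memory DNS table so that it runs offline. The record data, the lookup_ptr and lookup_address stand-ins for a resolver, and the looks_generic heuristic are assumptions made for the example. It returns a Pass only when a PTR name forward-resolves back to the connecting address, handles multiple PTR records and IPv6, and separately flags the provider-generated names that the Limitations section warns make a Pass say nothing about authorization.

```python
import ipaddress
import re

# Constructed DNS data (not real zones): PTR records keyed by the reverse name,
# A/AAAA records keyed by host name. 192.0.2.0/24 and 2001:db8::/32 are
# documentation prefixes and example.* are reserved names.
PTR_RECORDS = {
    "10.2.0.192.in-addr.arpa": ["mail.example.com"],
    "20.2.0.192.in-addr.arpa": ["mail.example.net"],               # forward does not confirm
    "40.2.0.192.in-addr.arpa": ["40.2.0.192.dynamic.example.org"],  # provider-generated name
    "50.2.0.192.in-addr.arpa": ["a.example.com", "b.example.com"],  # two PTR records
    ipaddress.ip_address("2001:db8::25").reverse_pointer: ["mail.example.com"],
}
ADDRESS_RECORDS = {
    "mail.example.com": ["192.0.2.10", "2001:db8::25"],
    "mail.example.net": ["192.0.2.99"],
    "40.2.0.192.dynamic.example.org": ["192.0.2.40"],
    "a.example.com": ["192.0.2.51"],
    "b.example.com": ["192.0.2.50"],
}


def lookup_ptr(ip):
    """Reverse query: PTR names for an address (assumed stand-in for a resolver)."""
    return PTR_RECORDS.get(ipaddress.ip_address(ip).reverse_pointer, [])


def lookup_address(name):
    """Forward query: A and AAAA addresses for a name (assumed stand-in for a resolver)."""
    return ADDRESS_RECORDS.get(name.rstrip(".").lower(), [])


def fcrdns(ip, ptr=lookup_ptr, forward=lookup_address):
    """Forward-confirmed reverse DNS for one connection's source address.

    Returns (result, confirmed_names):
      "pass" - at least one PTR name forward-resolves back to ip
      "fail" - PTR names exist but none of them resolves back to ip
      "none" - the address has no PTR record at all
    Addresses are compared as parsed values, so case and zero-compression
    differences in IPv6 text do not cause spurious failures.
    """
    addr = ipaddress.ip_address(ip)
    names = ptr(ip)
    if not names:
        return "none", []
    confirmed = [
        n for n in names
        if any(ipaddress.ip_address(a) == addr for a in forward(n))
    ]
    return ("pass" if confirmed else "fail"), confirmed


def looks_generic(name, ip):
    """Heuristic (assumption, not part of FCrDNS itself): does the PTR name embed
    all four IPv4 octets, as provider-generated names for whole blocks usually do?
    Such a name can pass FCrDNS while saying nothing about authorization to send."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    labels = set(re.split(r"[.-]", name.lower()))
    return set(str(addr).split(".")) <= labels


if __name__ == "__main__":
    for source in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40",
                   "192.0.2.50", "2001:DB8::25"]:
        result, names = fcrdns(source)
        generic = any(looks_generic(n, source) for n in names)
        print(f"{source:<14} {result:<5} confirmed={names} generic_name={generic}")
```

A receiver that treats the result as one heuristic input, as the article describes, would weight a Pass on a generic-looking name far below a Pass on a name the domain owner evidently chose, and would treat "fail" (PTR present but not confirmed) as more suspicious than "none".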
[1] For a thorough discussion of these problems, see the Internet Draft "Considerations for the use of DNS Reverse Mapping" by Senie and Sullivan (March 2008).