[Pdns-dev] pdns_recursor, export-etc-hosts creates round-robin PTRs

Andrew Boling aboling at gmail.com
Wed Jul 27 21:39:48 CEST 2011


It did actually break something - Kerberos authentication performs a
client-side PTR record lookup against the host you're connecting to, and
compares the result against the identity that the server claims to have. If
there's a mismatch, then the authentication can't continue. Round-robin PTR
records create sporadic Kerberos authentication failures and force client
software to fall back on other authentication methods. Ignore what I said
about SSL certs; it's incorrect.

An option for the alternative behavior would indeed play nicely with
everything. Sorry about going the hypothetical route, I was just wondering
if there were any legitimate uses of round-robin PTR in the current approach
that I was failing to appreciate. (for my own education)


On Mon, Jul 25, 2011 at 9:26 AM, bert hubert <bert.hubert at netherlabs.nl> wrote:

> On Sat, Jul 23, 2011 at 06:07:44PM -0400, Andrew Boling wrote:
> > canonical name. The current implementation causes problems with software
> > that uses any form of name validation against PTR records (i.e. SSL certs
> > or Kerberos auth).
>
> Well.. I don't think that gets you far anyhow.
>
> > I am aware of the alternatives of using auth-zone or running a
> > separate authoritative server for the local domain, so this isn't a show
> > stopper for me. Round-robin PTRs do seem a little counter-intuitive though,
> > so I figured it wouldn't hurt to see how others felt about it.
>
> What we did was copy the behaviour of djbdns and several other tools that
> do it in this way.
>
> Was your question theoretical or is it actually breaking some things for
> you?
>
> We could of course add a flag to switch behaviour, but I'd only do so if
> someone is really hurt by what we do now.
>
> --
> PowerDNS Website: http://www.powerdns.com/
> PowerDNS Community Website: http://wiki.powerdns.com/
>
>
> >
> >
> > As an example, if /etc/hosts contains the following line:
> > 192.168.0.1    somehost.mydomain      somehost1 somehost2
> >
> > Queries against the DNS server will return records like so:
> > somehost:/etc/powerdns# host -t PTR 192.168.0.1
> > 1.0.168.192.in-addr.arpa domain name pointer somehost1.
> > 1.0.168.192.in-addr.arpa domain name pointer somehost.mydomain.
> > 1.0.168.192.in-addr.arpa domain name pointer somehost2.
> > somehost:/etc/powerdns# host -t PTR 192.168.0.1
> > 1.0.168.192.in-addr.arpa domain name pointer somehost2.
> > 1.0.168.192.in-addr.arpa domain name pointer somehost1.
> > 1.0.168.192.in-addr.arpa domain name pointer somehost.mydomain.
> >
> >
> > OS: Debian Squeeze
> > Version: 3.2 (OS-supplied binary distro, no recompile)
>
> > _______________________________________________
> > Pdns-dev mailing list
> > Pdns-dev at mailman.powerdns.com
> > http://mailman.powerdns.com/mailman/listinfo/pdns-dev
>
>