PTR records are a big elephant and they tell us a lot about what happens when organizational realities meet aspiration: what this all comes down to is finding levers of control over service access.
Mark Delaney has been working on what I will call "service control", wherein some own device (a "client") contacts a service and said service is trying to authenticate the client based on the indicators at its disposal, one of which is the client's address, and a PTR record is one such artifact (along with TXT records, client SSL certs, other authentication tokens, etc.). The records Mark is creating are intended for consumption outside of the own network's sphere of control: they're generated/defined on the own network and queried for elsewhere.

My area of concern is the own network, primarily "access control". It implicitly starts with a DNS lookup because that is how the own network client enumerates and identifies the services it wishes to contact. The client is seldom utilizing artifacts at this level to authenticate the service; it is of little concern to the client, however it is of concern to me studying the overall integrity of the own network. The records I am creating are intended for consumption within the network's sphere of control: they're generated based on data returned from elsewhere for queries originating on the own network.

While I wasn't paying attention, the pace of consolidation has only increased. At this point in time, if I do an organic reverse (PTR) lookup for an address observed from my own / SOHO network the odds are better than even that the returned value will resolve to a name under amazonaws.com, if it resolves at all; about 70% of addresses (Derrida "don't") resolve to one of the top five infrastructure players (taking those unresolvable queries into account; Cloudflare and Fastly aren't big on PTR records). The positive news in this state of affairs is that the overwhelming majority of network connections (still) start with a DNS lookup, and synthetic PTR records can be generated.
As a defender you might not like what you see, but at least you can observe when you're trying to make rational decisions regarding what's on fire or might catch fire.

Here's a writeup: https://github.com/m3047/rear_view_rpz/blob/main/utilities/PTR_Recs_Useless.md

The actual "shape of things" is obviously going to depend on what the network is utilized for.

Is anybody else looking at this? Thanks in advance...

--
Fred Morris

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
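The core idea in the post, synthesizing PTR records from the forward (A/AAAA) answers that clients on the own network actually received, can be shown in a few lines. The following is an added illustration written for this page; it is not code from the post or from the rear_view_rpz project. It assumes a constructed list of observed answers (documentation addresses only), picks the most frequently queried forward name when several names resolved to the same address, and emits the result as zone-file lines under a hypothetical RPZ origin (`rpz.synthetic-ptr.example.`), which is an assumption about the output format rather than the project's own layout.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of answers observed on the own network:
# (queried name, record type, rdata). Addresses come from the
# documentation ranges (RFC 5737 / RFC 3849); nothing here is real.
OBSERVED_ANSWERS = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("www.example.com.", "A", "192.0.2.11"),
    ("cdn.example.net.", "A", "192.0.2.10"),          # second name, same address
    ("WWW.example.com.", "A", "192.0.2.10"),          # case differs, same name
    ("api.example.org.", "AAAA", "2001:db8::1"),
    ("mail.example.com.", "MX", "10 mx.example.com."),  # not an address: ignored
    ("broken.example.com.", "A", "not-an-address"),    # malformed rdata: skipped
]


def reverse_name(address: str) -> str:
    """Absolute in-addr.arpa / ip6.arpa owner name for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def build_synthetic_ptrs(answers):
    """Map each observed address's reverse name to a Counter of forward names.

    Only A and AAAA answers carry addresses; everything else is ignored.
    Names are lower-cased so that case variants count as one name.
    """
    table = defaultdict(Counter)
    for qname, rrtype, rdata in answers:
        if rrtype not in ("A", "AAAA"):
            continue
        try:
            owner = reverse_name(rdata)
        except ValueError:
            continue  # malformed rdata in the answer: skip, don't crash
        table[owner][qname.lower()] += 1
    return table


def lookup_ptr(table, address: str):
    """Answer a synthetic PTR query: most frequently seen forward name, or None."""
    try:
        owner = reverse_name(address)
    except ValueError:
        return None
    names = table.get(owner)
    if not names:
        return None
    # most_common() breaks ties by first insertion, which is stable enough here
    return names.most_common(1)[0][0]


def zone_lines(table, origin="rpz.synthetic-ptr.example."):
    """Render the table as zone-file lines under a hypothetical RPZ origin.

    Owner names are written relative to $ORIGIN, so each trigger becomes
    <reverse-name>.<origin>, which is the shape an RPZ local-data rule takes.
    """
    lines = [f"$ORIGIN {origin}", "$TTL 300"]
    for owner in sorted(table):
        name, count = table[owner].most_common(1)[0]
        lines.append(f"{owner.rstrip('.')} PTR {name} ; seen {count}x")
    return lines


if __name__ == "__main__":
    ptrs = build_synthetic_ptrs(OBSERVED_ANSWERS)
    for line in zone_lines(ptrs):
        print(line)
    print(lookup_ptr(ptrs, "192.0.2.10"))   # www.example.com. (seen twice)
    print(lookup_ptr(ptrs, "198.51.100.1")) # None: never observed on this network
```

The point of the frequency count is the caveat the post hints at: on consolidated infrastructure one address is routinely shared by many names, so a synthetic PTR is a best-effort hint from the network's own query history, not an authoritative identity, and a defender should treat a lookup that returns None (address never seen in any forward answer) as a signal in its own right.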