Why are multiple PTR records in DNS not recommended?

The PTR record for a reverse name (e.g. 7.2.0.192.in-addr.arpa) is expected to identify the canonical name that is associated with that IP address.

Both the gateway pointers at network nodes and the normal host pointers at full address nodes use the PTR RR to point back to the primary domain names of the corresponding hosts.

From: https://www.rfc-editor.org/rfc/rfc1035#section-3.5

This expectation is reflected in software that does reverse lookups; often such software specifically expects a single name back, and it expects to be able to use that name as a canonical name for that host. If there are multiple names returned, it's common to just take one at random, because they have absolutely no way of knowing which one you would have preferred for this particular occasion.

As the general expectation is that there is one canonical name associated with an IP address, and that name is what the PTR should point to, adding multiple names generally has no upside (nothing expects any random A/AAAA record to have a matching PTR), but it has a potential downside, as it can cause strange results: you have no control over which of your PTR records will be used if you have added more than one.

In essence, if you have multiple PTR records you do not actually make your host appear more legitimate, but rather the opposite: you run the risk of failing some validation or otherwise breaking something.

As a perhaps somewhat extreme metaphor, handing over five passports all with your photo but with different names at the airport is probably not going to be received as well as if you just hand over one.


It all comes down to unpredictable behavior since the RFC does not impose a limit or a way to handle these PTR records. Most implementations will choose round-robin and you will not achieve your desired result (perfect matching between many names to a single IP).

You can read more about this here: https://supernoc.rogerstelecom.net/pdfs/multiple-ptrs.pdf

Also, check this bug in glibc's getnameinfo function (https://sourceware.org/bugzilla/show_bug.cgi?id=5790). How can you guarantee this isn't happening in the infinite number of different systems around the Internet (some of them very old and unpatched)?

To reinforce, as a rule of thumb, it's always good to avoid behavior that is unspecified and unpredictable. Unfortunately, multiple PTR records for a single IP fall into that category (as far as RFCs are concerned).
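The failure mode both answers describe (a resolver rotating a multi-record PTR RRset, a getnameinfo-style caller keeping only the first name, and a forward-confirmed reverse DNS check that then passes or fails depending on which name happened to come first) can be simulated offline. The following is an added example, not code from either answer; the zone data, the hostnames under example.net, the documentation-range addresses and the round-robin resolver are all constructed for illustration.

```python
"""Simulate why multiple PTR records for one IP make reverse validation
nondeterministic. Constructed zone data only; no real DNS queries are made.
IPv4 only, for brevity."""

# Constructed reverse zone: 192.0.2.7 has one PTR, 192.0.2.8 has three.
PTR_MULTI = {
    "7.2.0.192.in-addr.arpa": ["mail.example.net"],
    "8.2.0.192.in-addr.arpa": ["www.example.net", "shop.example.net",
                               "legacy.example.net"],
}

# The recommended layout for the same hosts: exactly one PTR per address.
# The extra names keep their A records; only the reverse side is single.
PTR_SINGLE = {
    "7.2.0.192.in-addr.arpa": ["mail.example.net"],
    "8.2.0.192.in-addr.arpa": ["www.example.net"],
}

# Constructed forward zone. legacy.example.net is stale and points elsewhere,
# which is a common way a multi-PTR setup quietly rots.
A_RECORDS = {
    "mail.example.net":   ["192.0.2.7"],
    "www.example.net":    ["192.0.2.8"],
    "shop.example.net":   ["192.0.2.8"],
    "legacy.example.net": ["198.51.100.20"],
}


def reverse_name(ip):
    """192.0.2.7 -> 7.2.0.192.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


class RoundRobinResolver:
    """Hypothetical recursive resolver that rotates the order of a multi-record
    RRset on every answer (the round-robin behaviour the second answer mentions).
    Order is deterministic here so the effect can be asserted on."""

    def __init__(self, ptr_zone, a_zone):
        self.ptr_zone = ptr_zone
        self.a_zone = a_zone
        self.calls = {}

    def ptr(self, ip):
        name = reverse_name(ip)
        rrset = self.ptr_zone.get(name, [])
        n = self.calls.get(name, 0)
        self.calls[name] = n + 1
        if not rrset:
            return []
        k = n % len(rrset)
        return rrset[k:] + rrset[:k]

    def a(self, host):
        return self.a_zone.get(host, [])


def getnameinfo_like(resolver, ip):
    """Mimics a getnameinfo()-style caller: keeps the first PTR returned,
    silently discarding the rest."""
    rrs = resolver.ptr(ip)
    return rrs[0] if rrs else None


def fcrdns(resolver, ip):
    """Forward-confirmed reverse DNS on the single name the caller got back.
    Returns (hostname, confirmed)."""
    host = getnameinfo_like(resolver, ip)
    if host is None:
        return (None, False)
    return (host, ip in resolver.a(host))


def outcomes(ip, ptr_zone, rounds=6):
    """Run the check repeatedly against a fresh resolver and collect results."""
    r = RoundRobinResolver(ptr_zone, A_RECORDS)
    return [fcrdns(r, ip) for _ in range(rounds)]


def is_stable(ip, ptr_zone, rounds=6):
    """True when every repeated lookup yields the same (hostname, verdict)."""
    return len(set(outcomes(ip, ptr_zone, rounds))) == 1


if __name__ == "__main__":
    for zone_name, zone in (("multi-PTR", PTR_MULTI), ("single-PTR", PTR_SINGLE)):
        print(zone_name, "192.0.2.8:", outcomes("192.0.2.8", zone),
              "stable:", is_stable("192.0.2.8", zone))
```

With the three-record RRset, every third lookup hands the caller legacy.example.net, whose A record no longer points at 192.0.2.8, so the same client alternately passes and fails validation with no change on either side. With one PTR per address the result is the same on every query, and shop.example.net still resolves forward normally; nothing required it to have a matching PTR.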