Is it valid to have several IP addresses resolving back (PTR) to one name that doesn't match either of the relevant A records?

While the informational (non-standard) RFC 1912 from 1996 suggests:

Make sure your PTR and A records match. For every IP address, there should be a matching PTR record in the in-addr.arpa domain. If a host is multi-homed, (more than one IP address) make sure that all IP addresses have a corresponding PTR record (not just the first one). Failure to have matching PTR and A records can cause loss of Internet services similar to not being registered in the DNS at all.

In spite of that, it isn't a requirement for PTR records to match A records. The most common issue you will see from PTR mismatches is in mail delivery. That said, I'd ensure that you at least point the records to domains you actually own and control.


The guidelines imposed by the standard-defining RFCs are that the PTR record should point at the canonical hostname for the associated IP, and that it not point at an alias. This is important since your question seems to suggest that you're thinking of having one point at a CNAME in some cases, and bogus values in many of them.

RFC1034 §3.5 (kudos to @Håkan Lindqvist, who keeps me honest as always):

Address nodes are used to hold pointers to primary host names in the normal domain space.

RFC1034 §3.6.2:

Domain names in RRs which point at another name should always point at the primary name and not the alias. This avoids extra indirections in accessing information.

Both RFCs were written before clear definitions for SHOULD NOT and MUST NOT existed (RFC2119). This is unfortunate because DNS is the glue of the internet and it's common for many recommendations in the original standards to be bent until further reinforced by supplementary RFCs. That said, the intent is fairly obvious here. It's one thing to use DNS as a general purpose hierarchical database when using the appropriate record types; it's another to ignore the recommendations completely.

Will you break things if you proceed? Probably not, but it's still not a terribly good approach, especially if you intend for this to not map back to a value that is useful to the user or software (making DNS recursors do more work for no added value).
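
An added example, not part of either answer: a small audit that classifies each address's reverse mapping against the two recommendations quoted above (RFC 1912's matching PTR and A records, and RFC 1034's rule against pointing at an alias). The zone data, the host names and the `lookup` stand-in for a resolver are constructed for illustration.

```python
import ipaddress

# Constructed sample records (documentation addresses, example.com names).
# Keys are (owner name, record type); values are lists of record data.
ZONE = {
    ("mail.example.com.", "A"): ["192.0.2.10", "192.0.2.11"],
    ("www.example.com.", "CNAME"): ["mail.example.com."],
    ("shared.example.com.", "A"): ["198.51.100.5"],
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.com."],
    ("11.2.0.192.in-addr.arpa.", "PTR"): ["shared.example.com."],
    ("12.2.0.192.in-addr.arpa.", "PTR"): ["www.example.com."],
}


def lookup(name, rtype):
    """Hypothetical stand-in for a resolver query; reads the constructed ZONE."""
    return ZONE.get((name.lower(), rtype), [])


def check_ptr(ip):
    """Return 'no-ptr', 'ptr-to-alias', 'forward-mismatch' or 'ok' for one IP."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer yields e.g. '10.2.0.192.in-addr.arpa' (no trailing dot)
    targets = lookup(addr.reverse_pointer + ".", "PTR")
    if not targets:
        return "no-ptr"
    forward_type = "A" if addr.version == 4 else "AAAA"
    verdicts = []
    for target in targets:
        if lookup(target, "CNAME"):
            # RFC 1034 3.6.2: point at the primary name, not the alias
            verdicts.append("ptr-to-alias")
        elif any(ipaddress.ip_address(a) == addr for a in lookup(target, forward_type)):
            verdicts.append("ok")
        else:
            verdicts.append("forward-mismatch")
    # One PTR target that forward-resolves to the address is enough to confirm it
    return next(v for v in ("ok", "ptr-to-alias", "forward-mismatch") if v in verdicts)


def audit(ips):
    """Map each address to its classification."""
    return {ip: check_ptr(ip) for ip in ips}
```

Here `192.0.2.11` reproduces the situation in the question: its PTR names a host whose A record does not include that address, which is the mismatch a receiving mail server's reverse-DNS check would see.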