Kerberos behavior in the presence of multiple PTR records

Nico Williams nico at cryptonector.com
Thu Mar 14 16:20:04 EDT 2013


To my knowledge no RFC says that only one PTR RR may exist in any
given PTR RRSet.  In practice all implementations of getnameinfo(),
gethostbyaddr(), and the like, use only the first PTR RR in the PTR
RRSet for obvious semantic reasons: such code is looking for a
canonical name for an IP address, and more than one name means there's
no canonical name, thus either failure or "pick one" are the only
options.

In any case, you should never want to use PTR RR lookups for principal
name canonicalization.  (Not unless you are using DNSSEC, which you're
almost certainly not.)

Nico
--
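The behaviour Nico describes (resolvers returning only the first PTR RR, and why reverse lookups make a poor basis for principal canonicalization) can be seen with a small simulation. The following is an added example, not code from the original post or from any Kerberos implementation: it models a client deriving a host-based service principal either the way MIT krb5's `rdns = true` setting would (forward-resolve, then take the first PTR of the address) or the way `rdns = false` would (use the name the caller supplied). The resolver, the address 192.0.2.10 and all names are constructed sample data, and the function names are the example's own.

```python
# Added example (not from the original post or any Kerberos library):
# simulate service-principal canonicalization with and without reverse DNS
# when an address has more than one PTR record.

from typing import Dict, List, Optional

# Constructed sample DNS data. One address carries two PTR records; the
# order a resolver sees them in is not guaranteed (round-robin rotation).
PTR_RRSET: Dict[str, List[str]] = {
    "192.0.2.10": ["www.example.com.", "mail.example.com."],
}
A_RRSET: Dict[str, List[str]] = {
    "www.example.com.": ["192.0.2.10"],
    "mail.example.com.": ["192.0.2.10"],
}


def fqdn(name: str) -> str:
    """Normalize a hostname: lower-case, trailing dot removed."""
    return name.lower().rstrip(".")


def reverse_lookup_first(addr: str, ptr: Dict[str, List[str]]) -> Optional[str]:
    """Model gethostbyaddr()/getnameinfo(): only the first PTR RR in the
    RRset is returned, as the post describes. None if there is no PTR."""
    names = ptr.get(addr)
    return fqdn(names[0]) if names else None


def service_principal_rdns(host: str, realm: str,
                           a: Dict[str, List[str]],
                           ptr: Dict[str, List[str]]) -> Optional[str]:
    """rdns=true style: forward-resolve the host, reverse-resolve the
    address, and build the principal from whatever name came back first."""
    addrs = a.get(fqdn(host) + ".")
    if not addrs:
        return None
    canon = reverse_lookup_first(addrs[0], ptr)
    return f"host/{canon}@{realm}" if canon else None


def service_principal_no_rdns(host: str, realm: str) -> str:
    """rdns=false style: trust the name the caller asked for; no PTR lookup."""
    return f"host/{fqdn(host)}@{realm}"


def principals_across_ptr_orders(host: str, realm: str,
                                 a: Dict[str, List[str]],
                                 ptr: Dict[str, List[str]]) -> List[str]:
    """Show the failure mode: rotate the PTR RRset (as round-robin DNS
    would) and collect every principal the rdns path can produce."""
    seen: List[str] = []
    for addr, names in ptr.items():
        for i in range(len(names)):
            rotated = {addr: names[i:] + names[:i]}
            p = service_principal_rdns(host, realm, a, rotated)
            if p and p not in seen:
                seen.append(p)
    return seen


if __name__ == "__main__":
    realm = "EXAMPLE.COM"
    # The client asked for mail.example.com but, with reverse lookups,
    # ends up with whichever PTR happened to be listed first.
    print(service_principal_rdns("mail.example.com", realm, A_RRSET, PTR_RRSET))
    print(service_principal_no_rdns("mail.example.com", realm))
    print(principals_across_ptr_orders("mail.example.com", realm, A_RRSET, PTR_RRSET))
```

With reverse lookups enabled, the principal for `mail.example.com` becomes `host/www.example.com@EXAMPLE.COM` as long as the www record happens to be first, and flips to `host/mail.example.com@EXAMPLE.COM` when the RRset is rotated; the client therefore authenticates to a service name it did not ask for, and the outcome depends on resolver ordering rather than on anything the user controls. Without reverse lookups the principal is a deterministic function of the requested name, which is the behaviour the post recommends.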
