Kerberos behavior in the presence of multiple PTR records

Yury Sulsky yury.sulsky at
Thu Mar 14 19:19:28 EDT 2013

On Thu, Mar 14, 2013 at 4:20 PM, Nico Williams <nico at>wrote:

> To my knowledge no RFC says that only one PTR RR may exist in any
> given PTR RRSet.  In practice all implementations of getnameinfo(),
> gethostbyaddr(), and the like, use only the first PTR RR in the PTR
> RRSet for obvious semantic reasons: such code is looking for a
> canonical name for an IP address, and more than one name means there's
> no canonical name, thus either failure or "pick one" are the only
> options.

Does that mean it's just always a mistake for there to exist more than one
PTR record for a given IP address? I just assumed it's a set operation,
just like you might have multiple A records pointing to the same IP
address, you might have multiple PTR records pointing back at those names.

In any case, you should never want to use PTR RR lookups for principal
> name canonicalization.  (Not unless you are using DNSSEC, which you're
> almost certainly not.)

I think this code only uses the reverse lookup as a sanity check, which
fails in an inconsistent manner if there is more than a single PTR record
(depending on which one is returned first).

> Nico
> --

More information about the Kerberos mailing list