help/content/reference/checkers/reverse-zone.en.md
Pierre-Olivier Mercier 5ccdd8892f
docs: add checker reference pages and update homepage feature list
Add individual reference pages for all domain health checkers (EN/FR),
update the homepage feature descriptions in both languages to highlight
monitoring, notifications, and domain availability checks.
2026-06-11 17:27:47 +09:00


---
date: 2026-06-11T09:00:00+02:00
author: nemunaire
title: Reverse zone
description: "Inspects the PTR records of an in-addr.arpa or ip6.arpa reverse zone for FCrDNS, target resolvability, hostname syntax, generic names and TTL hygiene."
weight: 110
---
The **Reverse zone** checker inspects the `PTR` records of a reverse DNS zone (`in-addr.arpa` or `ip6.arpa`) and validates that they are well formed and consistent with forward DNS. It verifies Forward-Confirmed Reverse DNS (FCrDNS), that targets resolve and are syntactically valid host names, flags generic or auto-generated names and short TTLs, and catches multiple-`PTR`-per-IP violations (RFC 1912 §2.1). Correct reverse DNS matters in practice: mail servers and SSH endpoints routinely reject or downgrade connections from IPs without proper FCrDNS.

This checker is **zone-level**: it operates on the full content of a reverse zone (it applies to the domain and reads the whole zone).

## What it checks

| Finding code | What it verifies | Severity |
|---|---|---|
| `reverse_zone.is_reverse_arpa` | The zone is under `in-addr.arpa` or `ip6.arpa`. | Critical |
| `reverse_zone.has_ptrs` | The reverse zone declares at least one `PTR` record. | Warning |
| `reverse_zone.fcrdns` | Every `PTR` target's `A`/`AAAA` round-trips back to the original IP (Forward-Confirmed Reverse DNS). | Critical |
| `reverse_zone.target_resolves` | Every `PTR` target resolves to at least one `A` or `AAAA` record. | Critical |
| `reverse_zone.single_ptr_per_ip` | Flags IPs with multiple `PTR` records (RFC 1912 §2.1 recommends exactly one). | Warning |
| `reverse_zone.target_syntax` | Every `PTR` target is a syntactically valid host name. | Critical |
| `reverse_zone.generic_hostname` | Flags `PTR` targets that embed the IP or match common ISP auto-generated patterns. | Warning |
| `reverse_zone.ttl_hygiene` | Flags `PTR` records whose TTL is below the configured minimum. | Warning |
| `reverse_zone.truncated` | Reports when the zone has more `PTR` records than the configured cap allows the checker to inspect. | Info |

## Options

| Option | Meaning | Default |
|---|---|---|
| `requireForwardMatch` | When enabled, a `PTR` whose target does not resolve back to the original IP is critical (otherwise warning). Mail and SSH servers require FCrDNS. | `true` |
| `allowMultiplePTR` | When disabled, more than one `PTR` at the same owner is reported as warning (RFC 1912 §2.1 recommends a single `PTR` per IP). | `false` |
| `minTTL` | `PTR` records with a TTL below this threshold (in seconds) are flagged as warning. | `300` |
| `flagGenericPTR` | When enabled, `PTR` targets that embed the dotted IP or match common ISP auto-generated patterns are flagged as warning. | `true` |
| `maxPTRsToCheck` | Caps the number of `PTR` records inspected per run, protecting the checker against very large reverse zones. | `1024` |

{{% notice style="info" title="Forward-Confirmed Reverse DNS" %}}
FCrDNS means the `PTR` target, looked up forward, resolves back to the original IP address. A `PTR` that points to a host whose `A`/`AAAA` does not include that IP fails the round-trip and is treated as a misconfiguration by many mail and SSH servers.
{{% /notice %}}
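The round-trip described above, sketched in Go as an added example (not happyDomain's own code): `arpaToAddr` and `fcrdnsFinding` are hypothetical helper names, the addresses are constructed from documentation ranges, and the decoder covers both `in-addr.arpa` and `ip6.arpa` owner names. The returned strings reuse the finding codes from the table above.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// arpaToAddr decodes a PTR owner name under in-addr.arpa or ip6.arpa into its IP.
func arpaToAddr(owner string) (netip.Addr, error) {
	name := strings.ToLower(strings.TrimSuffix(owner, "."))
	suffix, want, group, sep := ".in-addr.arpa", 4, 1, "."
	if strings.HasSuffix(name, ".ip6.arpa") {
		suffix, want, group, sep = ".ip6.arpa", 32, 4, ":"
	}
	labels := strings.Split(strings.TrimSuffix(name, suffix), ".")
	if !strings.HasSuffix(name, suffix) || len(labels) != want {
		return netip.Addr{}, fmt.Errorf("%q is not a complete reverse name", owner)
	}
	text := ""
	for i, l := range labels { // least-significant label comes first
		if group == 4 && len(l) != 1 { // ip6.arpa labels are single hex nibbles
			return netip.Addr{}, fmt.Errorf("%q: bad nibble label %q", owner, l)
		}
		if i > 0 && i%group == 0 {
			text = sep + text
		}
		text = l + text
	}
	return netip.ParseAddr(text)
}

// fcrdnsFinding returns the finding code a PTR fails, or "" when it passes.
// forward holds the A/AAAA values resolved for the PTR target.
func fcrdnsFinding(ip netip.Addr, forward []string) string {
	if len(forward) == 0 {
		return "reverse_zone.target_resolves"
	}
	for _, f := range forward {
		if a, err := netip.ParseAddr(f); err == nil && a == ip {
			return "" // the forward lookup round-trips to the original IP
		}
	}
	return "reverse_zone.fcrdns"
}

func main() {
	ip, err := arpaToAddr("10.2.0.192.in-addr.arpa.") // constructed sample owner
	fmt.Println(ip, err, fcrdnsFinding(ip, []string{"192.0.2.99"}))
}
```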
## In happyDomain

Enable the Reverse zone checker on a reverse (`in-addr.arpa` / `ip6.arpa`) domain from its **Checks** view. See {{< relref "/pages/checks" >}} for the full workflow.