

To: Randy Bush <randy@psg.com>
Cc: dnsop@cafax.se
From: Simon Josefsson <simon+dnsop@josefsson.org>
Date: Fri, 01 Mar 2002 00:25:36 +0100
In-Reply-To: <E16gYou-000JqF-00@rip.psg.com> (Randy Bush's message of "Thu,28 Feb 2002 14:14:36 -0800")
Sender: owner-dnsop@cafax.se
User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/21.2.50(i686-pc-linux-gnu)
Subject: Re: secure-ddns-howto.html

Randy Bush <randy@psg.com> writes:

>> What I mean is, if I say `send fqdn.fqdn "www.ietf.org.";' in
>> dhclient.conf, will the DHCP/DNS server put a PTR for the IP I receive
>> that says www.ietf.org.?
>
> yes

Is that good?

>> This solution to this is pretty obvious though
>
> do tell
>
> and it's not the forward lookup, as you do not know that the laptop
> has a sufficient or reliable trust association with the forward dns,
> or if the forward update has already succeeded.

If the laptop does not have a sufficient or reliable trust association
with the forward DNS, I don't see why I should let it pollute my
reverse zone with a DNS name that points to that forward zone.

And yes, I was thinking about forward lookup, possibly after some
delay to let the forward server update itself.  More elaborate
approaches could be possible as well (server looks up KEY(fqdn.fqdn)
and only adds the name if the client provides a blob signed with the
private key corresponding to KEY(fqdn.fqdn) in the DHCP request).

Of course, this whole issue falls back to what PTR is used for.  I
can't come up with even one application that internally uses PTR for
anything good.  Not without DNSSEC at least, but there is no DNSSEC.
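The forward-confirmation check discussed above, as an added illustration that is not part of the original mail: before the DHCP/DNS server accepts a client's claimed FQDN into the reverse zone, it resolves that name and only writes the PTR if the leased address is among the forward answers. The forward zone is a constructed in-memory table and the function names are hypothetical; a real server would plug in its resolver and lease data.

```python
import ipaddress
from typing import Callable, Iterable, Optional, Tuple

Resolver = Callable[[str], Iterable[str]]

# Constructed forward zone standing in for the server's forward lookup
# (hypothetical data; not from the original discussion).
FORWARD_ZONE = {
    "laptop.example.org.": ["192.0.2.10"],
    "www.ietf.org.": ["203.0.113.5"],
}


def table_resolver(name: str) -> list:
    """Forward lookup against the constructed zone; returns A/AAAA targets."""
    return FORWARD_ZONE.get(name.lower(), [])


def ptr_owner(ip: str) -> str:
    """Build the in-addr.arpa / ip6.arpa owner name for a leased address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def propose_ptr(leased_ip: str, claimed_fqdn: str,
                resolve: Resolver = table_resolver,
                attempts: int = 1,
                wait: Callable[[], None] = lambda: None) -> Optional[Tuple[str, str]]:
    """Return (owner, target) for a reverse-zone update, or None.

    The client's claimed name is trusted for the PTR only if a forward
    lookup of that name returns the address actually leased to it.  The
    lookup is retried `attempts` times, calling `wait` between tries, to
    give the forward zone time to pick up the client's own update.
    """
    fqdn = claimed_fqdn if claimed_fqdn.endswith(".") else claimed_fqdn + "."
    for i in range(attempts):
        if leased_ip in set(resolve(fqdn)):
            return (ptr_owner(leased_ip), fqdn)
        if i + 1 < attempts:
            wait()
    # Claimed name does not point back at this lease: refuse to add the PTR.
    return None
```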
