To: Simon Josefsson <simon+dnsop@josefsson.org>
Cc: dnsop@cafax.se
From: Randy Bush <randy@psg.com>
Date: Thu, 28 Feb 2002 15:37:19 -0800
Sender: owner-dnsop@cafax.se
Subject: Re: secure-ddns-howto.html
>> and it's not the forward lookup, as you do not know that the laptop
>> has a sufficient or reliable trust association with the forward dns,
>> or if the forward update has already succeeded.
>
> If the laptop does not have a sufficient or reliable trust association
> with the forward DNS, I don't see why I should let it pollute my
> reverse zone with a DNS name that points to that forward zone.

but the dhcp server has no way of knowing if the laptop has a trust
relationship with the forward server. so you can't test that. when the
trust relationships ain't there, they just ain't there.

and you have no way of knowing if an attempt to update the forward
failed, failed temporarily, succeeded, ... it's not that someone is
refusing to tell you. no one can.

i agree that it would be nice if the above was untrue. but, until it
is, if it does not make you comfortable, then don't run this stuff to
update your reverse dns.

as you note, the threats which might use this weakness are not
earth-shattering.

randy