To: Måns Nilsson <mansaxel@sunet.se>
cc: dnsop@cafax.se
From: Pekka Savola <pekkas@netcore.fi>
Date: Mon, 17 Mar 2003 18:12:39 +0200 (EET)
In-Reply-To: <574420000.1047911641@localhost>
Sender: owner-dnsop@cafax.se
Subject: Re: comments on -ietf-dnsop-ipv6-dns-issues-02
On Mon, 17 Mar 2003, Måns Nilsson wrote:
> > ==> one might note that in the case of reverse DNS lookup where a wildcard
> > would be returned (the lazy/pragmatic ISP scenario), the result would be
> > worthless anyway (ie. not useful as a security mechanism). So this may be
> > a protocol concern, but not really an operational one as far as I can see.
>
> But handing out a reverse answer is sometimes a performance boost, keeping
> old broken (but v6-aware) servers from timing out on a DNS reverse query.
> Sounds operational to me.

I agree with you on this aspect of operational. I should have been more verbose.

What I was mainly referring to was the argument why a wildcard reverse DNS would not cut it: it doesn't work with DNSsec, or that it's operationally "evil". My counter-arguments are that:

1) DNSsec is unnecessary, even dangerous, with dummy records which have no security properties. If those *were* securable, people would just misuse them. Remember, we're discussing something with a pointer to a.b.c.d.dynrev.arpa or a.b.c.d.foo.com, where a.b.c.d is the IP address. (PTR to bar.foo.com would be different, but *real* population of reverse records was an entirely different issue.)

2) operators who don't provide reverse-IP records, or don't delegate them, can be considered evil anyway. They're lazy/pragmatic/what have you; you just have to pick between two evils, and a wildcard one may be a lesser one (but this probably should be analyzed a bit more).

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
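The synthesized reverse-record scheme the message argues about, as an added example that is not from the thread or any of its participants: it builds the ip6.arpa owner name for an address, mimics a PTR whose target merely re-encodes that address under a fixed suffix (the suffix `dynrev.example.` and the forward table are constructed placeholders), and shows the two checks a verifier can apply to such an answer: whether the PTR target is self-describing, and whether it forward-confirms.

```python
import ipaddress


def ip6_arpa_name(addr: str) -> str:
    """Owner name under ip6.arpa: 32 nibbles in reverse order (RFC 3596 form)."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def address_from_ip6_arpa(reverse_name: str) -> ipaddress.IPv6Address:
    """Inverse of ip6_arpa_name; rejects anything that is not a full 32-nibble name."""
    labels = reverse_name.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:
        raise ValueError("not a full ip6.arpa owner name")
    nibbles = "".join(reversed(labels[:-2]))
    return ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))


def synthesize_ptr(reverse_name: str, suffix: str = "dynrev.example.") -> str:
    """The lazy-ISP scheme from the thread: every reverse query is answered with a
    PTR whose target is just the queried address again under a fixed suffix.
    'dynrev.example.' is a constructed placeholder, not a real zone."""
    addr = address_from_ip6_arpa(reverse_name)
    return addr.exploded.replace(":", "-") + "." + suffix


def ptr_is_self_describing(reverse_name: str, ptr_target: str) -> bool:
    """True when the first label of the PTR target is the address itself, i.e. the
    record carries no information beyond what the querier already knew."""
    first = ptr_target.split(".")[0].replace("-", ":")
    try:
        return ipaddress.IPv6Address(first) == address_from_ip6_arpa(reverse_name)
    except ValueError:
        return False


def forward_confirmed(reverse_name: str, ptr_target: str, forward_table: dict) -> bool:
    """Forward-confirmed reverse DNS: some AAAA of the PTR target must map back to
    the queried address. forward_table stands in for AAAA lookups so this runs offline."""
    expected = address_from_ip6_arpa(reverse_name)
    return any(ipaddress.IPv6Address(a) == expected for a in forward_table.get(ptr_target, []))


# Constructed sample forward data: one host with a real AAAA record.
FORWARD_TABLE = {"bar.example.": ["2001:db8::1"]}

if __name__ == "__main__":
    rn = ip6_arpa_name("2001:db8::1")
    synth = synthesize_ptr(rn)
    print(rn, "->", synth, "self-describing:", ptr_is_self_describing(rn, synth))
    print("bar.example. forward-confirmed:", forward_confirmed(rn, "bar.example.", FORWARD_TABLE))
```

A synthesized target fails both checks here only because nothing in the forward table names it; an operator who also publishes a matching wildcard AAAA would make it forward-confirm, which is exactly why such records have no security value on their own.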