

To: Måns Nilsson <mansaxel@sunet.se>
cc: dnsop@cafax.se
From: Pekka Savola <pekkas@netcore.fi>
Date: Mon, 17 Mar 2003 18:12:39 +0200 (EET)
In-Reply-To: <574420000.1047911641@localhost>
Sender: owner-dnsop@cafax.se
Subject: Re: comments on -ietf-dnsop-ipv6-dns-issues-02

On Mon, 17 Mar 2003, Måns Nilsson wrote:
> > ==> one might note that in the case of reverse DNS lookup where a wildcard
> > would be returned (the lazy/pragmatic ISP scenario), the result would be
> > worthless anyway (ie. not useful as a security mechanism).  So this may be
> > a protocol concern, but not really an operational one as far as I can see.
> 
> But handing out a reverse answer is sometimes a performance boost, keeping
> old broken (but v6-aware) servers from timing out on a DNS reverse query. 
> Sounds operational to me. 

I agree with you on this aspect of operational.

I should have been more verbose.

What I was mainly referring to was the argument why a wildcard reverse DNS 
would not cut it: it doesn't work with DNSsec, or that it's operationally 
"evil".

My counter-arguments are that:
 1) DNSsec is unnecessary, even dangerous, with dummy records which have 
no security properties.  If those *were* securable, people would just 
misuse them.  Remember, we're discussing something with a pointer to
a.b.c.d.dynrev.arpa or a.b.c.d.foo.com, where a.b.c.d is the IP address.
(PTR to bar.foo.com would be different, but *real* population of reverse 
records was an entirely different issue.)

 2) operators who don't provide reverse-IP records, or don't delegate 
them, can be considered evil anyway.  They're lazy/pragmatic/what have 
you; you just have to pick between two evils, and a wildcard one may be a 
lesser one (but this probably should be analyzed a bit more).

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

