To:
Kevin Darcy <kcd@daimlerchrysler.com>
Cc:
dnsop@cafax.se
From:
Brad Knowles <brad.knowles@skynet.be>
Date:
Thu, 20 Mar 2003 02:40:42 +0100
In-Reply-To:
<3E78AE81.7080405@daimlerchrysler.com>
Sender:
owner-dnsop@cafax.se
Subject:
Re: Radical Surgery proposal: stop doing reverse for IPv6.
At 12:53 PM -0500 2003/03/19, Kevin Darcy wrote:

> But I think we should stop recommending it for end nodes. End-node
> reverse DNS just nourishes the myth that you can reliably tell
> who/where/what something/someone is just by doing a reverse lookup on
> their source address, a myth from whence springs wrongheaded security
> methodologies, bogus "traffic-shaping" schemes and similar balderdash.

Just because something doesn't work all the time doesn't mean that it's not valuable. My car doesn't work 100% of the time. Does that mean that I should throw it away?

Sorry, this is an absolutely ridiculous argument.

There are spaces in which reverse DNS doesn't work as well as it could/should. These primarily have to do with IP addresses that are dynamically assigned. That issue can be resolved by having the process that assigns the dynamic address also update the reverse DNS. That could be further improved by having a secure mechanism for any node to update its own reverse DNS for itself.

Sure, it's not going to work 100% of the time. But it's a damn sight better than nothing, which is what you propose.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
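The two mechanisms Brad mentions (the process that hands out the address updating the PTR, or the node updating its own PTR under a key) are what RFC 2136 dynamic update with TSIG provides; Kevin's objection is that consumers treat the PTR answer as proof of identity. The following is an added example, not code from either poster or the dnsop list: it builds the ip6.arpa owner name for an IPv6 address, emits the `nsupdate` batch a DHCPv6 server or keyed node would send to replace that PTR, and shows the forward-confirmed check a consumer should apply before trusting a PTR name. Every address, hostname, server and the TSIG secret are constructed placeholders, and the AAAA lookup is a constructed table standing in for a resolver query.

```python
"""Added example, not part of the original thread: IPv6 reverse DNS kept
current via RFC 2136 dynamic update, plus forward-confirmed reverse DNS on
the consuming side. All names, addresses and the key are constructed."""
import ipaddress


def ip6_arpa_name(address: str) -> str:
    """Owner name of the PTR record for an IPv6 address: all 32 hex nibbles
    of the zero-padded address, one label each, in reverse order."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_for_prefix(prefix: str) -> str:
    """Reverse zone holding the PTRs for a prefix (nibble-aligned only,
    e.g. /48 or /64; a /63 would need two zones or a parent zone)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 bits")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def nsupdate_script(address, hostname, reverse_zone, ttl=300,
                    server=None, tsig_key=None):
    """Text for BIND's `nsupdate` that replaces the PTR for `address`.
    A DHCPv6 server would run this at lease time; a node allowed to keep its
    own PTR would run it with a TSIG key the server restricts to that name.
    tsig_key = (algorithm, keyname, base64 secret); the secret is a placeholder."""
    ptr = ip6_arpa_name(address)
    if not ptr.endswith("." + reverse_zone):
        # The server would refuse this anyway (NOTZONE); fail early instead.
        raise ValueError(f"{ptr} is not inside zone {reverse_zone}")
    lines = []
    if server:
        lines.append(f"server {server}")
    if tsig_key:
        alg, name, secret = tsig_key
        lines.append(f"key {alg}:{name} {secret}")
    lines += [f"zone {reverse_zone}",
              f"update delete {ptr} PTR",            # drop any stale name first
              f"update add {ptr} {ttl} PTR {hostname}",
              "send"]
    return "\n".join(lines) + "\n"


def forward_confirmed(address, ptr_names, lookup_aaaa):
    """Forward-confirmed reverse DNS: keep only PTR targets whose AAAA
    records include the address. Whoever controls the reverse zone can put
    any name in a PTR; only the owner of the forward zone can confirm it.
    `lookup_aaaa(name)` returns a list of address strings."""
    target = ipaddress.IPv6Address(address)
    return [n for n in ptr_names
            if any(ipaddress.IPv6Address(a) == target for a in lookup_aaaa(n))]


# Constructed sample forward data (2001:db8::/32 is the documentation prefix).
SAMPLE_AAAA = {
    "host1.example.com.": ["2001:db8:1:2::10"],
    "mail.example.net.":  ["2001:db8:9::1"],
}


def demo():
    addr = "2001:db8:1:2::10"
    zone = reverse_zone_for_prefix("2001:db8:1:2::/64")
    script = nsupdate_script(addr, "host1.example.com.", zone,
                             server="2001:db8:1::53",
                             tsig_key=("hmac-sha256", "dhcp-updater",
                                       "cGxhY2Vob2xkZXI="))
    # A PTR naming a host in someone else's forward zone fails the check.
    confirmed = forward_confirmed(addr,
                                  ["host1.example.com.", "mail.example.net."],
                                  lambda n: SAMPLE_AAAA.get(n, []))
    return zone, script, confirmed


if __name__ == "__main__":
    zone, script, confirmed = demo()
    print(script)
    print("forward-confirmed:", confirmed)
```

The `key` line uses nsupdate's `algorithm:name secret` form; in practice the secret lives in a key file passed with `-k` rather than inline, and the server's `update-policy` should grant a node's key rights over its own PTR name only, so a compromised host cannot rewrite its neighbours' records.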