To: Kevin Darcy <kcd@daimlerchrysler.com>
Cc: dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Thu, 20 Mar 2003 02:40:42 +0100
In-Reply-To: <3E78AE81.7080405@daimlerchrysler.com>
Sender: owner-dnsop@cafax.se
Subject: Re: Radical Surgery proposal: stop doing reverse for IPv6.
At 12:53 PM -0500 2003/03/19, Kevin Darcy wrote:
> But I think we
> should stop recommending it for end nodes. End-node reverse DNS just
> nourishes the myth that you can reliably tell who/where/what
> something/someone is just by doing a reverse lookup on their source
> address, a myth from whence springs wrongheaded security
> methodologies, bogus "traffic-shaping" schemes and similar balderdash.
Just because something doesn't work all the time doesn't mean
that it's not valuable. My car doesn't work 100% of the time. Does
that mean that I should throw it away?
Sorry, this is an absolutely ridiculous argument.
There are spaces in which reverse DNS doesn't work as well as it
could/should. These primarily have to do with IP addresses that are
dynamically assigned. That issue can be resolved by having the
process that assigns the dynamic address also update the reverse DNS.
That could be further improved by having a secure mechanism for any
node to update its own reverse DNS for itself.
Sure, it's not going to work 100% of the time. But it's a damn
sight better than nothing, which is what you propose.
--
Brad Knowles, <brad.knowles@skynet.be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
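The mechanism Brad sketches, the address-assigning process (or the node itself, with a secure credential) pushing a PTR record into the reverse zone, is what RFC 2136 dynamic update carried under a TSIG signature (RFC 2845) provides. The block below is an added example, not code from this thread or from any of its participants: it derives the ip6.arpa owner name for an IPv6 address, builds the UPDATE message that adds the PTR record, signs it with HMAC-SHA256 TSIG, and performs the verification a server would do before accepting it. The reverse zone, hostname, key name and key are made up for the example.

```python
"""Constructed example: TSIG-signed RFC 2136 UPDATE adding a PTR record for an
IPv6 host.  Zone, hostname, key name and key are invented for the demo."""
import hashlib
import hmac
import ipaddress
import struct
import time

OPCODE_UPDATE = 5
TYPE_SOA, TYPE_PTR, TYPE_TSIG = 6, 12, 250
CLASS_IN, CLASS_ANY = 1, 255
TSIG_ALG = "hmac-sha256."

def norm(name):
    """Canonical text form of a name: lower case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."

def reverse_name(addr):
    """Nibble-reversed ip6.arpa owner name for an IPv6 address (RFC 3596 2.5)."""
    return norm(ipaddress.IPv6Address(addr).reverse_pointer)

def encode_name(name):
    """Uncompressed wire form of a name (canonical form, as TSIG's MAC requires)."""
    labels = [lab.encode("ascii") for lab in norm(name).split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def skip_name(buf, off):
    """Offset just past a wire-format name; tolerates a compression pointer."""
    while buf[off] and not buf[off] & 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 else 1)

def read_name(buf, off):
    """Decode an uncompressed name (names inside the TSIG RR must not be compressed)."""
    labels = []
    while buf[off]:
        if buf[off] & 0xC0:
            raise ValueError("compressed name in TSIG RR")
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return ".".join(labels) + ".", off + 1

def skip_rr(buf, off):
    """Offset just past one resource record (name, type, class, ttl, rdlen, rdata)."""
    off = skip_name(buf, off)
    return off + 10 + struct.unpack("!H", buf[off + 8:off + 10])[0]

def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_ptr_update(zone, addr, hostname, ttl=3600, msg_id=0x1234):
    """UPDATE message: zone section names the reverse zone (type SOA), update
    section adds one PTR RR mapping the host's address back to its name."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_sec + rr(reverse_name(addr), TYPE_PTR, CLASS_IN, ttl, encode_name(hostname))

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """Fields the TSIG MAC covers in addition to the message itself (RFC 2845 3.4.2)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(TSIG_ALG)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, key_name, key, now=None, fudge=300):
    """Append a TSIG RR to the additional section, authenticating msg under a shared key."""
    now = int(time.time()) if now is None else now
    mac = hmac.new(key, msg + tsig_variables(key_name, now, fudge), hashlib.sha256).digest()
    rdata = (encode_name(TSIG_ALG) + now.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other len
    adcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", adcount) + msg[12:] + rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata)

def tsig_verify(signed, key_name, key, now=None):
    """Server-side check: True only if the trailing TSIG RR names this key, its
    MAC matches, and its timestamp is inside the fudge window."""
    now = int(time.time()) if now is None else now
    zo, pr, up, ad = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(zo):
        off = skip_name(signed, off) + 4
    for _ in range(pr + up + ad - 1):  # every RR before the TSIG RR
        off = skip_rr(signed, off)
    name, p = read_name(signed, off)
    rtype, rclass = struct.unpack("!HH", signed[p:p + 4])
    alg, p = read_name(signed, p + 10)
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_len]
    p += 10 + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    if (name, rtype, rclass, alg) != (norm(key_name), TYPE_TSIG, CLASS_ANY, TSIG_ALG):
        return False
    # Rebuild the message as it was signed: original ID, ADCOUNT without the TSIG RR.
    original = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ad - 1) + signed[12:off]
    expected = hmac.new(key, original + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge
```

The verifier walks the message generically rather than trusting offsets from the builder, because a server receives the update from an untrusted client; the key name, algorithm, time window and MAC are all checked, and a single flipped byte anywhere in the message (or a key name the server does not hold) makes it refuse the update. The fudge window is the reason a DHCP server or self-updating node needs a reasonably accurate clock.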