To: Kevin Darcy <kcd@daimlerchrysler.com>
Cc: dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Fri, 21 Mar 2003 02:36:45 +0100
In-Reply-To: <3E7A4C5A.BAF05F96@daimlerchrysler.com>
Sender: owner-dnsop@cafax.se
Subject: Re: [RETRANSMIT] Re: Radical Surgery proposal: stopdoingreverse for IPv6.
At 6:18 PM -0500 2003/03/20, Kevin Darcy wrote:
>> You claim that reverse DNS causes harm. Can you provide evidence
>> for this claim?
>
> The (un-Kerberized) versions of the "r-series" commands harm security
> infrastructure, and reverse DNS enables them to function.
So, we should break reverse DNS just so that r-commands don't
work? Excuse me?!? Do you recommend killing the patient just so
that you don't have to deal with their hangnail problem?!?
I'm sorry, just because some morons choose to leave themselves
open to the r-command problem is not sufficient justification for no
longer doing reverse DNS. Fix that problem where it exists, namely
within the set of commands that are enabled by default from the
vendors, or by updating the "best security practices" documentation
to suit.
> Simplistic spam-catching techniques based exclusively on reverse lookups harm
> intended mail recipients with their frequent false positives.
See above. This would be like throwing out the whole planet with
the bath water, not just the baby.
--
Brad Knowles, <brad.knowles@skynet.be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
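The two mechanisms argued over above (hostname trust in the r-commands, and mail policies keyed on reverse lookups) can be shown side by side. The following is an added example, not code from the thread or from any r-command implementation: it runs against a constructed in-memory DNS (the PTR_RECORDS and A_RECORDS tables, with addresses from the documentation ranges) instead of a real resolver, and the names trusted.example.com, mail.attacker.example and mx.example.net are made up for the illustration. It shows that a PTR record alone is controlled by whoever owns the reverse zone, that forward-confirming the PTR (FCrDNS) closes that hole, and that a "reject if no PTR" mail rule rejects a legitimate host while still passing the forged one.

```python
"""Hostname-based trust, r-command style, against constructed DNS data.

Demonstrates why trusting the PTR name alone is spoofable, what
forward-confirmed reverse DNS (FCrDNS) adds, and how a PTR-required
mail policy produces a false positive. Example code, not from the thread.
"""

from typing import Optional, Set

# Constructed zone data (not real DNS). Addresses are from the RFC 5737
# documentation ranges. The owner of 203.0.113.0/24 runs its own reverse
# zone and can publish any PTR it likes, including somebody else's name.
PTR_RECORDS = {
    "192.0.2.10": "trusted.example.com",     # genuine
    "203.0.113.7": "trusted.example.com",    # forged PTR in attacker's zone
    "203.0.113.8": "mail.attacker.example",  # honest name, simply untrusted
    # 192.0.2.25 deliberately has no PTR: a real but lazily configured MX
}
A_RECORDS = {
    "trusted.example.com": {"192.0.2.10"},
    "mail.attacker.example": {"203.0.113.8"},
    "mx.example.net": {"192.0.2.25"},
}


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup, standing in for gethostbyaddr()/getnameinfo()."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> Set[str]:
    """A-record lookup; empty set if the name does not resolve."""
    return A_RECORDS.get(name.lower(), set())


def hostname_ptr_only(ip: str) -> Optional[str]:
    """Classic r-command behaviour: believe whatever the PTR says."""
    return reverse_lookup(ip)


def hostname_fcrdns(ip: str) -> Optional[str]:
    """Forward-confirmed reverse DNS: keep the PTR name only if it resolves
    back to the connecting address. The attacker controls its reverse zone
    but not the forward zone of the name it is impersonating."""
    name = reverse_lookup(ip)
    if name is None:
        return None
    return name if ip in forward_lookup(name) else None


def rhosts_allows(ip: str, trusted_hosts: Set[str], confirm: bool) -> bool:
    """Simulated ~/.rhosts / hosts.equiv decision for a client address.
    confirm=False is the historical PTR-only check; confirm=True is FCrDNS."""
    name = hostname_fcrdns(ip) if confirm else hostname_ptr_only(ip)
    trusted = {h.lower() for h in trusted_hosts}
    return name is not None and name.lower() in trusted


def ptr_required_verdict(ip: str) -> str:
    """The simplistic anti-spam rule: refuse any sender without a PTR.
    Returns the verdict so the false positive (and the forged pass) is visible."""
    return "accept" if reverse_lookup(ip) is not None else "reject: no PTR"


if __name__ == "__main__":
    trusted = {"trusted.example.com"}
    for ip in ("192.0.2.10", "203.0.113.7", "203.0.113.8", "192.0.2.25"):
        print(
            f"{ip:14} ptr-only trust={rhosts_allows(ip, trusted, False)!s:5} "
            f"fcrdns trust={rhosts_allows(ip, trusted, True)!s:5} "
            f"mail: {ptr_required_verdict(ip)}"
        )
```

The forged address 203.0.113.7 is accepted by the PTR-only rhosts check and rejected once the name is forward-confirmed, while the honest MX at 192.0.2.25, which merely lacks a PTR, is the one the "no PTR, no mail" rule throws away. The fix both sides would agree on lives in the checking code, not in whether reverse zones exist.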