To: Kevin Darcy <kcd@daimlerchrysler.com>
Cc: dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Fri, 21 Mar 2003 02:36:45 +0100
In-Reply-To: <3E7A4C5A.BAF05F96@daimlerchrysler.com>
Sender: owner-dnsop@cafax.se
Subject: Re: [RETRANSMIT] Re: Radical Surgery proposal: stop doing reverse for IPv6.
At 6:18 PM -0500 2003/03/20, Kevin Darcy wrote:

>> You claim that reverse DNS causes harm. Can you provide evidence
>> for this claim?
>
> The (un-Kerberized) versions of the "r-series" commands harm security
> infrastructure, and reverse DNS enables them to function.

So, we should break reverse DNS just so that r-commands don't work? Excuse me?!? Do you recommend killing the patient just so that you don't have to deal with their hangnail problem?!?

I'm sorry, just because some morons choose to leave themselves open to the r-command problem is not sufficient justification for no longer doing reverse DNS. Fix that problem where it exists, namely within the set of commands that are enabled by default from the vendors, or by updating the "best security practices" documentation to suit.

> Simplistic spam-catching techniques based exclusively on reverse lookups harm
> intended mail recipients with their frequent false positives.

See above. This would be like throwing out the whole planet with the bath water, not just the baby.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
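The two policies argued over in this thread, trusting or filtering a peer on the basis of its reverse (PTR) record alone versus requiring that the PTR name resolve back to the same address (forward-confirmed reverse DNS), as an added example that is not part of the original message or of any tool the thread discusses. The "DNS" is a constructed in-memory table so the script runs offline; the hosts, addresses and the helper names (`ptr_only_check`, `fcrdns_check`, `hostname_trusted`) are assumptions for illustration, and a real deployment would query a resolver instead.

```python
"""PTR-only checks versus forward-confirmed reverse DNS (FCrDNS).

Added example, not from the dnsop thread. The lookup tables below are
constructed sample data (documentation prefixes only), not real hosts.
"""
from ipaddress import ip_address

# Constructed reverse zone: address -> PTR target.
PTR = {
    "192.0.2.10": "mail.example.net",   # PTR and A agree: forward-confirmed
    "192.0.2.20": "mail.example.net",   # PTR names a host that resolves elsewhere
    "2001:db8::30": "mx.example.org",   # IPv6 host with a matching AAAA
}

# Constructed forward zone: name -> set of addresses (A/AAAA).
FORWARD = {
    "mail.example.net": {"192.0.2.10"},
    "mx.example.org": {"2001:db8::30"},
    "nomail-yet.example.com": {"192.0.2.40"},  # forward record, but no PTR at all
}


def _canon(ip):
    """Normalise textual addresses so v6 compression differences don't matter."""
    return str(ip_address(ip))


def lookup_ptr(ip):
    return PTR.get(_canon(ip))


def lookup_forward(name):
    return {_canon(a) for a in FORWARD.get(name.lower(), set())}


def ptr_only_check(ip):
    """The 'simplistic' policy from the thread: accept iff any PTR exists.

    A legitimate sender whose operator never published a PTR is rejected
    (false positive), while any PTR at all, confirmed or not, is accepted.
    """
    return lookup_ptr(ip) is not None


def fcrdns_check(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    name = lookup_ptr(ip)
    if name is None:
        return False
    return _canon(ip) in lookup_forward(name)


def hostname_trusted(ip, trusted_names, require_confirmation):
    """Name-based trust decision.

    With require_confirmation=False this mirrors hostname trust that rests on
    the reverse lookup alone; with True the name only counts if it forward-
    confirms, so whoever controls the reverse zone for ip cannot simply
    claim a trusted name.
    """
    name = lookup_ptr(ip)
    if name is None or name.lower() not in {n.lower() for n in trusted_names}:
        return False
    return fcrdns_check(ip) if require_confirmation else True


def classify(ip):
    """Summarise how each policy treats one address."""
    return {
        "ptr": lookup_ptr(ip),
        "ptr_only": ptr_only_check(ip),
        "fcrdns": fcrdns_check(ip),
    }


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.40", "2001:db8:0:0::30"):
        print(addr, classify(addr))
```

Running it shows the two failure modes side by side: 192.0.2.40 has a valid forward record but no PTR, so a PTR-only filter rejects it (the false positive the thread mentions), while 192.0.2.20 carries a PTR naming mail.example.net that does not forward-confirm, so a PTR-only check accepts a name it should not, and only `fcrdns_check` catches it.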