To: dnsop@cafax.se
From: Kevin Darcy <kcd@daimlerchrysler.com>
Date: Fri, 21 Mar 2003 13:46:01 -0500
In-Reply-To: <002901c2efd7$400f8040$232670c0@nic.mil>
Sender: owner-dnsop@cafax.se
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3) Gecko/20030312
Subject: Re: [RETRANSMIT] Re: Radical Surgery proposal: stop doingreverse for IPv6.

I was referring specifically to the use of reverse DNS as a pseudo-authentication mechanism. Kick out that crutch, and the folks who were using it will gravitate towards legitimate, crypto-based authentication mechanisms (which hopefully should be independent of the underlying -- IPv4 versus IPv6 -- protocol suites). Carry end-node reverse DNS forward into the IPv6 world, and you'll *never* get rid of the bogus authentication mechanisms...

- Kevin

Jessica Little wrote:

><2cents>
>
>Start anew?!?...
>
>IMO, There's been a lot of progress, IPv6 wrt DNS, etc.,
>Unfortunately, the Foo Factor, can manifest itself at all levels and stages
>of the process... and cannot be always avoided by starting over...
></2cents>
>
>JL
>
>-----Original Message-----
>From: owner-dnsop@cafax.se [mailto:owner-dnsop@cafax.se] On Behalf Of Kevin
>Darcy
>Sent: Friday, March 21, 2003 12:44 PM
>To: dnsop@cafax.se
>Subject: Re: [RETRANSMIT] Re: Radical Surgery proposal: stop doingreverse
>for IPv6.
>
>Brad Knowles wrote:
>
>>At 6:18 PM -0500 2003/03/20, Kevin Darcy wrote:
>>
>>>> You claim that reverse DNS causes harm. Can you provide
>>>>evidence
>>>> for this claim?
>>>
>>> The (un-Kerberized) versions of the "r-series" commands harm security
>>> infrastructure, and reverse DNS enables them to function.
>>
>> So, we should break reverse DNS just so that r-commands don't
>>work? Excuse me?!? Do you recommend killing the patient just so that
>>you don't have to deal with their hangnail problem?!?
>>
>> I'm sorry, just because some morons choose to leave themselves
>>open to the r-command problem is not sufficient justification for no
>>longer doing reverse DNS.
>
>Not in and of itself, no, but our increased, multi-decade knowledge of
>the uses and abuses of reverse DNS does alter the original cost-benefit
>analysis's inputs, to the point where reverse DNS now seems like more
>pain than gain, at least with respect to end-nodes, and/or at least with
>respect to IPv6, which is going to increase the "pain" without any
>corresponding anticipated increase in "gain". So maybe it's time to let
>go of the old baggage and start anew.
>
> - Kevin
>
>#----------------------------------------------------------------------
># To unsubscribe, send a message to <dnsop-request@cafax.se>.
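
Added example, not part of the original message or thread: a small model of the hostname-based trust decision the thread calls pseudo-authentication, comparing a PTR-only check with a forward-confirmed one. The zone data, host names and function names are constructed for illustration (documentation prefixes and `.example` names) and no real resolver is queried.

```python
# Constructed zone data; hypothetical names and documentation addresses.
# PTR records are published by whoever runs the reverse zone for an address
# block, so the operator of the connecting side chooses the name returned.
PTR = {
    "2001:db8:1::10": "build1.corp.example",    # the host the admin meant to trust
    "2001:db8:bad::66": "build1.corp.example",  # another operator publishes the same name
    "2001:db8:2::20": "laptop7.guest.example",  # honest PTR, host not on the allow list
}

# Forward records are published by the owner of corp.example.
AAAA = {
    "build1.corp.example": {"2001:db8:1::10"},
    "laptop7.guest.example": {"2001:db8:2::20"},
}

# hosts.equiv-style allow list keyed by host name (assumed layout).
TRUSTED_HOSTS = {"build1.corp.example"}


def ptr_only_check(peer_addr):
    """Trust decision made from the reverse lookup alone."""
    name = PTR.get(peer_addr)
    return name in TRUSTED_HOSTS


def forward_confirmed_check(peer_addr):
    """Also require the claimed name to resolve back to the peer address."""
    name = PTR.get(peer_addr)
    if name not in TRUSTED_HOSTS:
        return False
    return peer_addr in AAAA.get(name, set())


def audit(peers):
    """Map each peer address to (ptr_only, forward_confirmed) decisions."""
    return {p: (ptr_only_check(p), forward_confirmed_check(p)) for p in peers}


if __name__ == "__main__":
    for addr, decisions in audit(list(PTR) + ["2001:db8:3::30"]).items():
        print(addr, decisions)
```

The forward-confirmed variant still rests on unsigned DNS answers and on the source address of the connection, so it is a consistency check on names, not authentication of the peer.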