To: dnsop@cafax.se
From: Kevin Darcy <kcd@daimlerchrysler.com>
Date: Fri, 21 Mar 2003 13:46:01 -0500
In-Reply-To: <002901c2efd7$400f8040$232670c0@nic.mil>
Sender: owner-dnsop@cafax.se
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3) Gecko/20030312
Subject: Re: [RETRANSMIT] Re: Radical Surgery proposal: stop doing reverse for IPv6.

I was referring specifically to the use of reverse DNS as a
pseudo-authentication mechanism. Kick out that crutch, and the folks who
were using it will gravitate towards legitimate, crypto-based
authentication mechanisms (which hopefully should be independent of the
underlying -- IPv4 versus IPv6 -- protocol suites). Carry end-node
reverse DNS forward into the IPv6 world, and you'll *never* get rid of
the bogus authentication mechanisms...

- Kevin

Jessica Little wrote:

><2cents>
>
>Start anew?!?...
>
>IMO, there's been a lot of progress, IPv6 wrt DNS, etc.
>Unfortunately, the Foo Factor can manifest itself at all levels and stages
>of the process... and cannot always be avoided by starting over...
></2cents>
>
>JL
>
>-----Original Message-----
>From: owner-dnsop@cafax.se [mailto:owner-dnsop@cafax.se] On Behalf Of Kevin
>Darcy
>Sent: Friday, March 21, 2003 12:44 PM
>To: dnsop@cafax.se
>Subject: Re: [RETRANSMIT] Re: Radical Surgery proposal: stop doing reverse
>for IPv6.
>
>Brad Knowles wrote:
>
>>At 6:18 PM -0500 2003/03/20, Kevin Darcy wrote:
>>
>>>> You claim that reverse DNS causes harm. Can you provide evidence
>>>> for this claim?
>>>>
>>> The (un-Kerberized) versions of the "r-series" commands harm security
>>> infrastructure, and reverse DNS enables them to function.
>>>
>>>
>> So, we should break reverse DNS just so that r-commands don't
>>work? Excuse me?!? Do you recommend killing the patient just so that
>>you don't have to deal with their hangnail problem?!?
>>
>> I'm sorry, just because some morons choose to leave themselves
>>open to the r-command problem is not sufficient justification for no
>>longer doing reverse DNS.
>>
>>
>
>Not in and of itself, no, but our increased, multi-decade knowledge of
>the uses and abuses of reverse DNS does alter the original cost-benefit
>analysis's inputs, to the point where reverse DNS now seems like more
>pain than gain, at least with respect to end-nodes, and/or at least with
>respect to IPv6, which is going to increase the "pain" without any
>corresponding anticipated increase in "gain". So maybe it's time to let
>go of the old baggage and start anew.
>
>
> - Kevin
>
>
>
>
>#----------------------------------------------------------------------
># To unsubscribe, send a message to <dnsop-request@cafax.se>.