Re: [RETRANSMIT] Re: Radical Surgery proposal: stopdoingreverse for IPv6.

[Brad Knowles <brad.knowles@skynet.be>]

At 1:46 PM -0500 2003/03/21, Kevin Darcy wrote:

>  I was referring specifically to the use of reverse DNS as a
>  pseudo-authentication mechanism.

	That is just one of many uses of the DNS, albeit not one of it's best.

>                                   Kick out that crutch, and the
>  folks who were using it will gravitate towards legitimate,
>  crypto-based authentication mechanisms (which hopefully should
>  be independent of the underlying -- IPv4 versus IPv6 --
>  protocol suites). Carry end-node reverse DNS forward into the
>  IPv6 world, and you'll *never* get rid of the bogus
>  authentication mechanisms...

	Okay, so we're going to break the DNS because one particular 
mis-application causes security issues elsewhere, such as with new 
protocol standards like IPv6.

	Do we break the DNS every single time some whacko comes up with a 
bizarre idea to abuse the DNS in yet another way to inappropriately 
solve some other problem?!?


	Seems to me that we could instead require that IPv6 be fixed to 
require crypto-enabled authentication, instead of breaking the DNS.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.