

To: Brad Knowles <brad.knowles@skynet.be>
cc: Kevin Darcy <kcd@daimlerchrysler.com>, <dnsop@cafax.se>
From: Dean Anderson <dean@av8.com>
Date: Fri, 21 Mar 2003 15:59:11 -0500 (EST)
In-Reply-To: <a05200f37baa11f10f0aa@[10.0.1.2]>
Sender: owner-dnsop@cafax.se
Subject: Re: [RETRANSMIT] Re: Radical Surgery proposal: stop doing reverse for IPv6.

The answer is "yes". You seem to be one of the "wackos" (your term) that
are abusing reverse--otherwise, you'd not be using terms like "break
DNS".  Non-wackos (OK, from now on I'll use another word) know that
reverse is a convenience only. If it didn't exist, only the convenience of
seeing a name on a traceroute is lost.

Essentially, you are exemplary of the reason it should be deprecated:
people who share your beliefs about reverse put too much trust in it; they
_depend_ on it in some way, and that is bad enough that we need to get rid
of it.

It's just like 3-wheeled ATVs (banned in the US)--they handle like
snowmobiles, and really aren't much more dangerous, but some people put
too much faith in the concept that if you turn the wheel (without
leaning), the vehicle should still turn and not roll over.  Because of
that, the many people who can safely operate the 3-wheelers are denied, for
the safety of those who can't.

		--Dean

On Fri, 21 Mar 2003, Brad Knowles wrote:

> At 1:46 PM -0500 2003/03/21, Kevin Darcy wrote:
>
> >  I was referring specifically to the use of reverse DNS as a
> >  pseudo-authentication mechanism.
>
> 	That is just one of many uses of the DNS, albeit not one of its best.
>
> >                                   Kick out that crutch, and the
> >  folks who were using it will gravitate towards legitimate,
> >  crypto-based authentication mechanisms (which hopefully should
> >  be independent of the underlying -- IPv4 versus IPv6 --
> >  protocol suites). Carry end-node reverse DNS forward into the
> >  IPv6 world, and you'll *never* get rid of the bogus
> >  authentication mechanisms...
>
> 	Okay, so we're going to break the DNS because one particular
> mis-application causes security issues elsewhere, such as with new
> protocol standards like IPv6.
>
> 	Do we break the DNS every single time some whacko comes up with a
> bizarre idea to abuse the DNS in yet another way to inappropriately
> solve some other problem?!?
>
>
> 	Seems to me that we could instead require that IPv6 be fixed to
> require crypto-enabled authentication, instead of breaking the DNS.
>
> --
> Brad Knowles, <brad.knowles@skynet.be>
>
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."
>      -Benjamin Franklin, Historical Review of Pennsylvania.
>

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
