

To: Brad Knowles <brad.knowles@skynet.be>
cc: Kevin Darcy <kcd@daimlerchrysler.com>, <dnsop@cafax.se>
From: Dean Anderson <dean@av8.com>
Date: Sat, 22 Mar 2003 13:35:24 -0500 (EST)
In-Reply-To: <a05200f3abaa144e7cefa@[10.0.1.2]>
Sender: owner-dnsop@cafax.se
Subject: Re: [RETRANSMIT] Re: Radical Surgery proposal: stop doing reverse for IPv6.



On Sat, 22 Mar 2003, Brad Knowles wrote:
> >                                 If it didn't exist, only the convenience of
> >  seeing a name on a traceroute is lost.
>
> 	Others have already demonstrated what important uses that reverse
> DNS is being put to.  Instead of being a broken record, why don't you
> try to address those issues?

These issues have been addressed.  There are no "important uses" that are
appropriate for Reverse.  ANY use of reverse beyond a convenience function
is inappropriate, since those uses result in security vulnerabilities, or
log vulnerabilities. You keep repeating the claim that we haven't
addressed something. It is you who keep insisting that reverse can be used
for 'full forward-reverse-forward' checks, despite the now obvious
vulnerabilities.

> >  Essentially, you are exemplary of the reason it should be deprecated:
> >  People who share your beliefs about reverse put too much trust in it, they
> >  _depend_ on it in some way, and that is bad enough that we need to get rid
> >  of it.
>
> 	I put absolutely no trust in reverse DNS.  However, I believe
> that people should have the right to expect that reverse DNS will
> mostly work,

They have no right to ever expect this.  This assumption is at the root of
most of the inappropriate use of reverse.

> especially in cases where they control both ends of
> certain transactions,

This is also a false assumption. One never controls "both ends".  An
intruder may always be present in between, and might be attempting to
spoof the fact that he is "one of the trusted ends". This is an
inappropriate use of reverse for establishing trust.  People (programmers
and admins) must not do this. The fact that people like you insist on
such inappropriate use is the harm caused by the existence of reverse.
Programmers who rely on your beliefs cause everyone harm.

> and where the applications are intelligent
> enough to do a full forward-reverse-forward check to ensure that they
> aren't being spoofed.

There is no relationship between "full forward-reverse-forward check", and
"[not] being spoofed".  Yet, you assume (actually, you insist) there is.
It is your assertion that is vacuous. You are revealing exactly the wrong
assumptions and inappropriate use of reverse that require its removal.

> 	Reverse DNS is not a three-wheeled ATV.  It has important
> real-world uses, and does not begin to pose the kinds of dangers that
> you imply.

That you fail to acknowledge the danger is obvious. That you are wrong is
also obvious.  That is the primary harm to the existence of reverse.  I
like reverse. It's convenient, when properly used. I don't depend on it for
any "full forward-reverse-forward" checks to establish that I'm not being
spoofed.

> 	Until then, everything you've said is nothing but a pointless
> repetition of the same old vacuous claims, and you're not going to
> get very far.

Actually, you are the one making vacuous claims, as pointed out above.

		--Dean
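An added example, not part of this message or the thread, of what the "full forward-reverse-forward" check argued about above does and does not establish. The PTR and A tables are constructed sample zones (names and addresses are assumptions); a real client would call socket.gethostbyaddr() and socket.getaddrinfo() instead.

```python
"""Forward-reverse-forward check against constructed in-memory zones.
Added example, not code from the thread."""
import re

# Constructed sample records. Whoever controls the reverse zone for an
# address range and any forward zone can publish a mutually agreeing pair.
PTR = {
    "192.0.2.10": "mail.example.net",
    "192.0.2.20": "mail.example.net",      # forward zone does not agree
    "192.0.2.30": "host30.example.org",    # agrees, but says nothing about trust
    "192.0.2.40": "x\r\nFAKE: peer is trusted.example",  # hostile PTR content
}
A = {
    "mail.example.net": {"192.0.2.10"},
    "host30.example.org": {"192.0.2.30"},
    "x\r\nFAKE: peer is trusted.example": {"192.0.2.40"},
}

def fcrdns(ip):
    """Return the PTR name if the forward lookup maps back to ip, else None.
    A hit proves only that the two zones agree with each other."""
    name = PTR.get(ip)
    if name is not None and ip in A.get(name, set()):
        return name
    return None

def safe_for_log(name):
    """A reverse name is a string supplied by the peer's zone operator;
    replace anything outside hostname characters before logging it."""
    return re.sub(r"[^A-Za-z0-9.\-]", "?", name)[:253]

def describe_peer(ip):
    """The convenience use: a display/log label for the address.
    Callers must not branch on this result for authorization."""
    name = fcrdns(ip)
    if name is None:
        return f"{ip} (no consistent reverse name)"
    return f"{ip} ({safe_for_log(name)})"
```

The check passes for 192.0.2.40 exactly as it does for the expected mail host, and without safe_for_log() its PTR string would write a second, fabricated line into the log.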

