To: George Michaelson <ggm@apnic.net>
Cc: dnsop@cafax.se
From: JINMEI Tatuya <jinmei@isl.rdc.toshiba.co.jp>
Date: Sun, 23 Mar 2003 15:51:55 +0900
In-Reply-To: <20030320050825.2c455c22.ggm@apnic.net>
Sender: owner-dnsop@cafax.se
User-Agent: Wanderlust/2.6.1 (Upside Down) Emacs/21.2 Mule/5.0 (SAKAKI)
Subject: Re: Radical Surgery proposal: stop doing reverse for IPv6.

>>>>> On Thu, 20 Mar 2003 05:08:25 +1000,
>>>>> George Michaelson <ggm@apnic.net> said:

> some people clearly want reverse. Few people who are providing
> registration services, or writing applications, place much value in
> it, but that's subjective. as long as it's wanted, and community
> supports the overheads, there is no reason to stop. but we do need
> to be clear where the limits lie on what it's offering.

> I'll keep my subjective personal view that we should stop. Nothing
> you said Ed, appears to contradict the reasons why I think that.

I have sympathy for you on this, but stopping reverse (for IPv6) seems
to me too radical to be accepted, and, in fact, has caused divergent
discussion.

I'm not sure if I can contribute to making this thread a bit more
productive, but, IMO, a key issue is whether we should continue to
rely on authentication / access control usage that reverse mapping
provides. That includes a simple check to see the existence of a
reverse mapping and the "forward-reverse-forward" check.

I believe everyone agrees that such a check is not very trustworthy
and can easily be spoofed (at least without ubiquitous DNSSEC
support). A controversial point would be that some people still
believe in the "authenticity" provided by the DNS delegation hierarchy
and/or believe "something is better than nothing".

I also think we can agree that the additional check may cause a
"denial of service" or a service delay for a legitimate (or at least
not-bad) user. Of course, the additional check will also increase DNS
traffic and the load of DNS servers, but, according to the discussion
so far, it is quite controversial on how serious this is.

So the question is if security benefits provided by reverse lookups
outweigh the disadvantages. It would be nice if we can reach a
consensus on this just by continuing the discussion here, but I cannot
be that optimistic. I have no measurable evidence for or against the
points, though.

					JINMEI, Tatuya
					Communication Platform Lab.
					Corporate R&D Center, Toshiba Corp.
					jinmei@isl.rdc.toshiba.co.jp
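
An added example, not part of the original message: a minimal Python sketch of the reverse-mapping check discussed above, implemented as a PTR lookup followed by a forward confirmation (one common reading of the check; an assumption here). The zone data, host names and the `fcrdns` function are constructed for illustration, using the 2001:db8::/32 documentation prefix, and the third return value counts the DNS queries the check costs.

```python
import ipaddress

# Constructed sample data standing in for DNS answers (not from the thread).
PTR = {
    "2001:db8::10": ["mail.example.net."],
    "2001:db8::66": ["www.bank.example."],  # reverse zone claims a name it does not own
    # 2001:db8::99 is a working host whose operator never populated ip6.arpa
}
AAAA = {
    "mail.example.net.": ["2001:db8::10"],
    "www.bank.example.": ["2001:db8:ffff::1"],
}

def lookup_ptr(addr):
    """Hypothetical resolver hook: PTR names for a normalized address."""
    return PTR.get(addr, [])

def lookup_addr(name):
    """Hypothetical resolver hook: AAAA records for a name."""
    return AAAA.get(name, [])

def fcrdns(client_ip, ptr=lookup_ptr, fwd=lookup_addr):
    """Return (verdict, name, queries) for a connecting client address.

    verdict is 'no-ptr', 'mismatch' or 'confirmed'. 'confirmed' only means
    the reverse and forward zones agree; without DNSSEC neither answer is
    authenticated, so it is a consistency hint, not proof of identity.
    """
    ip = ipaddress.ip_address(client_ip)   # normalizes textual IPv6 forms
    names = ptr(ip.compressed)
    queries = 1                            # the PTR lookup itself
    if not names:
        # A policy that rejects here denies service to a legitimate host.
        return ("no-ptr", None, queries)
    for name in names:
        queries += 1                       # one forward lookup per PTR name
        if any(ipaddress.ip_address(a) == ip for a in fwd(name)):
            return ("confirmed", name, queries)
    return ("mismatch", names[0], queries)

if __name__ == "__main__":
    for addr in ("2001:db8::10", "2001:db8::66", "2001:db8::99"):
        print(addr, fcrdns(addr))
```

Each accepted connection costs at least two extra lookups in this sketch, and the `no-ptr` branch is where an access-control policy built on reverse mapping turns away a host that has done nothing wrong.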