To: George Michaelson <ggm@apnic.net>
Cc: dnsop@cafax.se
From: JINMEI Tatuya / 神明達哉 <jinmei@isl.rdc.toshiba.co.jp>
Date: Sun, 23 Mar 2003 15:51:55 +0900
In-Reply-To: <20030320050825.2c455c22.ggm@apnic.net>
Sender: owner-dnsop@cafax.se
User-Agent: Wanderlust/2.6.1 (Upside Down) Emacs/21.2 Mule/5.0 (SAKAKI)
Subject: Re: Radical Surgery proposal: stop doing reverse for IPv6.

>>>>> On Thu, 20 Mar 2003 05:08:25 +1000, 
>>>>> George Michaelson <ggm@apnic.net> said:

> 	some people clearly want reverse. Few people who are providing
> 	registration services, or writing applications, place much value in
> 	it, but that's subjective. As long as it's wanted, and the community
> 	supports the overheads, there is no reason to stop. But we do need
> 	to be clear where the limits lie on what it's offering.

> 	I'll keep my subjective personal view that we should stop. Nothing
> 	you said, Ed, appears to contradict the reasons why I think that.

I have sympathy for you on this, but stopping reverse (for IPv6) seems
to me too radical to be accepted, and, in fact, has caused divergent
discussion.

I'm not sure if I can contribute to making this thread a bit more
productive, but, IMO, a key issue is whether we should continue to
rely on the authentication / access control usage that reverse mapping
provides.  That includes a simple check to see the existence of a
reverse mapping and the "forward-reverse-forward" check.

I believe everyone agrees that such a check is not very trustworthy
and can easily be spoofed (at least without ubiquitous DNSSEC
support).  A controversial point would be that some people still
believe in the "authenticity" provided by the DNS delegation hierarchy
and/or believe "something is better than nothing".

I also think we can agree that the additional check may cause a
"denial of service" or a service delay for a legitimate (or at least
not-bad) user.

Of course, the additional check will also increase DNS traffic and the
load of DNS servers, but, according to the discussion so far, it is
quite controversial how serious this is.

So the question is whether the security benefits provided by reverse
lookups outweigh the disadvantages.

It would be nice if we could reach a consensus on this just by
continuing the discussion here, but I cannot be that optimistic. I have
no measurable evidence for or against the points, though.

					JINMEI, Tatuya
					Communication Platform Lab.
					Corporate R&D Center, Toshiba Corp.
					jinmei@isl.rdc.toshiba.co.jp
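Added example, not part of this message or the list discussion: the "forward-reverse-forward" check referred to above, written in Python for IPv6 (ip6.arpa nibble names) against a constructed in-memory resolver. The addresses, host names and records below are made up for illustration; a real deployment would query the DNS and, as the mail notes, the answers can be spoofed without DNSSEC.

```python
import ipaddress


def ip6_arpa_name(addr: str) -> str:
    """Build the ip6.arpa reverse name for an IPv6 address (one label per nibble)."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def forward_reverse_forward(addr: str, resolver) -> bool:
    """Forward-reverse-forward check: True only if some PTR target for addr
    has an AAAA record that resolves back to addr.

    resolver(name, rrtype) returns a list of rdata strings, [] if none.
    A bare 'PTR exists' check would accept any name the reverse-zone
    operator chooses to publish; the forward step ties the name to the
    address, but still trusts unauthenticated DNS answers unless DNSSEC
    validates them."""
    ptr_targets = resolver(ip6_arpa_name(addr), "PTR")
    if not ptr_targets:
        return False  # no reverse mapping: the 'existence' check fails
    wanted = ipaddress.IPv6Address(addr)
    for name in ptr_targets:
        for aaaa in resolver(name, "AAAA"):
            if ipaddress.IPv6Address(aaaa) == wanted:
                return True
    return False  # PTR present but the name does not map back


# Constructed sample records (assumption: not real hosts or zones).
SAMPLE_RECORDS = {
    # 2001:db8::1 -> host.example.net. -> 2001:db8::1   (consistent)
    (ip6_arpa_name("2001:db8::1"), "PTR"): ["host.example.net."],
    ("host.example.net.", "AAAA"): ["2001:db8::1"],
    # 2001:db8::2 claims a name whose forward record points elsewhere
    (ip6_arpa_name("2001:db8::2"), "PTR"): ["mail.example.org."],
    ("mail.example.org.", "AAAA"): ["2001:db8:ffff::5"],
    # 2001:db8::3 has no PTR at all (a legitimate host without reverse)
}


def sample_resolver(name: str, rrtype: str):
    """Offline stand-in for a DNS resolver, backed by SAMPLE_RECORDS."""
    return SAMPLE_RECORDS.get((name.lower(), rrtype), [])


if __name__ == "__main__":
    for a in ("2001:db8::1", "2001:db8::2", "2001:db8::3"):
        print(a, forward_reverse_forward(a, sample_resolver))
```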
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
