To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
cc: dnsop@cafax.se
From: Dean Anderson <dean@av8.com>
Date: Sun, 23 Mar 2003 14:41:55 -0500 (EST)
In-Reply-To: <200303222219.HAA02303@necom830.hpcl.titech.ac.jp>
Sender: owner-dnsop@cafax.se
Subject: Re: I think we're looping (fwd)
On Sun, 23 Mar 2003, Masataka Ohta wrote:

> Dean;
>
> > There seems to be no point in further debate for the purpose of convincing
> > people of these harms.
>
> There is a forward movement in IPv6 WG that site local
> addresses are about to be deprecated.
>
> The next step is removal of link local addresses and
> autoconfiguration stuff.

Does this eliminate the need for reverse lookups?

> > I further agree that some people wholeheartedly believe that one can use
> > reverse for "full reverse-forward-reverse" checks, even though the harm of
> > this has been demonstrated to reasonable people.
>
> You are effectively arguing that forward DNS look up is
> harmful.

I am not arguing that at all. I think you have misunderstood.

The harm of the "full reverse-forward-reverse" check is that its proponents
make an assumption that if this check "matches", then there is some
authenticity to the response. As we know, there are no valid authenticators
involved. Both responses could easily be faked. If one utilizes this
so-called authentication method, security is compromised. Under no
circumstances can DNS be used as an authenticator.

--Dean
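The "full reverse-forward-reverse" check Dean refers to is usually called forward-confirmed reverse DNS: look up the PTR record for an address, look up the A/AAAA record for each name returned, and call it a "match" if the original address appears. The following is an added example, not code from this thread or from the dnsop list; it implements that check against an offline, dictionary-backed resolver so the behaviour is visible without network access. All names and addresses (mail.example.net, relay.example.com, the 192.0.2.0/24 and 198.51.100.0/24 ranges) are constructed documentation values. The second answer set models the point made above: when both the PTR and the A answers come from the same unauthenticated source, the check still "matches", so a match proves only that the two answers agree with each other, not who provided them.

```python
"""Forward-confirmed reverse DNS check over an injectable, offline resolver.

Added illustration; not part of the original mailing-list message.
"""
import ipaddress

# Constructed zone data (documentation ranges, RFC 5737). Owner name -> {type: rdata}.
HONEST_ANSWERS = {
    "10.2.0.192.in-addr.arpa": {"PTR": ["mail.example.net"]},
    "mail.example.net": {"A": ["192.0.2.10"]},
    # A PTR whose forward record does not point back: the check must fail here.
    "11.2.0.192.in-addr.arpa": {"PTR": ["www.example.net"]},
    "www.example.net": {"A": ["192.0.2.12"]},
}

# Constructed answers in which whoever answers the queries chose BOTH the
# reverse name and the forward address. Nothing in the check can tell this
# apart from the honest data above.
FORGED_ANSWERS = {
    "7.100.51.198.in-addr.arpa": {"PTR": ["relay.example.com"]},
    "relay.example.com": {"A": ["198.51.100.7"]},
}


class StaticResolver:
    """Stand-in for a DNS resolver: every answer comes from a dict (hypothetical helper)."""

    def __init__(self, answers):
        self.answers = answers

    def query(self, name, rtype):
        # Owner names are case-insensitive; an unknown name yields an empty answer.
        return list(self.answers.get(name.lower(), {}).get(rtype, []))


def reverse_name(ip):
    """in-addr.arpa / ip6.arpa owner name for an address, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns_check(ip, resolver):
    """Full reverse-forward-reverse check.

    1. PTR lookup on the address -> candidate host names
    2. A (or AAAA) lookup on each candidate -> addresses
    3. "match" if the original address is among those addresses
    Returns (matched, matching_name_or_None).
    """
    addr = ipaddress.ip_address(ip)
    rtype = "A" if addr.version == 4 else "AAAA"
    for name in resolver.query(addr.reverse_pointer, "PTR"):
        forward = {ipaddress.ip_address(a) for a in resolver.query(name, rtype)}
        if addr in forward:
            return True, name
    return False, None


def compare_sources():
    """Run the check against honest and forged answer sets; both report a match."""
    honest = fcrdns_check("192.0.2.10", StaticResolver(HONEST_ANSWERS))
    forged = fcrdns_check("198.51.100.7", StaticResolver(FORGED_ANSWERS))
    return honest, forged


if __name__ == "__main__":
    honest, forged = compare_sources()
    print("honest zone data     :", honest)
    print("self-consistent forgery:", forged)
    print("PTR without matching A :", fcrdns_check("192.0.2.11", StaticResolver(HONEST_ANSWERS)))
```

The check is useful as a consistency or hygiene signal (a host whose reverse and forward records disagree is misconfigured), and that is all a match tells you: the code never verifies the origin of either answer, so treating `(True, name)` as proof of identity is exactly the assumption the message above warns against.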