

To: Andras Salamon <andras@dns.net>
cc: dnsop@cafax.se
From: Dean Anderson <dean@av8.com>
Date: Sun, 23 Mar 2003 15:33:40 -0500 (EST)
In-Reply-To: <20030323092620.GA10837@dns.net>
Sender: owner-dnsop@cafax.se
Subject: Re: [RETRANSMIT] Re: Radical Surgery proposal: stop doing reverse for IPv6.



On Sun, 23 Mar 2003, Andras Salamon wrote:

> On Sat, Mar 22, 2003 at 01:35:24PM -0500, Dean Anderson wrote:
> > These issues have been addressed.  There are no "important uses" that are
> > appropriate for Reverse.  ANY use of reverse beyond a convenience function
> > is inappropriate, since those uses result in security vulnerabilities, or
> > log vulnerabilities.
>
> I agree that there are currently no appropriate uses for reverse DNS
> that can't be addressed in other ways.
>
> I disagree that because of this we should remove PTR records from the
> DNS protocol (which seems to be what Dean is advocating).  For all I

I am only advocating we drop Reverse from IPv6.  With regard to IPv4, I am
only advocating we make it deprecated, which will not affect any current
users, except to put them on notice that they shouldn't be using reverse
except for non-critical convenience functions, and that they should not
expect this functionality in IPv6.

As far as being "increasingly strident", my language clearly hasn't been
strident at all. I am not the one using the strident, ad hominem terms
like "boorish and rude".  Nor am I repeating exaggerated assertions such
as "removing reverse will break DNS", or increasingly insistent demands
that those of us advocating this `not talk about removing reverse until we
have completely removed it from our servers'. Such statements have no
value in a rational debate of issues. I have tried to avoid responding to
them, and instead try to bring clarity to the arguments for our position
on reverse DNS.  Where I have entertained the looping, it is for the
purpose of demonstrating the unswerving and irrational insistence of those
who harbor false assumptions on reverse DNS, and to demonstrate that as a
harm, not merely from an administrative aspect, but also and probably more
importantly, from a programming aspect.

Our position on Reverse is not motivated purely by the lack of utility of
Reverse---Just the opposite. I find reverse to be convenient. Nor is it
compelling that some administrators might abuse reverse.  The most
compelling harm, and the reason the WG should act, is the combination of
the determination of believers that reverse DNS can be used for
authentication, and the fact that programmers embed these assumptions into
software, which is not easily changed by the end users.  The WG should act
to avert this problem.

Complications for doing reverse in IPv6 contribute to this argument, which
makes it even more sensible to not do reverse in IPv6. Deprecation in
IPv4, as I noted, puts users and implementors on notice about how Reverse
should and should not be used, without actually removing that convenience
from IPv4 networks.

		--Dean

