To: dnsop@cafax.se
From: "Loomis, Rip" <GILBERT.R.LOOMIS@saic.com>
Date: Mon, 24 Mar 2003 12:28:19 -0500
Sender: owner-dnsop@cafax.se
Subject: RE: [RETRANSMIT] Re: Radical Surgery proposal: stop doing reverse for IPv6.

Jim Reid wrote:
> Reverse DNS does [have] uses, even for IPv6. They are not necessarily
> related to authentication. When reverse lookups of the hosts sending
> me email don't work, this is almost always an indication of spam. It
> would be nice to use this heuristic as the first line of defence
> against spam in an IPv6 world.

Exactly. Reverse DNS does provide a useful non-security function that cannot easily be provided in any other way, when I can force my MTA to bounce e-mails with an envelope sender of "bgpugsley@$FREEMAIL.com" but a source IP address that reverses to "lsanca1-ar16-4-46-004-002.lsanca1.$BIGILEC.net".

This is not a security-relevant feature, but it is a quite useful one. I'd prefer to be able to receive e-mails from valid $FREEMAIL users *and* to be able to receive e-mails from folks with DSL connections through $BIGILEC, while blocking folks who are forging headers/senders. Reverse DNS does allow me a good capability to do that, as a countermeasure for folks who are spamming from home or (ab)using misconfigured home/SOHO systems with good bandwidth.

Dean, since this functionality works today (and works rather well for me as one part of a multi-layer filtering system), I would suggest that if you believe it is dangerous then you work to improve the functionality or the documentation--rather than removing the functionality. Or do you not consider the above to be a reasonable use of reverse DNS lookup?

--Rip

There are some things that man was not meant to know...for everything else, there's DNS. (okay, I'm joking.)

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
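
The filtering rule described in the message above, sketched as an added example (not part of the original post and not any MTA's own code). It goes beyond the message by also forward-confirming the PTR name before trusting it; the function names, the policy table, and the `.example` names and `2001:db8::` addresses are constructed assumptions.

```python
import ipaddress

# Constructed policy table (assumption): freemail domains mapped to the PTR
# suffixes their real outbound relays use. Placeholder names, as in the message.
FREEMAIL_RELAYS = {"freemail.example": (".mail.freemail.example",)}

# Constructed sample DNS data so the check runs offline.
SAMPLE_PTR = {
    "2001:db8::25": ["mx1.mail.freemail.example."],
    "2001:db8:46::2": ["dsl-46-2.lsanca1.bigilec.example."],
    "2001:db8:66::6": ["mx1.mail.freemail.example."],  # PTR the owner made up
}
SAMPLE_ADDR = {
    "mx1.mail.freemail.example": ["2001:db8:0:0:0:0:0:25"],
    "dsl-46-2.lsanca1.bigilec.example": ["2001:db8:46::2"],
}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_addr(name):
    return SAMPLE_ADDR.get(name, [])

def check_sender(ip, envelope_from, ptr_lookup=sample_ptr, addr_lookup=sample_addr):
    """Return (verdict, reason) for one SMTP connection.

    ptr_lookup(ip) -> PTR names, addr_lookup(name) -> addresses. Both are
    injected; in a real filter they would wrap the resolver.
    """
    addr = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return "suspect", "no PTR record"
    # Keep only PTR names that resolve back to the connecting address.
    confirmed = [n for n in names
                 if any(ipaddress.ip_address(a) == addr for a in addr_lookup(n))]
    if not confirmed:
        return "suspect", "PTR not forward-confirmed"
    domain = envelope_from.rsplit("@", 1)[-1].rstrip(".").lower()
    suffixes = FREEMAIL_RELAYS.get(domain)
    if suffixes is None:
        # e.g. a DSL user sending with their own domain: nothing to contradict.
        return "accept", "sender domain not in policy table"
    if any(("." + n).endswith(s) for n in confirmed for s in suffixes):
        return "accept", "freemail sender from freemail relay"
    return "reject", f"{domain} sender from {confirmed[0]}"
```
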