To: Dean Anderson <dean@av8.com>
Cc: <dnsop@cafax.se>
From: Brad Knowles <brad.knowles@skynet.be>
Date: Fri, 28 Mar 2003 03:06:34 +0100
In-Reply-To: <Pine.LNX.4.44.0303271827320.11869-100000@commander.av8.net>
Sender: owner-dnsop@cafax.se
Subject: Re: What problem were we trying to solve again? (was Re:Radical
At 6:40 PM -0500 2003/03/27, Dean Anderson wrote:
> That would be fine, except that some people like Vixie and others tend to
> write software that puts reverse map entries in log files.
You seem to be saying that the one and only security
vulnerability these days is reverse DNS. In fact, there are many
modern security vulnerabilities. Even if the IP address were
provided in all possible cases, IP addresses can be spoofed. Buffer
overflows can result in bogus IP addresses being logged. Off-by-one
errors can cause incorrect IP addresses to be recognized. Insecure
applications elsewhere on the machine can result in a local redirect
that makes the connection appear to come from the machine itself (or
elsewhere on the local network).
There are plenty of security vulnerabilities around. Paul Vixie
is certainly not the only programmer in the world, and I'm sure that
he's made a few programming errors which resulted in security
vulnerabilities. However, I don't see any justification for publicly
vilifying him as one of the biggest "criminals" responsible for
creating security vulnerabilities, when in fact, you have provided no
evidence that he has participated in this kind of short-sighted
programming in recent history, and in fact has been one of the best
champions we've got for improving security in code related to the DNS.
> Then
> consultants go in and try to figure out who rooted a server, and find
> bogus reverse entries, and no IP addresses.
That's the fault of the people who wrote the program which failed
to record both the IP address(es) and the reverse DNS data. This is
not the fault of Paul Vixie, or BIND.
> They also mislead people about the use of reverse, so
> that your assertion (according to them, anyway) that "no one is forcing
> [me] to populate reverse maps" is false.
Who misleads people?
> The rest of your argument seems to be completely IPV4 specific. We are
> talking about an IPV6 problem. There are no reverse maps for IPv6, and
> there are problems creating them.
So, you're saying that ip6.arpa and ip6.int don't exist? I don't think so.
> There is also no need (for tools like
> traceroute) in IPv6 to have reverse because there are alternatives such as
> ICMP node identification.
Do you honestly think that anyone is going to let ICMP
information escape their network? Do you bother to monitor the NANOG
mailing list? It seems like every week we hear about yet another
network that is being stupid and using large packet sizes and Path
MTU discovery, but are blocking all forms of ICMP at their border
that would allow PMTUd to actually function correctly.
Many, many more networks selectively block ICMP, allowing only
those bits that are needed to support PMTUd, and blocking all other
forms of ICMP -- which breaks most implementations of traceroute.
ICMP may be sufficient within a particular network or subnetwork,
but you can't count on it beyond the first router. Other means have
to be used to bridge that gap.
Now, maybe reverse DNS isn't the best way to do that, but that's
a different discussion.
> The people who feel so strongly for reverse want us to undertake
> considerable effort to make reverse work in IPV6, including eliminating
> certain structure.
Eliminating what structure? Where have I (or anyone else)
advocated "eliminating" anything in favour of reverse DNS?
Personally, I don't want you to do anything you don't want to do.
If you don't want to do reverse DNS, then you should have that
option. However, I do not feel that you should have the power to try
to force other people to follow your same philosophy.
> This is a waste of time, for the harms given, and for
> the reason that there are adequate alternatives in IPV6.
Please prove this assertion.
And if this message results in my being filtered by Randy, then
so be it. I am trying very hard to be a "good boy" and stay out of
this argument as much as possible, but there are some things I just
can't leave unsaid.
--
Brad Knowles, <brad.knowles@skynet.be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
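Added example, not part of the message above and not code by its author or by the BIND project: the thread argues that a log which records only the reverse-mapped name (which the remote side's zone controls) is useless to an investigator, and that ip6.arpa exists for IPv6. The block below builds the PTR owner name for IPv4 (in-addr.arpa) and IPv6 (ip6.arpa nibble form), records the literal address alongside whatever the reverse zone says, and keeps only the names that forward-confirm. DNS answers come from injected lookup functions backed by constructed tables so it runs offline; every host name and address in those tables is hypothetical, and the function names are this example's own.

```python
"""Record the literal peer address alongside its reverse DNS data.

The DNS answers come from injected lookup functions backed by constructed
tables, so the module runs offline; the names and addresses below are
hypothetical and are not real DNS data."""
import ipaddress
import json
from typing import Callable, Dict, List


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address.

    IPv4: the four octets reversed under in-addr.arpa.
    IPv6: all 32 hex nibbles of the fully expanded address reversed under
    ip6.arpa, so 2001:db8::1 is expanded to 2001:0db8:0000:...:0001 first.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed stand-in for the reverse tree (hypothetical zone data).
PTR_TABLE: Dict[str, List[str]] = {
    reverse_name("192.0.2.10"): ["mail.example.net."],
    reverse_name("2001:db8::1"): ["www.example.net."],
    # Whoever controls 2.0.192.in-addr.arpa can publish any name here;
    # this entry claims to be a host whose forward record points elsewhere.
    reverse_name("192.0.2.20"): ["trusted-host.example.net."],
}

# Constructed stand-in for the forward tree (A/AAAA records).
ADDR_TABLE: Dict[str, List[str]] = {
    "mail.example.net.": ["192.0.2.10"],
    "www.example.net.": ["2001:db8::1"],
    "trusted-host.example.net.": ["192.0.2.5"],  # not 192.0.2.20
}

Lookup = Callable[[str], List[str]]


def table_lookup(table: Dict[str, List[str]]) -> Lookup:
    """Build a lookup function over a constructed table (empty list = no data)."""
    return lambda name: list(table.get(name, []))


def forward_confirmed(ip: str, names: List[str], lookup_addr: Lookup) -> List[str]:
    """Keep only the PTR names whose A/AAAA records include the original address."""
    target = ipaddress.ip_address(ip)
    return [
        name for name in names
        if any(ipaddress.ip_address(a) == target for a in lookup_addr(name))
    ]


def connection_record(ip: str,
                      lookup_ptr: Lookup = table_lookup(PTR_TABLE),
                      lookup_addr: Lookup = table_lookup(ADDR_TABLE)) -> dict:
    """Everything an investigator later needs, with the literal address first.

    'ip' is the address as seen on the wire (canonical form), 'rdns' is
    whatever the reverse zone claimed, and 'fcrdns' is the subset of those
    names that forward-confirm; only 'ip' is independent of the remote
    party's DNS."""
    canonical = str(ipaddress.ip_address(ip))
    ptr_name = reverse_name(canonical)
    rdns = lookup_ptr(ptr_name)
    return {
        "ip": canonical,
        "ptr_name": ptr_name,
        "rdns": rdns,
        "fcrdns": forward_confirmed(canonical, rdns, lookup_addr),
    }


def log_line(ip: str) -> str:
    """One JSON log line per connection, keys sorted so it greps predictably."""
    return json.dumps(connection_record(ip), sort_keys=True)


if __name__ == "__main__":
    for peer in ("192.0.2.10", "192.0.2.20", "198.51.100.7", "2001:DB8:0:0::1"):
        print(log_line(peer))
```

In a real daemon the two table lookups would be replaced by resolver calls (PTR, then A/AAAA for each returned name); the shape of the record is the point: the address is written first and verbatim, the reverse name is an annotation, and a PTR that does not forward-confirm is kept in the log but never promoted to the identity of the peer. Only ip6.arpa is generated here; the older ip6.int tree mentioned in the message is not produced.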