To:
Rob Austein <sra+dnsop@hactrn.net>
Cc:
dnsop@cafax.se
From:
Alain Durand <Alain.Durand@Sun.COM>
Date:
Mon, 07 Apr 2003 11:41:59 -0700
In-reply-to:
<20030402223212.5111218E1@thrintun.hactrn.net>
Sender:
owner-dnsop@cafax.se
Subject:
Re: I-D ACTION:draft-ietf-dnsop-inaddr-required-04.txt
On Wednesday, April 2, 2003, at 02:32 PM, Rob Austein wrote:
> So far we've heard from:
>
> - Ray, who pointed out some RIR-related (specifically, ARIN-related)
> text that needs some work;
>
> - Måns, who liked the draft and suggested adding text discussing IPv6;
>
> - Dean, who says that we should not be working on this draft.
>
> Does anybody -else- have comments on this draft? In particular: does
> anybody who has not yet spoken on this have an opinion on whether the
> WG should be working on this?
Catching up on e-mail in this wg...
I just read the draft, here are my comments:
1- This document should talk about IPv6 and suggest practices
that are viable in both world, v4 & v6 . Sentences like:
"Only IP addresses not presently in use within a block, or that are
not valid for use (zeros or ones broadcast addresses) are
permitted
to have no mapping." have a big impact on IPv6, as the address
space
is so large! See draft-dnsop-ipv6-dns-issues-02.txt
On the same line, the document should mention ip6.arpa as long as
in-addr.arpa.
2- The rationale why the reverse tree has to be populated is weak:
- checking reverse mapping is far from a good security mechanism
- doing log analysis on PTR records is not very good, better
alternative
exists
- export control based on PTR is, hum, questionable.
3- Several people have made the case that apps who rely on the
existence of PTR
are broken and should be fixed. Although I have some sympathy for
this argument, I consider it a long term goal. In the meantime,
there
is an operation issue when the reverse tree is not populated
correctly,
and I understand it would be good to RECOMMEND to populate it.
4- Not populating the reverse tree has different effects, depending
which part is
not populated and who suffer the consequences.
e.g:
- Mail relays with no PTR exposed themselves to big problems
- In Enterprise environment, some weak internal access control based
on PTR
is often deployed, failure to deploy PTR internally leads to IT
problems
- Home ISPs who fail to pre-populate the reverse for their customer
could
face high volume call on their help desk when customers can not
access
some FTP site that still do PTR enforcement.
- When PTR are not populated correctly for web proxies (and
transparent proxies)
Web server log analyst could arrive to bogus conclusion. What is
the point to discuss
5% vs 7% TLD access when 30% or more of the queries do not resolve?
It is unclear to me what the current draft is trying to optimize, who
gets the benefits
and who bares the cost.
So I would like to see this draft take another approach at the problem,
and issue more targeted recommendations with a softer language
(RECOMMEND vs SHOULD)
- Alain.
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.