

To: Brad Knowles <brad.knowles@skynet.be>
cc: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, Jun-ichiro itojun Hagino <itojun@iijlab.net>, Pekka Savola <pekkas@netcore.fi>, dnsop@cafax.se
From: Robert Elz <kre@munnari.OZ.AU>
Date: Fri, 22 Nov 2002 20:40:05 +1100
In-Reply-To: <a05200f11ba03a0798758@[192.168.0.3]>
Sender: owner-dnsop@cafax.se
Subject: Re: comments on dnsop-ipv6-dns-issues-00

    Date:        Fri, 22 Nov 2002 09:56:45 +0100
    From:        Brad Knowles <brad.knowles@skynet.be>
    Message-ID:  <a05200f11ba03a0798758@[192.168.0.3]>

  | 	Do we have cryptographic evidence for this assumption?

Cryptographic evidence ?

But no, I haven't tried to measure it, but it is something that could be
measured.   I'm not sure it is important enough to bother with though.

  | Or are we just assuming that since we received a packet from a particular IP 
  | address that this claimed source must actually be alive?

No, of course not.   I'm assuming that most of the time it will be alive (for
genuine packets anyway, for spoofed packets, any kind of address->name lookup
is clearly a waste of time anyway).   But it isn't whether it is alive that
mattered, Ohta-san's point was that it isn't necessarily possible to get
packets back to it, just because it can get packets to you - which is certainly
true.

My point was that it is (I suspect) less likely to be able to get packets
to its in-addr.arpa DNS server, than the host itself.   If the host is sending
many packets then (spoofing and hacking aside) it is almost certainly getting
replies - or it would soon give up on sending.  Its in-addr.arpa server might
be anywhere (even if reachable, it may not be correctly configured).

  | 	Still, I think we need to provide some sort of reverse mechanism.

Why?

While I have no objections with allowing people to provide names for hosts on
their networks, one way or another, if they desire to, I can't think of any
particularly good reason why anyone would actually want to (the best one is
perhaps "because, it has always been done").  I certainly don't believe that
anyone should be expecting to be able to take someone else's address and
translate it into a name.

kre
