On Mon, 17 Mar 2003, Måns Nilsson wrote:
> > ==> one might note that in the case of reverse DNS lookup where a wildcard
> > would be returned (the lazy/pragmatic ISP scenario), the result would be
> > worthless anyway (ie. not useful as a security mechanism). So this may be
> > a protocol concern, but not really an operational one as far as I can see.
>
> But handing out a reverse answer is sometimes a performance boost, keeping
> old broken (but v6-aware) servers from timing out on a DNS reverse query.
> Sounds operational to me.
I agree with you on this aspect of operational. I should have been more
verbose. What I was mainly referring to was the argument why a wildcard
reverse DNS would not cut it: it doesn't work with DNSsec, or that it's
operationally "evil". My counter-arguments are that:

1) DNSsec is unnecessary, even dangerous, with dummy records which have no
security properties. If those *were* securable, people would just misuse
them. Remember, we're discussing something with a pointer to
a.b.c.d.dynrev.arpa or a.b.c.d.foo.com, where a.b.c.d is the IP address.
(PTR to bar.foo.com would be different, but *real* population of reverse
records was an entirely different issue.)

2) operators who don't provide reverse-IP records, or don't delegate them,
can be considered evil anyway. They're lazy/pragmatic/what have you; you
just have to pick between two evils, and a wildcard one may be a lesser
one (but this probably should be analyzed a bit more).

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
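An added example, not part of the original thread, that applies the point above from the consuming side: a PTR target that merely restates the address (a.b.c.d.dynrev.arpa, a.b.c.d.foo.com and similar) carries no security information, so a consumer should flag such answers and otherwise insist on forward confirmation. The name spellings it matches and the forward table it resolves against are assumptions constructed for the example.

```python
import ipaddress
from typing import Callable, Iterable

def _address_forms(ip: str) -> set:
    """Spellings of the address that wildcard/synthesised PTR targets embed.
    These forms are an assumption for this example, not a standard."""
    addr = ipaddress.ip_address(ip)
    forms = set()
    if addr.version == 4:
        octets = str(addr).split(".")
        forms.add(".".join(octets))                          # a.b.c.d
        forms.add(".".join(reversed(octets)))                # d.c.b.a
        forms.add("-".join(octets))                          # a-b-c-d
        forms.add("".join(f"{int(o):02x}" for o in octets))  # hex, e.g. c0000201
    else:
        forms.add(addr.exploded.replace(":", ""))            # full 32-digit hex
        forms.add(addr.compressed.replace(":", "-"))         # e.g. 2001-db8--1
    return forms

def is_synthetic_ptr(ip: str, ptr_name: str) -> bool:
    """True when the PTR target just restates the address it was asked about.
    Substring matching is a heuristic: it catches common wildcard layouts
    but cannot prove a name was generated."""
    name = ptr_name.lower().rstrip(".")
    return any(form.lower() in name for form in _address_forms(ip))

def reverse_is_trustworthy(ip: str, ptr_name: str,
                           forward_lookup: Callable[[str], Iterable[str]]) -> bool:
    """Reject synthetic targets outright; otherwise require that the name
    resolves forward to the same address (forward-confirmed reverse DNS)."""
    if is_synthetic_ptr(ip, ptr_name):
        return False
    target = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == target
               for a in forward_lookup(ptr_name.rstrip(".")))

# Constructed forward zone standing in for real A/AAAA lookups (offline).
FORWARD = {"mail.example.net": ["192.0.2.1"]}

def lookup(name: str) -> Iterable[str]:
    return FORWARD.get(name.lower().rstrip("."), [])

if __name__ == "__main__":
    for ip, ptr in [("192.0.2.1", "1.2.0.192.dynrev.arpa."),
                    ("192.0.2.1", "mail.example.net."),
                    ("192.0.2.2", "mail.example.net.")]:
        print(ip, ptr, "->", reverse_is_trustworthy(ip, ptr, lookup))
```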
