I was referring specifically to the use of reverse DNS as a pseudo-authentication mechanism. Kick out that crutch, and the folks who were using it will gravitate towards legitimate, crypto-based authentication mechanisms (which hopefully should be independent of the underlying -- IPv4 versus IPv6 -- protocol suites). Carry end-node reverse DNS forward into the IPv6 world, and you'll *never* get rid of the bogus authentication mechanisms...

- Kevin

Jessica Little wrote:

<2cents>

Start anew?!?...

IMO, there's been a lot of progress, IPv6 wrt DNS, etc. Unfortunately, the Foo Factor can manifest itself at all levels and stages of the process... and cannot always be avoided by starting over...
</2cents>


JL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Darcy
Sent: Friday, March 21, 2003 12:44 PM
To: [EMAIL PROTECTED]
Subject: Re: [RETRANSMIT] Re: Radical Surgery proposal: stop doing reverse for IPv6.

Brad Knowles wrote:



At 6:18 PM -0500 2003/03/20, Kevin Darcy wrote:



You claim that reverse DNS causes harm. Can you provide evidence
for this claim?


The (un-Kerberized) versions of the "r-series" commands harm security
infrastructure, and reverse DNS enables them to function.


So, we should break reverse DNS just so that r-commands don't work? Excuse me?!? Do you recommend killing the patient just so that you don't have to deal with their hangnail problem?!?

I'm sorry, just because some morons choose to leave themselves open to the r-command problem is not sufficient justification for no longer doing reverse DNS.


Not in and of itself, no, but our increased, multi-decade knowledge of the uses and abuses of reverse DNS does alter the original cost-benefit analysis's inputs, to the point where reverse DNS now seems like more pain than gain, at least with respect to end-nodes, and/or at least with respect to IPv6, which is going to increase the "pain" without any corresponding anticipated increase in "gain". So maybe it's time to let go of the old baggage and start anew.


- Kevin




#---------------------------------------------------------------------- # To unsubscribe, send a message to <[EMAIL PROTECTED]>.







