At 13:15 -0500 1/4/07, Dean Anderson wrote:
address by the machine initiating the query". This incorrect assertion
is at the very heart of the mistaken uses of 'reverse DNS as security
mechanism'. The correct answer to "what is supposed to be seen" is
_site_ dependent. Those who think there is some "universally correct"
answer have no legitimate foundation for that belief. They are really
just trying to impose their _site's_ practices on everyone else in the
belief that if everyone else did what they did, they could use reverse
DNS for security or anti-spam or some such. The ends, however, cannot
be achieved even if everyone were to adopt their practices. [ignoring
the fact that some sites cannot adopt those practices and have very good
reasons for their different practices.]
I can speak to the motivation of this because I think I was the one
that suggested the words.
The motivation had nothing to do with security. Your point is well
taken and I agree that there is little value in the reverse map in
providing security. (Arguably, some value, not enough to justify the
expense certainly.) But the vagueness of the text is borne from
other observed uses of DNS, for example Akamization and what some
call "directional DNS". There are folks that purposefully answer
differently based on where a query comes from. It can be argued that
these folks are violating coherency and they can retort that no, they
are abusing dynamic update (with a wink). Whatever, it happens, and
we need to recognize reality and not try to argue theory.
The other scenario I had in mind was split-DNS, in which I answer
with more detail to my own machines than the Internet. Such as -
Inside: 8.88.888.202.in-addr.arpa PTR amadeus.perl.example.
Outside: 8.88.888.202.in-addr.arpa PTR machine888888.perl.example.
The "outside" isn't always to hide the inside machine's true
identity, but this makes transitions inside transparent to the
outside. Especially if the inside is using some kind of dynamic
update via DHCP and I just don't want to deal with that headache
outside my firewall.
I think you are right in discounting the notion of "universally
correct" answers. But if so, I would think you would even more agree
with the words as stated.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Dessert - aka Service Pack 1 for lunch.
_______________________________________________
DNSOP mailing list
https://www1.ietf.org/mailman/listinfo/dnsop
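A BIND 9 "views" configuration that yields the split-DNS behaviour described in the message (a detailed PTR for inside queriers, a stable generic PTR for the Internet, dynamic update accepted only on the inside), added here as an example and not Edward Lewis's own configuration. The reverse zone and PTR targets are the illustrative ones from the message; the internal address ranges, the name server name, the TSIG key name, the SOA values and the file paths are assumptions.

```conf
// named.conf fragment (constructed example). Internal ranges are assumed.
acl "inside-nets" { 10.0.0.0/8; 192.168.0.0/16; };

view "inside" {
    match-clients { "inside-nets"; localhost; };
    recursion yes;
    zone "88.888.202.in-addr.arpa" {
        type master;
        file "inside/88.888.202.in-addr.arpa.db";
        // Only the inside view takes DHCP-driven dynamic updates;
        // the key name is assumed.
        allow-update { key "dhcp-update-key"; };
    };
};

view "outside" {
    match-clients { any; };      // everyone not matched by "inside"
    recursion no;
    zone "88.888.202.in-addr.arpa" {
        type master;
        file "outside/88.888.202.in-addr.arpa.db";
        allow-update { none; };  // outside answers never change with DHCP churn
    };
};

// inside/88.888.202.in-addr.arpa.db (constructed): detailed PTR, short TTL
// $TTL 300
// @  IN SOA ns1.perl.example. hostmaster.perl.example. ( 2007010401 3600 900 604800 300 )
//    IN NS  ns1.perl.example.
// 8  IN PTR amadeus.perl.example.

// outside/88.888.202.in-addr.arpa.db (constructed): generic PTR, long TTL
// $TTL 86400
// @  IN SOA ns1.perl.example. hostmaster.perl.example. ( 2007010401 3600 900 604800 86400 )
//    IN NS  ns1.perl.example.
// 8  IN PTR machine888888.perl.example.
```

Querying 8.88.888.202.in-addr.arpa from an address in "inside-nets" returns amadeus.perl.example., while the same query from anywhere else returns machine888888.perl.example., which is exactly why a remote party cannot treat the PTR answer it sees as the one "correct" name for that address.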