On Thu, 4 Jan 2007, Joe Abley wrote:

> 
> On 4-Jan-2007, at 13:15, Dean Anderson wrote:
> 
> >    In general, the DNS response to a reverse map query for an address
> >    ought to reflect what is supposed to be seen at the address by the
> >    machine initiating the query.
> >
> > There is no exact definition of "what is supposed to be seen at the
> > address by the machine initiating the query".
> 
> I'm not sure I understand why you think this is a problem.

I suggest you review the (or your personal) archives of the in-addr
discussion.  This was all discussed.  I think you participated, if
memory serves.

> > The correct answer to "what is supposed to be seen" is
> > _site_ dependent.
> 
> Assuming you mean the site responsible for the address concerned,  
> then surely this presents no great problem.

That is exactly the problem.  To refresh and review:

The debate is over "the right answer" given for reverse DNS queries.  
The position of the "security/spam" crowd is that no reverse answer is
wrong, and that if forward doesn't match reverse, that is also wrong.
They assert that matching forward/reverse imply security and
trustworthiness, at least for spam filtering.

The opposing position is that any PTR answer is optional, and that there
is no rule that says reverse and forward must match; that there are
cases where it is convenient and useful for forward and reverse not to
match.  There are also very good reasons for having no reverse DNS (cost
being only one), and there is no reason for considering the absence of
matching forward/reverse to be insecure or untrustworthy.  Further,
there is no inference of security when forward/reverse do match, and the
use of such an inference is itself a security _vulnerability_ that
should be highlighted as a _bad_ practice rather than encouraged.

PTR records are also more impractical in IPv6, certainly more expensive,
and there was some talk they may even be removed altogether in favor of
the HOSTINFO ICMP. [This is somewhat old, and I haven't checked this in
a while--there may be an update---I'll try to look into this next week.]
[NB: I rather favor the HOSTINFO ICMP approach, since the information is
always there and doesn't depend on DNS which may not be available during
a network outage. Network outages are when I find reverse DNS
information most helpful]

If I left out anything important in this short summary of a long
discussion, I apologize.  Hopefully, this jogs your memory.

                --Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   



_______________________________________________
DNSOP mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dnsop
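The forward-confirmed reverse DNS check that the message argues over, as an added example that is not part of this thread: it runs over a constructed in-memory PTR/A table (the names and addresses are assumptions, no network is used) and classifies an address as match, mismatch or no-PTR. The "match" result is identical for a party that simply controls both its reverse and forward zones, which is why a match shows record consistency, not trustworthiness.

```python
import ipaddress

# Constructed records standing in for PTR and A lookups (assumed values).
PTR = {
    "192.0.2.10": "mail.example.net",       # PTR and A agree
    "192.0.2.11": "host-11.isp.example",    # PTR present, A does not point back
    # 192.0.2.12 deliberately has no PTR: a legitimate, allowed state
    "198.51.100.5": "relay.self-hosted.example",  # same operator runs both zones
}
A = {
    "mail.example.net": ["192.0.2.10"],
    "host-11.isp.example": ["203.0.113.7"],
    "relay.self-hosted.example": ["198.51.100.5"],
}


def reverse_name(addr: str) -> str:
    """The owner name a resolver would query for the PTR (v4 or v6)."""
    return ipaddress.ip_address(addr).reverse_pointer


def fcrdns(addr: str) -> str:
    """Forward-confirmed reverse DNS: 'match', 'mismatch' or 'no-ptr'."""
    name = PTR.get(addr)          # PTR lookup on reverse_name(addr)
    if name is None:
        return "no-ptr"           # absence of a PTR is not an error
    # Forward lookup of the PTR target must contain the original address.
    return "match" if addr in A.get(name, []) else "mismatch"


def indistinguishable(a: str, b: str) -> bool:
    """True when the check yields the same verdict for two addresses,
    i.e. it cannot tell a well-run mail host from any self-consistent one."""
    return fcrdns(a) == fcrdns(b)


if __name__ == "__main__":
    for addr in PTR.keys() | {"192.0.2.12"}:
        print(f"{addr:15} {reverse_name(addr):30} -> {fcrdns(addr)}")
    print("match verdicts identical:",
          indistinguishable("192.0.2.10", "198.51.100.5"))
```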
