One thing that popped for me during your presentation today, Andrew,
is that you say that the stupid things people are doing with the
reverse zone have to work. This isn't true. They don't have to
work. If they are stupid, they oughtn't to work. E.g., if your
ssh server is checking your reverse record to make sure you are who
you claim to be, it's kind of missing the point - it should be
checking your public key.
For me, the sole function of the reverse zone is as a hint for
figuring out who I'm talking to. There are two specific cases where
I find this particularly viable:
1. I want to find the forward pointer for a specific host so that I
can find additional information attached to it, in cases where I've
already decided the host I'm talking to is worth talking to based on
non-DNS mechanisms.
2. I am trying to figure out why and how something is broken, and
want a hint as to who is talking to me.
These are both very important uses to me, particularly the second.
In cases where there is no reverse entry, debugging gets a lot
harder. This is why I'm in favor of documenting and encouraging the
population of the reverse tree. I do not think that supporting
people's broken "authentication" schemes is a reason. I haven't
objected strenuously to the language in the document because I don't
think it actually encourages these schemes, and I think for
historical reasons it's useful to mention that such schemes are extant.
But they do not "have to work." And if you think that they do, you
may be unintentionally saying things based on that belief that are
setting off some of the people who are objecting to this document.
So it might be profitable to actively stop thinking that these
applications have to work - they really, really don't.
_______________________________________________
DNSOP mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dnsop
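The two uses described in the message above (following a PTR to its forward pointer, and labelling a peer when debugging) as a worked example. This is added illustration, not code from the original message or from any DNSOP document. The DNS data is a constructed in-memory stub standing in for a resolver so the script runs offline; the names under example.com and the 10.0.0.0/24 and 2001:db8::/32 addresses are made up.

```python
"""Forward-confirmed reverse lookup as a hint about a peer, not as authentication.

Added example, not code from the original message. The DNS data below is a
constructed in-memory stub so the script runs offline; names and addresses
are made up (example.com and documentation address ranges).
"""
import ipaddress


def rev_name(ip_str):
    """Owner name of the PTR record for an address, e.g. 5.0.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip_str).reverse_pointer + "."


# Constructed stub resolver data: owner name -> {rrtype: [rdata, ...]}.
STUB_DNS = {
    # Properly populated: the PTR names a host whose A record points back here.
    rev_name("10.0.0.5"): {"PTR": ["mail.example.com."]},
    "mail.example.com.": {"A": ["10.0.0.5"]},
    # Whoever runs the reverse zone for 10.0.0.0/24 can publish any name they
    # like; this PTR claims a trusted host, but the forward record for that
    # name does not contain 10.0.0.66.
    rev_name("10.0.0.66"): {"PTR": ["trusted.example.com."]},
    "trusted.example.com.": {"A": ["10.0.0.7"]},
    # IPv6 works the same way via ip6.arpa.
    rev_name("2001:db8::1"): {"PTR": ["host6.example.com."]},
    "host6.example.com.": {"AAAA": ["2001:db8::1"]},
    # 10.0.0.200 deliberately has no PTR at all.
}


def classify_peer(ip_str, dns=STUB_DNS):
    """Classify a peer address by what the reverse tree says about it.

    Returns (status, names):
      'no-ptr'      -- nothing in the reverse zone; debugging gets harder.
      'unconfirmed' -- a PTR exists but no forward record points back; treat
                       the name as untrusted decoration.
      'confirmed'   -- the PTR name has an A/AAAA record containing this
                       address; a usable hint for finding other data attached
                       to the host.
    Even 'confirmed' is only a hint: anyone controlling both the forward and
    reverse zones can make it pass. Authenticate with keys, not with this.
    """
    addr = ipaddress.ip_address(ip_str)
    ptrs = dns.get(addr.reverse_pointer + ".", {}).get("PTR", [])
    if not ptrs:
        return "no-ptr", []
    rrtype = "A" if addr.version == 4 else "AAAA"
    confirmed = [
        name for name in ptrs
        if any(ipaddress.ip_address(a) == addr
               for a in dns.get(name, {}).get(rrtype, []))
    ]
    if confirmed:
        return "confirmed", confirmed
    return "unconfirmed", ptrs


def debug_label(ip_str, dns=STUB_DNS):
    """Human-readable tag for a log line (the 'who is talking to me' case)."""
    status, names = classify_peer(ip_str, dns)
    if status == "no-ptr":
        return f"{ip_str} (no reverse entry)"
    if status == "unconfirmed":
        return f"{ip_str} (claims {', '.join(names)}; not forward-confirmed)"
    return f"{ip_str} ({', '.join(names)})"


if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.66", "10.0.0.200", "2001:db8::1"):
        print(debug_label(ip))
```

The point of the second stub entry is the one the message makes: the holder of an address block writes whatever it wants into its PTR records, so a server that trusts the reverse name alone is trusting the peer's own claim. Forward confirmation filters out the sloppiest cases but still proves nothing about the peer's identity; it only makes the hint more useful for lookups and for reading logs.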