On Mon, Mar 19, 2007 at 06:25:54PM +0100, Ted Lemon wrote:
> One thing that popped for me during your presentation today, Andrew,
> is that you say that the stupid things people are doing with the
> reverse zone have to work. This isn't true.

Yikes. If that's the way I put it, my apologies; it certainly isn't true. What I think _is_ true (and what I was meaning to say) is that some people say that some uses of the reverse tree are useful for them. In order for those uses to work, the reverse lookups have to work. Or, to put this another way, for the reverse tree to be widely useful, it has to be fairly widely implemented; and to the extent people stop implementing reverse mappings, the reverse tree in general gradually becomes less useful.

> They don't have to work. If they are stupid, they oughtn't to work.
> E.g., if your ssh server is checking your reverse record to make
> sure you are who you claim to be, it's kind of missing the point -
> it should be checking your public key.

I believe that there are cases where people apparently believe they are getting authentication via reverse mappings. Your example of using the matching reverse to authenticate an ssh connection would be an absurd but clear example of this. Some of those uses are, of course, a historical accident. Some such uses are, I agree, also stupid, and they indeed need not work. But there are some controversial uses where some people claim checking for matching or existing reverse mappings is useful even as others say emphatically that the check is bad, evil, wrong, or just silly. The obvious case is disagreement on using reverse mapping as a hint in spam-candidate scoring. Some users report that, based on the analysis of their own traffic, some sort of reverse mapping test is a useful indicator. Others correctly point out that such a rule runs the risk of false positives and also does not catch all spam.

My (editorial) view on this is that, given there are uses where some people who understand the limitations of the facility nevertheless claim there is utility in their own case, in the absence either of numbers to show that the wrong empirical conclusion has been drawn or that the use case is implicitly broken, then such a use is not obviously stupid. (It is also my personal, non-editor opinion that part of the strength of the Internet comes from the way that such decisions can be made on a case by case basis at the edges, according to the uses that network administrators find for themselves, assuming those administrators are correctly informed about the consequences of those decisions.)

So, the intent of the text is precisely to say, on the one hand, that someone who is trying to use reverse mappings needs to understand the limitations of the implementations on the Internet; and on the other hand, that network operators should implement the reverse mappings in the absence of strong counter considerations, because the implementation is needed for these various use-cases to work.

Does that clarify my remark?

-- 
Andrew Sullivan                         204-4141 Yonge Street
Afilias Canada                          Toronto, Ontario Canada
<[EMAIL PROTECTED]>                     M2P 2A8
jabber: [EMAIL PROTECTED]               +1 416 646 3304 x4110

_______________________________________________
DNSOP mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dnsop
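The reverse-mapping test the thread argues about, written out as an added example (not part of the original message): a forward-confirmed reverse DNS check run against a constructed, in-memory resolver, with the result used only as a scoring hint. The zone data, addresses and weights below are made up for illustration.

```python
# Added example: forward-confirmed reverse DNS (FCrDNS) as a hint, not as
# authentication.  The resolver data below is constructed; a real check
# would query PTR and A records over the network.
from dataclasses import dataclass
from typing import Dict, List

# Constructed zone data: PTR records keyed by address, A records keyed by name.
PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net."],      # PTR and A records agree
    "192.0.2.20": ["trusted.example.org."],   # PTR claims a name it does not own
    # 192.0.2.30 deliberately has no PTR record at all
}
A: Dict[str, List[str]] = {
    "mail.example.net.": ["192.0.2.10"],
    "trusted.example.org.": ["198.51.100.7"],
}


@dataclass
class FcrdnsResult:
    address: str
    ptr_names: List[str]
    confirmed: List[str]  # PTR names whose forward lookup contains the address
    verdict: str          # "confirmed", "mismatch" or "missing"


def fcrdns(address: str, ptr=PTR, a=A) -> FcrdnsResult:
    """Reverse lookup, then a forward lookup of every returned name.

    Whoever controls the reverse zone chooses the PTR, so the PTR alone
    proves nothing; only names that resolve back to the address count.
    Even a confirmed result shows that two zones agree, not who the peer
    is, which is why it cannot replace an ssh public-key check.
    """
    names = ptr.get(address, [])
    confirmed = [n for n in names if address in a.get(n, [])]
    if not names:
        verdict = "missing"
    elif confirmed:
        verdict = "confirmed"
    else:
        verdict = "mismatch"
    return FcrdnsResult(address, names, confirmed, verdict)


# Illustrative spam-scoring weights: the verdict adjusts a score and is never
# a decision by itself, since both false positives and missed spam remain.
HINT_WEIGHT = {"confirmed": 0.0, "missing": 1.0, "mismatch": 2.0}


def reverse_mapping_hint(address: str) -> float:
    """Contribution of the reverse-mapping test to a spam-candidate score."""
    return HINT_WEIGHT[fcrdns(address).verdict]
```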
