> > simple forward lookup offers no security at all.
> > reverse+forward checking is better than nothing.
>
> Only DNSSEC can help with 'simple forward lookup', and it's out of
> scope here.
DNSSEC is forward/reverse agnostic.
What seems to be missing here is the underlying
assertion that only one mapping is useful, e.g.
the political mapping - that the topological mapping
is of minimal worth.
Forward mapping (the name of the node) and reverse
mapping (where in the topology the node sits) are
complementary functions. E.g.
trusting a node who claims to be, say, icbm-launch-control.dod.mil
might be reasonable if the IP address was in the range 215.0.0.0/8,
while it would be more suspect if mapped to 66.198.41.0/24.
Yes, this does bring up whole other issues re routing and route
hijacking - but the point is that it is a simple and useful check
to check -BOTH- forward and reverse maps. Checking just one
is not in any way a reasonable security check.
> From the intended "security" perspective, the reverses must be checked
> from the forward tree (due to who controls the data), while forwards
> would only need to be checked from the reverse tree if you'd believe the
> forward tree would be used for e.g. DoS misdirection attacks. And as
> you can do DoS attacks already, this shouldn't be a concern.
Who controls what data? The end system gets to assert a name
regardless of what is in the forward tree. For packets to flow,
the node must be anchored in the topology, and that requires some
ISP hand it an IP address.
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
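The "check BOTH maps" argument above, worked through as an added example (not code from either poster). It is forward-confirmed reverse DNS in miniature: the FORWARD and REVERSE tables are constructed toy zone data that stand in for answers from a real resolver, the addresses come from the RFC 5737 documentation ranges, and the optional expected_nets argument is an assumption that models the "is this address in a plausible range" plausibility test the post describes.

```python
import ipaddress

# Constructed toy zone data (assumption: a real check would query a
# resolver; these dictionaries let the example run offline).
FORWARD = {  # name -> A records published by whoever controls the name
    "host1.example.net.": {"192.0.2.10"},
    "impostor.example.org.": {"192.0.2.10"},  # anyone can point a name at an address
}
REVERSE = {  # address -> PTR names published by whoever holds the address block
    "192.0.2.10": ["host1.example.net."],
    "198.51.100.7": ["host1.example.net."],  # PTR naming a host that does not map back
}


def forward_lookup(name):
    """A records for a name (empty set when the name does not exist)."""
    return FORWARD.get(name, set())


def reverse_lookup(addr):
    """PTR names for an address (empty list when there is no reverse entry)."""
    return REVERSE.get(addr, [])


def forward_only_ok(name, addr):
    """The weak check: does the claimed name resolve to the address?
    Passes for any name whose owner chose to point it at addr."""
    return addr in forward_lookup(name)


def fcrdns(addr):
    """Forward-confirmed reverse DNS: keep only PTR names that resolve
    back to addr. Each surviving name is asserted by both the address
    holder (PTR) and the name holder (A), i.e. both maps agree."""
    return [name for name in reverse_lookup(addr) if addr in forward_lookup(name)]


def claimed_name_is_consistent(name, addr, expected_nets=()):
    """Accept a name a peer claims only if the forward map, the reverse
    map, and (optionally) an expected address range all agree.
    expected_nets is an assumed list of CIDR strings for the range in
    which a node with this name would plausibly sit."""
    in_range = not expected_nets or any(
        ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        for net in expected_nets
    )
    return forward_only_ok(name, addr) and name in fcrdns(addr) and in_range


if __name__ == "__main__":
    # The impostor name passes a forward-only check but not the two-map check.
    print("forward-only, impostor:", forward_only_ok("impostor.example.org.", "192.0.2.10"))
    print("both maps, impostor:   ", claimed_name_is_consistent("impostor.example.org.", "192.0.2.10"))
    print("both maps, real host:  ", claimed_name_is_consistent("host1.example.net.", "192.0.2.10"))
    print("wrong range, real host:", claimed_name_is_consistent(
        "host1.example.net.", "192.0.2.10", expected_nets=["198.51.100.0/24"]))
```

The two tables are controlled by different parties, which is the point made in the thread: the name holder chooses what a name resolves to, the address-block holder chooses the PTR, and a node is only anchored in the topology once an ISP hands it an address. A forward-only check therefore passes for impostor.example.org. (its owner simply published the address), a reverse-only check passes for 198.51.100.7 (the PTR names a host it does not belong to), and only fcrdns, where both maps must agree, rejects both.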
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html