On 22 Nov 2004, at 12:57, John Peacock wrote:
> In addition, using DNS for user validation would make dictionary attacks practical again, since DNS is a public service by default.
Only in the same way that a RCPT TO check is, i.e. a DNS database doesn't automatically mean you can freely download the entire list - that's only possible with AXFR, and you only allow that to hosts you AXFR to.
(I feel mixed on the idea of storing user data in DNS - it's a nice free distributed DB, and very fast, but LDAP is probably more appropriate. I just wish OpenLDAP were better.)
Matt.
