On 2004-11-22 07:57:44 -0500, John Peacock wrote:
> David Nicol wrote:
> ><mode aspect="visionary" mood="frustrated">
> >
> >DNS would work better for this since it has well-defined caching,
> >unlike VRFY, but adding a local cache would also work well, and
> >nobody wants to muck with custom DNS servers that much
> >
> ></mode>
>
> I have to say that this is completely daft (IMNSHO). This is yet another
> precarious layer to the house of cards that people have made DNS
I won't debate that, but ...
> In addition, using DNS for user validation would make dictionary attacks
> practical again, since DNS is a public service by default. Both my
> implementation of VRFY and my finger server specifically were designed to
> allow only specified hosts to access the data. Yes, I know you could run a
> second authoritative DNS server, but that immediately loses what little
> benefit to using an existing framework by having to provide parallel
> services.
You don't need a second authoritative DNS server, just ACLs on the zone
with the email addresses:
zone "_vrfy.example.com" {
    // mx1 and mx2 are acl names (or addresses) defined elsewhere in named.conf
    allow-query {
        mx1;
        mx2;
    };
};
in BIND. For <joe@example.com>, an RR for joe._vrfy.example.com would
then be queried.
hp
--
   _  | Peter J. Holzer    | The further north you go, the less is
|_|_) | Sysadmin WSR       | spoken at all, so no dialect either.
| |   | [EMAIL PROTECTED]  | Hallig Gröde is almost completely dialect-free.
__/   | http://www.hjp.at/ |    -- Hannes Petersen in desd
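The lookup sketched in the reply above, worked through as an added example; this is not code from the thread or from any of its participants. It maps an address to the owner name joe._vrfy.example.com, emits the zone data and a named.conf fragment with the acl definitions and trailing semicolons that BIND requires, and checks an address against the zone offline in place of a real query. The single-label escaping rule, the TXT RDATA, the RFC 5737 host addresses, the acl names mx1/mx2 and the zone file name are assumptions made here, not part of the proposal.

```python
# Added example; not code from the thread. Implements the mapping
# joe@example.com -> joe._vrfy.example.com, generates the zone and the
# BIND ACL that restrict queries to the MX hosts, and checks an address
# against that zone offline. Escaping rule, TXT RDATA, host addresses and
# zone file name are assumptions, not part of the original proposal.
import re
from typing import Iterable

VRFY_LABEL = "_vrfy"

# Characters that are special in master-file syntax; backslash-escaping
# them keeps a local part such as "john.doe" a single DNS label instead of
# letting the dot split it into two (our choice; the thread leaves it open).
_SPECIAL = re.compile(r'([.\\;"()@$ ])')


def _escape_label(local: str) -> str:
    return _SPECIAL.sub(r"\\\1", local)


def vrfy_name(address: str) -> str:
    """Owner name the MX queries to validate `address`."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    # DNS owner names compare case-insensitively, so Joe@ and joe@ land on
    # the same RR whatever RFC 5321 says about local parts; normalise so
    # zone generation and lookup agree.
    local = local.lower()
    if len(local.encode()) > 63:
        # a label holds at most 63 octets, but a local part may be 64
        raise ValueError("local part does not fit in one DNS label")
    return f"{_escape_label(local)}.{VRFY_LABEL}.{domain.lower()}."


def zone_records(addresses: Iterable[str]) -> list[str]:
    """Master-file lines for the _vrfy zone: one TXT RR per valid mailbox.
    Only the RR's existence matters; the RDATA is arbitrary."""
    return sorted(f'{vrfy_name(a)} IN TXT "ok"' for a in addresses)


def named_conf(mx_hosts: dict[str, str], domain: str, zonefile: str) -> str:
    """named.conf fragment: an acl per MX plus the zone with allow-query
    limited to those acls (the sketch from the reply, with the acl
    definitions and the trailing semicolons BIND requires)."""
    acls = "".join(f"acl {name} {{ {ip}; }};\n" for name, ip in mx_hosts.items())
    allowed = " ".join(f"{name};" for name in mx_hosts)
    return (
        acls
        + f'zone "{VRFY_LABEL}.{domain}" {{\n'
        + "    type master;\n"
        + f'    file "{zonefile}";\n'
        + f"    allow-query {{ {allowed} }};\n"
        + "};\n"
    )


def is_valid_recipient(address: str, records: list[str]) -> bool:
    """Offline stand-in for the MX's query: an RR at the owner name means
    the mailbox exists; no RR (NXDOMAIN in real DNS) means reject at RCPT TO."""
    try:
        owner = vrfy_name(address)
    except ValueError:
        return False
    return any(line.startswith(owner + " ") for line in records)


if __name__ == "__main__":
    # Constructed sample data; 192.0.2.0/24 is the RFC 5737 documentation range.
    mailboxes = ["joe@example.com", "John.Doe@example.com"]
    records = zone_records(mailboxes)
    print("\n".join(records))
    print(named_conf({"mx1": "192.0.2.10", "mx2": "192.0.2.11"},
                     "example.com", "_vrfy.example.com.zone"))
    for probe in ["JOE@example.com", "jane@example.com"]:
        print(probe, "->", is_valid_recipient(probe, records))
```

Two points worth keeping in mind when deploying something like this: the allow-query ACL, not the zone contents, is what answers the dictionary-attack objection, so the zone must not be transferable or queryable beyond the listed MX hosts; and because DNS folds case, any scheme of this kind necessarily treats Joe@ and joe@ as the same mailbox.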
