RE: rfc1918 impact

-----BEGIN PGP SIGNED MESSAGE-----

Dean Anderson wrote:

> So far, DNSSEC doesn't solve this problem.  I don't think the 
> reverse DNS problem is intended to be solved by DNSSEC.

IMHO "reverse" is just the same as ordinary domains, where DNS is a
phonebook for internet name mappings.

>   Quick poll: Does anyone actually think that DNS can be made globably
> invulnerable, and positively trusted, yet usable?

I trust the word of Miek Gieben, and as he says it is so, I
have to go with that: it will be trusted and usable.

> DNSSEC won't solve a number of problems of intentional false 
> information.

You won't be able to 'spoof' anymore, which solves the
intentional false information part.

> It only works in cooperative environments, and is limited in 
> many ways.

Everything is based on cooperation, nobody is 'forced' to
implement a specification and people can invent their own etc.
You might want to follow up to the dnssec-wg why you think it
is limited btw.

<SNIP>

> Also, logs should definitely NOT be using reverse DNS.  This 
> is one of the many improper uses of Reverse DNS.
> One must always log the IP address. If
> you have a lot of extra time, and space in the log, the 
> current value of the reverse lookup may be interesting,
> but it is not meaningful.
> Implementors are starting to get a clue:  I've noticed that 
> the UTMP on several platforms only stores the IP address for IPv6.
> Many a breakin has been hard or impossible to trace due to improper
> use of reverse DNS in logging.

I realize that all too well, unfortunately some don't:
http://www.freebsd.org/cgi/query-pr.cgi?pr=22595
(Check the dates btw :)

They should log both the IP and the reverse.

> Sometimes it is impossible to detect! How do you 
> know that the access from 
> the_very_long_host.another_long_zone.some_doma---oops, out of
> space for hostname--was unauthorized?  Anonymous Mail Relay 
> abuse was made possible because the early SMTP implementors
> didn't put the IP address in the Received header, but the
> reverse DNS, which we subsequently found out to be useless.

Reverses should be checked with the forward mapping of course.
If both of these answers come in over DNSSEC then you are 100%
sure that this host has this name. But still one wants to
log the IP because one DNS TTL later the hostname is out of your
cache and possibly out of the entire DNS system.

> and includes _everything_ (that I've heard of) except for 
> traceroute, which is using reverse DNS only for what amounts
> to transient pretty printing.

Traceroute doesn't check the forward belonging to a reverse,
and I have seen a number of jokers using 'nice' hostnames.
Next to that, there are very easy ways of spoofing traceroutes;
rotorouter anyone? :)

> Anyway, this is getting afield a little for the IETF list, 
> and probably belongs on one of the DNS lists.

Ack.

> Perhaps all that is important is to remember that "properly configured
> Reverse DNS" includes having no reverse DNS at all.

Ack.

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / jeroen@unfix.org / http://unfix.org/~jeroen/

-----END PGP SIGNATURE-----
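A defender-side illustration of the two points made in the exchange above (check the reverse against the forward mapping, and always log the IP address itself), added here as an example and not part of the original thread or of any project's code. The record tables and the two lookup functions are constructed stand-ins for real PTR and A answers so that it runs offline; the status tag is a naming choice of this example.

```python
import ipaddress

# Constructed sample DNS data (RFC 5737 documentation addresses) standing in
# for real PTR and A answers, so the example runs without network access.
PTR_RECORDS = {
    "192.0.2.10": ["mail.example.net."],
    # A "joker" PTR: the reverse claims a name whose forward points elsewhere.
    "192.0.2.20": ["trusted-gateway.example.org."],
    "198.51.100.5": ["the_very_long_host.another_long_zone.example."],
}
A_RECORDS = {
    "mail.example.net.": ["192.0.2.10"],
    "trusted-gateway.example.org.": ["203.0.113.7"],
    "the_very_long_host.another_long_zone.example.": ["198.51.100.5"],
}

def lookup_ptr(ip):
    """Stand-in for a PTR query; returns a list of names (may be empty)."""
    return PTR_RECORDS.get(ip, [])

def lookup_a(name):
    """Stand-in for an A query; returns a list of addresses (may be empty)."""
    return A_RECORDS.get(name, [])

def fcrdns(ip, ptr=lookup_ptr, a=lookup_a):
    """Forward-confirmed reverse DNS: the first PTR name whose forward
    lookup contains ip, or None when no name confirms."""
    return next((name for name in ptr(ip) if ip in a(name)), None)

def classify(ip, ptr=lookup_ptr, a=lookup_a):
    """Return (name, status): 'none' (no PTR at all), 'confirmed'
    (forward matches the address) or 'mismatch' (forward does not)."""
    names = ptr(ip)
    if not names:
        return None, "none"
    confirmed = fcrdns(ip, ptr, a)
    if confirmed is not None:
        return confirmed, "confirmed"
    return names[0], "mismatch"

def log_line(event, ip, ptr=lookup_ptr, a=lookup_a):
    """Build a log line that always carries the IP address; the reverse
    name is only a hint, tagged with whether the forward confirmed it."""
    ip = str(ipaddress.ip_address(ip))  # rejects a hostname in the IP field
    name, status = classify(ip, ptr, a)
    return f"{event} ip={ip} rdns={name or '-'} rdns_status={status}"

if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "198.51.100.5", "203.0.113.99"):
        print(log_line("login", addr))
```

Because the address is recorded verbatim and the name is only annotated, a reader can still trace the entry after the PTR has changed or vanished, which is the failure the thread describes.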