On Tue, 13 Feb 2007, Edward Lewis wrote:

> At 14:33 -0500 2/13/07, Dean Anderson wrote:
> 
> >draft, but that text was refused by the author. I think most people on
> >the Working Group agree with the statements in my proposed text.
> 
> Dean,
> 
> How did you come to the conclusion that "most people on the Working 
> Group agree with" you on this?  I point out that you say "most 
> people."

The past history of this document shows that most people do not agree
with, say, Robert Story.  Mans Nielson etc. have favored the very first 
draft, and every draft since for several years. 

I think it's funny that Andrew Sullivan just said that he's seen only one
person agree with me.  I count in this __recent__ discussion a very few
people participating, yet Ted Lemon and JINMEI Tatuya have posted comments
in general agreement with my views.

I think the history of discussion of this document shows that most
people here agree with the following three statements:

1   DNS PTR records are entirely optional, and MUST NOT be assumed to
   exist.  Software MUST NOT fail or incur delay as a result of the non-
   existence of PTR records.

2   Unauthenticated DNS MUST NOT be relied on for security or trust
   decisions.  Even when DNSSEC is used to verify the authenticity of
   DNS records, matching reverse and forward records do not imply either
   improved security or trustworthiness over sites that either do not
   have reverse DNS or that do not have matching forward/reverse DNS.

3   DNS records MUST NOT be used in logs instead of IP addresses.
   Logging only the PTR resource records instead of the IP address is
   vulnerable, since attackers may have used long names that will either
   become truncated by many logging systems, or require up to 255 bytes
   to store.  Logging both IP address and DNS PTR records may be helpful
   but one must also consider that the 255 byte per record space
   requirement does not become a DoS attack on the logging system.

If most people agreed with say, Robert Story's views, the first draft
would have been approved years ago.  I don't mean to unduly pick on Mr.
Story, but he is a sample representative of a certain camp that for
years has been trying to promote a certain notion of reverse DNS, and
that notion has been rejected in draft after draft for years and years.

Each successive draft has become more and more vague, from near to Mr.  
Story's example of "dialup" to the current description which is entirely
vague about whether these are rational uses or irrational uses. I think
Ted Lemon spoke the historical view of the group in his response to Mr.  
Story.  I think most people (in the group and in the world) think such
reverse filtering is a non-starter.

But if you think I'm wrong about what the group thinks, then I'd be more
than happy to have a vote on the 3 paragraphs above. Such a vote could
certainly promote some progress since then we might simply tell the
editors that their document must be consistent with these three
paragraphs or it won't be considered.  And if the Group votes that those
three paragraphs aren't true, then I would have to agree that there is
no point in objecting to this draft (or any of the previous drafts),
since the fundamental conditions for objection aren't supported by the
Group.

I have an alternative draft that I will submit shortly.  It will include
the 3 paragraphs above, plus additional material relevant to reverse
DNS.

                --Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
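Added example, not part of Dean Anderson's message or of any DNSOP draft: a small Python log-formatting routine illustrating statements 1 and 3 of the message above. It always records the IP address first and treats the PTR name as an optional, sanitized, length-bounded annotation, so a missing PTR record causes no failure and an attacker-controlled name can neither push the address past a line-length cut-off nor inject fake fields into the log. All names (`format_log_line`, `sanitize_ptr`, `ip_survives_truncation`, `name_first_line`), the 253-character bound and the permitted character set are this example's own assumptions; the sample names and addresses are constructed.

```python
import ipaddress
import re
from typing import Optional

# Assumed bound for the logged PTR field: the text form of a DNS name is at
# most 253 characters (the wire form is limited to 255 octets), so anything
# longer is by definition not a real name and is cut off and marked.
MAX_NAME_LEN = 253

# Assumed character allow-list for a logged hostname. Anything outside it
# (control characters, spaces, '=' and so on) is replaced so that a PTR target
# cannot inject line breaks or fake key=value fields into the log line.
_UNSAFE_NAME_CHARS = re.compile(r"[^A-Za-z0-9.\-_]")


def sanitize_ptr(name: Optional[str]) -> str:
    """Return a log-safe rendering of a PTR target, or '-' if there is none.

    A missing or empty name is a normal condition (statement 1), not an error.
    """
    if not name:
        return "-"
    cleaned = _UNSAFE_NAME_CHARS.sub("?", name.rstrip("."))
    if len(cleaned) > MAX_NAME_LEN:
        # Keep a bounded prefix and mark the cut explicitly so a reader can
        # tell a truncated field from a genuine short name.
        cleaned = cleaned[:MAX_NAME_LEN - 3] + "..."
    return cleaned


def format_log_line(event: str, client_ip: str, ptr_name: Optional[str] = None) -> str:
    """Build a log line in which the IP address is the primary identifier.

    The PTR name, if any, is appended as a secondary annotation (statement 3).
    Putting the fixed-size address before the variable-size name means a
    logging system that cuts long lines still keeps the address.
    """
    addr = ipaddress.ip_address(client_ip)  # rejects strings that are not addresses
    return f"{event} ip={addr} ptr={sanitize_ptr(ptr_name)}"


def name_first_line(event: str, client_ip: str, ptr_name: Optional[str] = None) -> str:
    """Anti-pattern shown for contrast: unbounded name first, address last."""
    return f"{event} host={ptr_name or '-'} ip={client_ip}"


def ip_survives_truncation(line: str, width: int) -> bool:
    """True if the complete ip= field fits within the first `width` columns.

    Models a logging system that truncates each line at `width` characters.
    """
    match = re.search(r"ip=\S+", line)
    return match is not None and match.end() <= width


if __name__ == "__main__":
    # Constructed inputs: a long attacker-controlled PTR target, a PTR target
    # carrying a newline and a fake field, and a client with no PTR at all.
    long_name = "a" * 300
    injecting_name = "evil.example\nACCEPT ip=10.0.0.1"
    for ip, ptr in [("192.0.2.10", long_name),
                    ("192.0.2.11", injecting_name),
                    ("2001:db8::1", None)]:
        good = format_log_line("login", ip, ptr)
        bad = name_first_line("login", ip, ptr)
        print(good)
        print("  ip survives 80-column cut (ip first):", ip_survives_truncation(good, 80))
        print("  ip survives 80-column cut (name first):", ip_survives_truncation(bad, 80))
```

The choice to sanitize rather than reject odd names keeps the logger from failing on unexpected PTR data, which is the point of statement 1: the address is always written, and the name only adds information when it is well-behaved.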
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop