On Tue, 13 Feb 2007, Edward Lewis wrote:

> At 14:33 -0500 2/13/07, Dean Anderson wrote:
>
> >draft, but that text was refused by the author. I think most people on
> >the Working Group agree with the statements in my proposed text.
>
> Dean,
>
> How did you come to the conclusion that "most people on the Working
> Group agree with" you on this? I point out that you say "most
> people."

The past history of this document shows that most people do not agree with, say, Robert Story. Mans Nielson etc. have favored the very first draft, and every draft since, for several years. I think it's funny that Andrew Sullivan just said that he's seen only one person agree with me. I count in this __recent__ discussion a very few people participating, yet Ted Lemon and JINMEI Tatuya have posted comments in general agreement with my views.

I think the history of discussion of this document shows that most people here agree with the following three statements:

1. DNS PTR records are entirely optional, and MUST NOT be assumed to exist. Software MUST NOT fail or incur delay as a result of the non-existence of PTR records.

2. Unauthenticated DNS MUST NOT be relied on for security or trust decisions. Even when DNSSEC is used to verify the authenticity of DNS records, matching reverse and forward records do not imply either improved security or trustworthiness over sites that either do not have reverse DNS or that do not have matching forward/reverse DNS.

3. DNS records MUST NOT be used in logs instead of IP addresses. Logging only the PTR resource records instead of the IP address is vulnerable, since attackers may have used long names that will either become truncated by many logging systems, or require up to 255 bytes to store. Logging both IP address and DNS PTR records may be helpful, but one must also consider that the 255 byte per record space requirement does not become a DOS attack on the logging system.

If most people agreed with, say, Robert Story's views, the first draft would have been approved years ago. I don't mean to unduly pick on Mr. Story, but he is a sample representative of a certain camp that for years has been trying to promote a certain notion of reverse DNS, and that notion has been rejected in draft after draft for years and years. Each successive draft has become more and more vague, from near to Mr. Story's example of "dialup" to the current description, which is entirely vague about whether these are rational uses or irrational uses. I think Ted Lemon spoke the historical view of the group in his response to Mr. Story. I think most people (in the group and in the world) think such reverse filtering is a non-starter.

But if you think I'm wrong about what the group thinks, then I'd be more than happy to have a vote on the 3 paragraphs above. Such a vote could certainly promote some progress, since then we might simply tell the editors that their document must be consistent with these three paragraphs or it won't be considered. And if the Group votes that those three paragraphs aren't true, then I would have to agree that there is no point in objecting to this draft (or any of the previous drafts), since the fundamental conditions for objection aren't supported by the Group.

I have an alternative draft that I will submit shortly. It will include the 3 paragraphs above, plus additional material relevant to reverse DNS.

--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net    faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop
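Statements 1 and 3 in the message above describe how a logger should treat reverse DNS. The following is an added example, not code from this thread or from any DNSOP draft, showing one way a defender could implement that: the record is always keyed on the IP address, the PTR lookup runs under a hard deadline so a missing or slow answer never fails or delays the caller, and the name is bounded to 255 bytes and a conservative character allow-list before it reaches the log. The resolver stand-ins (`sample_lookup`, `slow_lookup`) and the sample answers are constructed for the example.

```python
import concurrent.futures
import ipaddress
import string
import time

# Maximum length of a DNS name (RFC 1035); longer answers are malformed or hostile.
MAX_NAME_LEN = 255
# Deliberately conservative allow-list for what may appear in the ptr= field.
SAFE_CHARS = set(string.ascii_letters + string.digits + "-._")

# Constructed sample PTR answers standing in for a real resolver.
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.net.",
    "192.0.2.11": None,                                          # no PTR record
    "192.0.2.12": "a" * 300 + ".example.net.",                   # oversized name
    "192.0.2.13": "host.example.net.\nroot login from 10.0.0.1",  # log injection
}

def sample_lookup(ip):
    """Stand-in PTR query; raises for one address to mimic a resolver error."""
    if ip == "192.0.2.14":
        raise RuntimeError("SERVFAIL")
    return SAMPLE_PTR.get(ip)

def slow_lookup(ip):
    """Stand-in for a resolver that answers far too late."""
    time.sleep(1.0)
    return "slow.example.net."

def bounded_ptr(ip, lookup, timeout_s=0.2):
    """Run lookup under a hard deadline; timeout, error, or a bad name all yield None."""
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    fut = pool.submit(lookup, ip)
    try:
        name = fut.result(timeout=timeout_s)
    except Exception:  # concurrent.futures.TimeoutError, resolver errors, anything else
        name = None
    finally:
        pool.shutdown(wait=False)  # never block the caller on a straggling lookup
    if not name or len(name) > MAX_NAME_LEN or any(c not in SAFE_CHARS for c in name):
        return None
    return name

def log_record(ip, lookup=sample_lookup, timeout_s=0.2):
    """The IP is always logged; the PTR name is an optional, unverified annotation."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    name = bounded_ptr(str(addr), lookup, timeout_s)
    status = "unverified" if name else "none"
    return f"src={addr} ptr={name or '-'} ptr_status={status}"
```

The `ptr_status` field is deliberately never "verified": as statement 2 notes, a matching forward/reverse pair is not a trust decision, so the name is an annotation for analysts rather than an identity.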