From: Mwendwa Kivuva <kiv...@transworldafrica.com>
Date: Thursday, October 23, 2014 7:23 AM
To: dnsop <dnsop@ietf.org>
Subject: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers
> Referring to the draft by Lee Howard
> https://tools.ietf.org/html/draft-howard-dnsop-ip6rdns-00
>
> and given the weakness of the Reverse DNS access for security purposes, what
> problem is this draft trying to solve?

There is a common expectation that ISPs will populate PTR records for their customers. In my opinion, that is an unreasonable expectation, since ISPs do not have host names for customers, so they usually make up a name. That seems pretty useless to me. However, I don't think that is a consensus opinion, so it's not what the draft says.

The problem I'm trying to solve is how to do that in IPv6. I think the recommendations do represent consensus: try to get host names and reverse zone under the same authority (whether home or ISP), or have the authority inform the other. If you can't do that, making something up is better than nothing, but not strictly required.

> If we need to find the host that has sent an email associated with an
> address, would we better let DKIM address that without a separate lookup in
> the receiving server? DKIM detects email spoofing by using digital signature
> allowing receiving mail exchangers to check that incoming mail from a domain
> is authorized by that domain's administrators.

Absolutely! It may be reasonable to say that all legitimate mail servers will have a PTR record that matches an A/AAAA record; that alone is not enough to decide that a sender is safe. The only mention in the draft is this:

    For instance, most email providers will not accept incoming connections
    on port 25 unless forward and reverse DNS entries match. If they match,
    but information higher in the stack (for instance, mail source) is
    inconsistent, the packet is questionable. These records may be easily
    forged though, unless DNSsec or other measures are taken. The string of
    inferences is questionable, and may become unneeded if other means for
    evaluating trustworthiness (such as positive reputations) become
    predominant in IPv6.

I didn't specifically call out DKIM as one of those "other means for evaluating trustworthiness," but I could. Use of reverse DNS in email is only one use case for reverse DNS, and I agree that relying on it is, well, "questionable."

Lee

> Is there a better way to approach the problem?
>
> ______________________
> Mwendwa Kivuva, Nairobi, Kenya
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop