On Wed, Nov 05, 2014 at 12:50:42PM -0800, Paul Vixie wrote:
> the lack of consensus means it can't be a proposed standard, not that it
> can't be an FYI, BCP or similar, right?

AFAIK we were planning only for informational.  The chairs called
WGLC, it ran, there was some ranting, then some months later one of
the chairs told me that they weren't sure what to do.  To publish
something as a WG document, you still need consensus to get it out of
the group.
 
> the fact of the network is, without a PTR you will have a hard time
> originating TCP/25. we should say that.

You'd think.  Here's the fully-watered text on that topic that the WG
still couldn't agree to:

   Some anti-spam systems use the reverse tree to verify existing
   reverse mapping, or to check for matching reverse mapping.  Some mail
   servers have the ability to perform such checks at the time of
   negotiation, and to reject mail from hosts that do not have matching
   reverse mappings for their hostnames.  These PTR checks sometimes
   include databases of well-known conventions for generic names (for
   example, PTR records for dynamically-assigned hostnames and IP
   addresses), and may allow complicated rules for quarantining or
   filtering mail from unknown or suspect sources.  Even some very large
   ISPs are reported to refuse mail from hosts without a reverse
   mapping.  Often, the reverse map check is not used on its own, but is
   used as part of a scoring system in an attempt to indicate the
   probability that a given email message is spam.
 
> another fact is, not everyone who should be able to (non-maliciously)
> access your web service will have a PTR. we should say that, too.

Again, fully watered-down:

   Especially in the absence of strong anti-spoofing mechanisms, like
   the DNS Security Extensions, a check for matching reverse DNS mapping
   should be regarded as an extremely weak form of authentication.  

[…]

   Reverse mapping tests can give the administrator a false sense of
   security.  There is little evidence that a reverse mapping test
   provides much in the way of security (see above), and may make
   troubleshooting in the case of DNS failure more difficult.
[…]

   Applications should not rely on reverse mapping for proper operation,
   although functions that depend on reverse mapping will obviously not
   work in its absence.  Operators and users are reminded that the use
   of the reverse tree, sometimes in conjunction with a lookup of the
   name resulting from the PTR record, provides no real security, can
   lead to erroneous results and generally just increases load on DNS
   servers. Further, in cases where address block holders fail to
   properly configure reverse mapping, users of those blocks are
   penalized.

Re-reading it today, it seems to me the text was altogether milquetoast.

A

-- 
Andrew Sullivan
a...@anvilwalrusden.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
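The draft text quoted above describes the check mail servers actually run: take the PTR for the connecting address, look up the resulting name forward, and see whether the original address comes back (forward-confirmed reverse DNS), often combined with a "generic name" heuristic and folded into a score rather than used as a hard reject. The following is an added illustration, not code from the draft, from the list or from any MTA. It runs offline against constructed PTR/A data in the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges; the zone contents, the generic-name pattern, the score weights and the disposition threshold are all assumptions chosen to exercise the four outcomes the draft warns about (match, mismatch, no PTR, DNS failure).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed DNS data for an offline demonstration (hypothetical names and
# addresses; a real check would ask a resolver).  Keys of PTR_ZONE are the
# in-addr.arpa owner names ipaddress.reverse_pointer produces.
PTR_ZONE: Dict[str, str] = {
    "10.2.0.192.in-addr.arpa": "mail.example.net",            # proper mapping
    "11.2.0.192.in-addr.arpa": "192-0-2-11.dyn.example.net",  # generic/dynamic-looking
    "12.2.0.192.in-addr.arpa": "ghost.example.org",           # PTR exists, forward disagrees
    # 192.0.2.13 deliberately has no PTR at all
}
A_ZONE: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "192-0-2-11.dyn.example.net": ["192.0.2.11"],
    "ghost.example.org": ["198.51.100.7"],
}
FLAKY = {"14.2.0.192.in-addr.arpa"}  # 192.0.2.14: simulated resolver timeout


class DNSError(Exception):
    """Temporary resolution failure (timeout, SERVFAIL)."""


def lookup_ptr(ip: str) -> Optional[str]:
    """Return the PTR target for ip, None if NXDOMAIN, raise on failure."""
    owner = ipaddress.ip_address(ip).reverse_pointer
    if owner in FLAKY:
        raise DNSError(f"timeout resolving {owner}")
    return PTR_ZONE.get(owner)


def lookup_a(host: str) -> List[str]:
    """Return the forward addresses for host (empty list if none)."""
    return A_ZONE.get(host, [])


# Assumed convention for "generic" names: dyn/dhcp/pool labels or an
# embedded dotted/dashed address.  Real blocklists keep far larger tables.
GENERIC_NAME = re.compile(
    r"(\bdyn\b|dhcp|pool|\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3})",
    re.IGNORECASE,
)


@dataclass
class RdnsResult:
    verdict: str              # "match", "mismatch", "no_ptr" or "dns_error"
    ptr_name: Optional[str]   # name the reverse tree handed back, if any
    generic: bool             # PTR name looks like a dynamic-pool convention


def check_fcrdns(ip: str,
                 ptr: Callable[[str], Optional[str]] = lookup_ptr,
                 forward: Callable[[str], List[str]] = lookup_a) -> RdnsResult:
    """Forward-confirmed reverse DNS: PTR(ip) -> name, then A(name) must contain ip."""
    try:
        name = ptr(ip)
        if name is None:
            return RdnsResult("no_ptr", None, False)
        addrs = forward(name)
    except DNSError:
        # Distinguish "could not look it up" from "looked it up and it is wrong":
        # treating a resolver outage as a bad mapping is what makes DNS
        # failures so painful to troubleshoot.
        return RdnsResult("dns_error", None, False)
    generic = bool(GENERIC_NAME.search(name))
    verdict = "match" if ip in addrs else "mismatch"
    return RdnsResult(verdict, name, generic)


# Assumed weights: the reverse-map result is one input to a score, not a
# decision by itself, as the draft text describes.
SCORES = {"match": 0, "mismatch": 2, "no_ptr": 3, "dns_error": 0}


def spam_score(result: RdnsResult) -> int:
    score = SCORES[result.verdict]
    if result.generic:
        score += 2
    return score


def disposition(ip: str, threshold: int = 3) -> str:
    """Map the check to an SMTP-time decision: accept, reject or tempfail."""
    result = check_fcrdns(ip)
    if result.verdict == "dns_error":
        return "tempfail"   # let a legitimate sender retry once DNS recovers
    return "reject" if spam_score(result) >= threshold else "accept"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"):
        r = check_fcrdns(ip)
        print(f"{ip:12} {r.verdict:10} generic={r.generic!s:5} "
              f"score={spam_score(r)} -> {disposition(ip)}")
```

Note that nothing in the check is authenticated: whoever controls the reverse zone for the address block can publish any PTR, and whoever controls the forward zone for that name can make it confirm, which is exactly why the draft calls a matching reverse mapping an extremely weak form of authentication. The `tempfail` branch is a design choice for the troubleshooting point: a 4xx response on resolver failure is recoverable, whereas a permanent reject silently penalizes senders whose provider has merely misconfigured or lost the reverse tree.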
