I've done a little more digging on the Kerberos use case.

Here's an email thread from a discussion of whether to change the default
behavior:
http://mailman.mit.edu/pipermail/kerberos/2011-July/017313.html

The one person who explained his use cases also later said (in all caps) he
knew it needed to change eventually.

And here's the RFC saying it's wrong: rfc4120 (from that thread).

Lee



From:  George Michaelson <g...@algebras.org>
Date:  Wednesday, November 12, 2014 6:07 AM
To:  Dan York <y...@isoc.org>
Cc:  Warren Kumari <war...@kumari.net>, Lee Howard <l...@asgard.org>, DNSOP
WG <dnsop@ietf.org>
Subject:  Re: [DNSOP] Using PTRs for security validation is stupid

> The irony in SSH is that it's a two-way strongly authenticated connection
> (assuming you do client keys). So perhaps the sense of the story is that where
> proof-of-identity is innately part of the exchange, it makes little sense to
> deploy a barrier to entry like PTR checking, since you are using significantly
> better protections against the wrong person being given access.
> 
> PTR records permit IP address administrators with access to DNS configurations
> to associate DNS names with their addresses. The informative value this has
> should not be conflated with any stronger checks, and adds little to the
> decision to accept a connection to a service beyond the log value of the
> address holder's assertion. If you chose to demand a forward-reverse
> association to exist, you are very likely to exclude access in situations you
> did not wish to.
> 
> -G
> 
> On Wed, Nov 12, 2014 at 5:59 AM, Dan York <y...@isoc.org> wrote:
>> Lee, 
>> 
>> Warren, in his own unique style, made a point that I was wondering about...
>> 
>> On Nov 11, 2014, at 9:30 PM, Warren Kumari <war...@kumari.net> wrote:
>> 
>>>> I heard applause during the WG meeting in response to these statements;
>>>> sounded like consensus to me. I said I would check that consensus on list.
>>> 
>>> I think that there is consensus that it is stupid. There is also
>>> consensus that using a fork to get the stuck toast out of the toaster
>>> is a bad idea -- however....
>> 
>> ... namely that I think probably all of us on the list can agree 100% that
>> having SSH servers reject connections from IP addresses without PTRs is
>> stupid.   I haven't seen anyone chime in publicly that they think it *is* a
>> good idea... and I doubt we will.
>> 
>> But now what?
>> 
>> I'm not sure that there's necessarily a whole lot of value in us coming out
>> with a document "Using PTRs To Reject SSH Connections Considered Harmful" - I
>> don't know that our doing so will necessarily motivate the authors of SSH
>> servers to change anything. Certainly I think the SSH case could be listed in
>> your document of bad things people do with PTRs in IPv4 that will break in
>> IPv6.
>> 
>> Where are you trying to go with this note about consensus?
>> 
>> A bit puzzled,
>> Dan
>> 
>> --
>> Dan York
>> Senior Content Strategist, Internet Society
>> y...@isoc.org   +1-802-735-1624
>> Jabber: y...@jabber.isoc.org
>> Skype: danyork   http://twitter.com/danyork
>> 
>> http://www.internetsociety.org/deploy360/
>> 
>> 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>> 
> 

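The "forward-reverse association" George describes is the forward-confirmed reverse DNS (FCrDNS) check. The following script is an added example, not code from the thread or from any SSH server: it implements that check against constructed, in-memory lookup tables (the `PTR_RECORDS` and `ADDRESS_RECORDS` names and the example.net hosts are hypothetical stand-ins for real resolver queries) and then applies it as a connection gate, so you can see exactly which clients a strict policy turns away: every address with no PTR, a PTR whose name has no forward records, or a PTR whose name resolves elsewhere.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as a connection gate.

Added example. DNS data below is constructed sample data (documentation
prefixes 192.0.2.0/24 and 2001:db8::/32, hypothetical example.net names)
so the script runs offline; a real deployment would query the resolver.
"""
import ipaddress

# Constructed PTR data: address -> name. Two addresses deliberately have no PTR.
PTR_RECORDS = {
    "192.0.2.10": "host1.example.net",    # PTR and A agree
    "192.0.2.11": "host2.example.net",    # PTR exists, forward points elsewhere
    "2001:db8::10": "host1.example.net",  # PTR and AAAA agree
    "2001:db8::13": "lab.example.net",    # PTR exists, name has no address records
    # 192.0.2.12 and 2001:db8::12 have no PTR at all
}

# Constructed A/AAAA data: name -> set of addresses.
ADDRESS_RECORDS = {
    "host1.example.net": {"192.0.2.10", "2001:db8::10"},
    "host2.example.net": {"192.0.2.99"},
}


def reverse_lookup(ip):
    """Stand-in for a PTR query. Normalises the address so that
    2001:0db8:0000::10 and 2001:db8::10 hit the same entry."""
    return PTR_RECORDS.get(str(ipaddress.ip_address(ip)))


def forward_lookup(name):
    """Stand-in for A/AAAA queries on a name (case-insensitive, trailing dot ignored)."""
    return ADDRESS_RECORDS.get(name.lower().rstrip("."), set())


def fcrdns(ip):
    """Return (verdict, ptr_name) for an address.

    verdict is one of:
      'match'       PTR exists and its name resolves back to this address
      'no-ptr'      the address has no PTR record
      'no-forward'  the PTR name has no A/AAAA records
      'mismatch'    the PTR name resolves, but not to this address
    """
    addr = ipaddress.ip_address(ip)
    name = reverse_lookup(ip)
    if name is None:
        return "no-ptr", None
    forward = {ipaddress.ip_address(a) for a in forward_lookup(name)}
    if not forward:
        return "no-forward", name
    if addr in forward:
        return "match", name
    return "mismatch", name


def accept(ip, require_fcrdns):
    """Gate a connection on the FCrDNS result.

    require_fcrdns=False: the PTR is informational only (log it, never gate on it).
    require_fcrdns=True:  anything other than 'match' is rejected, which is the
                          behaviour the thread argues against.
    """
    verdict, _ = fcrdns(ip)
    return verdict == "match" if require_fcrdns else True


def evaluate(clients, require_fcrdns):
    """Map each client address to whether the policy would accept it."""
    return {ip: accept(ip, require_fcrdns) for ip in clients}


def rejected(clients, require_fcrdns):
    """List the clients the policy turns away, in input order."""
    return [ip for ip, ok in evaluate(clients, require_fcrdns).items() if not ok]


# Constructed list of connecting clients, mixing IPv4 and IPv6.
CLIENTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12",
           "2001:db8::10", "2001:db8::12", "2001:db8::13"]

if __name__ == "__main__":
    for ip in CLIENTS:
        verdict, name = fcrdns(ip)
        print(f"{ip:14} {verdict:11} ptr={name}")
    print("rejected with require_fcrdns=True: ", rejected(CLIENTS, True))
    print("rejected with require_fcrdns=False:", rejected(CLIENTS, False))
```

Under the strict policy four of the six constructed clients are refused, and only one of them (the mismatch) is even arguably suspicious; the two addresses without PTRs are simply hosts whose address administrator never published one, which is the common case for IPv6. Logging the verdict while leaving `require_fcrdns` off keeps the informative value of the PTR without turning it into the barrier to entry the thread objects to.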
