Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Ted Lemon
On Nov 12, 2014, at 5:37 PM, Tony Hain wrote: > It may > be worth pointing out that cpu cycles are cheap, and that the time / > networking resources needed to do a ptr check may now exceed the cost of > just accepting all connection attempts. That makes sense.

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Tony Hain
Ted Lemon wrote: ... > 3. For ssh, PTR records are completely useless, so there is no reason to add > them to address this use case. > I am not trying to justify their use, and have no specific knowledge about how the practice got started, but would observe that 15+ years ago a ptr existence check

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Ted Lemon
On Nov 12, 2014, at 3:05 PM, Antonio Querubin wrote: > Actually it is. I'm on the nat64 network and my address maps back to > nat64.meeting.ietf.org. That's the IPv4 address. I was mistakenly thinking I was using an IPv6 address. :)

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Antonio Querubin
On Wed, 12 Nov 2014, Ted Lemon wrote: It is not doing this for IPv6 web queries (the IETF network isn't doing PTR records, and I'm on the nat64 network, so not going to the IPv4 www server). Actually it is. I'm on the nat64 network and my address maps back to nat64.meeting.ietf.org. -- An

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Ted Lemon
On Nov 12, 2014, at 3:00 PM, Ted Lemon wrote: > It is not doing this for IPv6 web queries (the IETF network isn't doing PTR > records, and I'm on the nat64 network, so not going to the IPv4 www server). Hm, I guess the IPv6 address I got for nytimes was a NAT64 address. Nevermind.

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Ted Lemon
On Nov 12, 2014, at 11:11 AM, Paul Ebersman wrote: > Not sure if it's still the case but did confirm a couple of years ago > that NYT web access breaks if you don't have some kind of PTR. Doesn't > matter what's in it; you just need non-NXDOMAIN response. It is not doing this for IPv6 web queries

Re: [DNSOP] Spartacus and new record types

2014-11-12 Thread Brian Dickson
Sent from my iPhone > On Nov 12, 2014, at 1:26 PM, Mark Andrews wrote: > > > In message > , Brian > Dickson writes: >> >> IIRC, there is support for generic-named types similar to BIND's record >> type name/number thing. > > It is RFC3597 format not "BIND's record name/number thing". Yes

Re: [DNSOP] Spartacus and new record types

2014-11-12 Thread Mark Andrews
In message , Brian Dickson writes: > > IIRC, there is support for generic-named types similar to BIND's record > type name/number thing. It is RFC3597 format not "BIND's record name/number thing". > The RRTYPE would be a given a name which is something like "rrtype", > and numeric value

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Lee Howard
I've done a little more digging on the Kerberos use case. Here's an email thread from discussion whether to change the default behavior: http://mailman.mit.edu/pipermail/kerberos/2011-July/017313.html The one person who explained his use cases also later said (in all caps) he knew it needed to ch

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Paul Vixie
> Bob Harold > Wednesday, November 12, 2014 1:41 PM > > > It looks to me like NYT only has IPv4, so there might be a PTR on the > IPv4 that your IPv6 gets translated to? all my home clients are dual-stack v4/v6. (i was comcast's first native dual-stack customer, yay m

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Bob Harold
On Wed, Nov 12, 2014 at 4:35 PM, Paul Vixie wrote: > ... > > Not sure if it's still the case but did confirm a couple of years ago > that NYT web access breaks if you don't have some kind of PTR. Doesn't > matter what's in it; you just need non-NXDOMAIN response. > > > fwiw, none of my home ipv6

Re: [DNSOP] Spartacus and new record types

2014-11-12 Thread Jay Daley
There are basically two approaches to handling new record types in any 'DNS language' definition: 1. Have a good extension mechanism built in; or 2. Issue an updated language specification each time a new record is agreed. Personally I think 2 is a big step backwards and 1 is much easier if th

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Paul Vixie
> Paul Ebersman > Wednesday, November 12, 2014 1:11 PM > ... > > Not sure if it's still the case but did confirm a couple of years ago > that NYT web access breaks if you don't have some kind of PTR. Doesn't > matter what's in it; you just need non-NXDOMAIN response

Re: [DNSOP] Spartacus and new record types

2014-11-12 Thread Mehmet Akcin
Second this. Also please do a brief wikipedia search before picking the next name? Mehmet > On Nov 12, 2014, at 11:27 AM, Phillip Hallam-Baker > wrote: > > Can we change the name, please? > > Spartacus Club was the name of the pedophile rapist organization at > the center of the ongoing

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Paul Wouters
On Wed, 12 Nov 2014, George Michaelson wrote: I would be asking anyone who says VerifyReverseMapping on by default, and VerifyHostKeyDNS likewise, should justify their position. VerifyHostKeyDNS is about using SSHFP records in DNS. There is a clear benefit unless you want to make a phone call

Re: [DNSOP] Spartacus and new record types

2014-11-12 Thread Phillip Hallam-Baker
Can we change the name, please? Spartacus Club was the name of the pedophile rapist organization at the center of the ongoing UK criminal enquiry involving 8 MPs and three police forces. There is also an international dimension. There is a significant probability it is going to become a PR lia

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread George Michaelson
I would be asking anyone who says VerifyReverseMapping on by default, and VerifyHostKeyDNS likewise, should justify their position. Because the collective wisdom I'm seeing here is that it's a false benefit, and considering what SSH is, and what it seeks to do, it's rather sad to be driven down a str

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Paul Ebersman
paul> Actually, distros try to use a dir.d/*.conf type structure these paul> days for exactly this reason. It allows base options that are paul> untouched to be upgraded even if there are custom user paul> options. openssh is one of those that unfortunately does not paul> support that. Thanks for

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Paul Ebersman
ebersman> There is the NYT web site case and maybe others. TLemon> 'splain? I'm not finding anything with google. Not sure if it's still the case but did confirm a couple of years ago that NYT web access breaks if you don't have some kind of PTR. Doesn't matter what's in it; you just need non

Re: [DNSOP] Spartacus and new record types

2014-11-12 Thread Brian Dickson
IIRC, there is support for generic-named types similar to BIND's record type name/number thing. The RRTYPE would be a given a name which is something like "rrtype", and numeric value associated with the name, which is . The RDATA would be encoded as a specified-length base-64 encoded bina

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Paul Wouters
On Wed, 12 Nov 2014, Paul Ebersman wrote: Yup... There is discussion in a couple of distro web sites on changing this default but while most novice sysadmins will tend to use distros, if they upgrade, it doesn't stomp the /etc files. That's usually a feature. In this case, it means we're going t

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Paul Wouters
On Wed, 12 Nov 2014, Lee Howard wrote: You've combined issues. Mail servers rejecting mail from unmanaged networks (such as houses) is a feature. There is no such thing as a "mail server". There are hosts on the internet, and some of them send and receive email. Access Providers love restrict

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Ted Lemon
On Nov 12, 2014, at 8:58 AM, Paul Ebersman wrote: > There is the NYT web site case and maybe others. 'splain? I'm not finding anything with google. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] PTR usage cases for networking Re: Using PTRs for security validation is stupid

2014-11-12 Thread Paul Ebersman
ogud> The usage case that got brought up at the mike ``PTR records are ogud> used by logging systems''  got me thinking ``when does a logging ogud> system need this information''  and the answer is I think ``when a ogud> human is looking at the log'' in all other cases if the system is ogud> runni

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Paul Ebersman
TLemon> There may be some other reason why a bogus PTR record is better TLemon> than no PTR record, but we are at present not aware of such a TLemon> reason. There is the NYT web site case and maybe others. In the past, ISPs have just pre-populated v4 PTRs because it wasn't hard to do in config

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Ted Lemon
On Nov 12, 2014, at 5:59 AM, Dan York wrote: > Where are you trying to go with this note about consensus? I will not speak for Lee, but where I would _like_ him to go is to simply point out the reasons why policies like this don't make sense. We don't even need to tell people not to do it; ju

Re: [DNSOP] PTR usage cases for networking Re: Using PTRs for security validation is stupid

2014-11-12 Thread Doug Barton
On 11/12/14 9:48 AM, Olafur Gudmundsson wrote: The usage case that got brought up at the mike “PTR records are used by logging systems” got me thinking “when does a logging system need this information” and the answer is I think “when a human is looking at the log” in all other cases if the syste

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Ted Lemon
On Nov 12, 2014, at 6:37 AM, Paul Ebersman wrote: > Yup... There is discussion in a couple of distro web sites on changing > this default but while most novice sysadmins will tend to use distros, > if they upgrade, it doesn't stomp the /etc files. That's usually a > feature. In this case, it means

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Ted Lemon
On Nov 12, 2014, at 6:33 AM, John Kristoff wrote: > Which ones? OpenSSH does not. It has a 'UseSSH' option that is often > enabled by default, but all this does is log a message if the PTR name > of the client address doesn't match the address when the name is then > resolved. Dropbear has it d

Re: [DNSOP] PTR usage cases for networking Re: Using PTRs for security validation is stupid

2014-11-12 Thread Richard Clayton
In message <76f43494-b863-4e1e-ad5d-29e34b650...@ogud.com>, Olafur Gudmundsson writes >Thus I would say the usage case is “a log processing tool MAY do PTR lookups” >the real information about addresses can be extracted from other sources as >well

Re: [DNSOP] New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Mark Andrews
In message , Tony Finch writes: > Paul Hoffman wrote: > > > > > I thought the idea of validating the zone transfer before putting the zone > > > live was interesting. I could probably lash up a script to do that along > > > the lines of the following, though it also needs to check the KSK matche

Re: [DNSOP] PTR usage cases for networking Re: Using PTRs for security validation is stupid

2014-11-12 Thread Andrew Sullivan
On Wed, Nov 12, 2014 at 07:48:19AM -1000, Olafur Gudmundsson wrote: > Thus I would say the usage case is “a log processing tool MAY do PTR lookups” There's no reason to suppose that the name a source has at the time you look at the log is the one that it had when it performed the action. I think

[DNSOP] PTR usage cases for networking Re: Using PTRs for security validation is stupid

2014-11-12 Thread Olafur Gudmundsson
On Nov 11, 2014, at 5:48 PM, Lee Howard wrote: > Many SSH servers (by default) reject connections from IP addresses without > PTRs. > This is stupid. > > I heard applause during the WG meeting in response to these statements; > sounded like consensus to me. I said I would check that consensus o

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Lee Howard
On 11/11/14 9:30 PM, "Warren Kumari" wrote: >On Tue, Nov 11, 2014 at 5:48 PM, Lee Howard wrote: >> Many SSH servers (by default) reject connections from IP addresses >>without >> PTRs. >> This is stupid. >> > >dun't matter if it is stupid or not. dun't really matter if requiring >PTRs for mail

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Paul Ebersman
kumari> I think that there is consensus that it is stupid. There is also kumari> consensus that using a fork to get the stuck toast out of the kumari> toaster is a bad idea -- however york> I'm not sure that there's necessarily a whole lot of value in us york> coming out with a document "Usin

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread John Kristoff
On Tue, 11 Nov 2014 17:48:25 -1000 Lee Howard wrote: > Many SSH servers (by default) reject connections from IP addresses > without PTRs. This is stupid. Which ones? OpenSSH does not. It has a 'UseSSH' option that is often enabled by default, but all this does is log a message if the PTR name

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Tony Finch
Paul Vixie wrote: > > um. "type forward" is a possible zone type in bind9. we do it when we > deliver DNS RBL policy zones. i was not talking about the kind of > forwarding used for recursive service. Yes, I know that. "type forward" does not work if the server you are forwarding to is authoritat

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread George Michaelson
The irony in SSH is that it's a two-way strongly authenticated connection (assuming you do client keys). So perhaps the sense of the story is that where proof-of-identity is innately part of the exchange, it makes little sense to deploy a barrier to entry like PTR checking, since you are using sig

Re: [DNSOP] Using PTRs for security validation is stupid

2014-11-12 Thread Dan York
Lee, Warren, in his own unique style, made a point that I was wondering about... On Nov 11, 2014, at 9:30 PM, Warren Kumari wrote: I heard applause during the WG meeting in response to these statements; sounded like consensus to me. I said I would check that consensus

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Paul Vixie
> Tony Finch > Wednesday, November 12, 2014 7:30 AM > Paul Vixie wrote: >> that's either an argument for listing multiple servers, the first being >> on the loopback, the other(s) being real global root name servers; > > That would probably work. > >> or, instead of tellin

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Tony Finch
Paul Vixie wrote: > > that's either an argument for listing multiple servers, the first being > on the loopback, the other(s) being real global root name servers; That would probably work. > or, instead of telling bind9 "forward only", tell it "forward first". That would not work: you can't for

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Paul Vixie
> Tony Finch > Wednesday, November 12, 2014 7:13 AM > Paul Vixie wrote: >>> With normal DNSSEC validation, resolvers have a way to recover from data >>> corruption. With this local root zone proposal they do not. >> i seem to have missed a step. why? > > If a validating re

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Tony Finch
Paul Vixie wrote: > > it's not the case, period. the root zone happens to be transferred using > TSIG keys between the verisign distribution servers and the root > publication servers. but for most dnssec-secured zones there is no TSIG. That surprises me. > > With normal DNSSEC validation, resol

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Paul Vixie
> Tony Finch > Wednesday, November 12, 2014 2:05 AM > > Right, but DNSSEC usually assumes that the zone transfers themselves are > authenticated, so they can't be corrupted in transit. no. > This is not the case for local root zones. it's not the case, period. the root z

Re: [DNSOP] Fwd: New Version Notification for draft-wkumari-dnsop-root-loopback-01.txt

2014-11-12 Thread Tony Finch
Paul Vixie wrote: > > I thought the idea of validating the zone transfer before putting the zone > > live was interesting. > > this is something deliberately left out of the dnssec design, because it > doesn't obviate validation by query initiators of the underlying data. Right, but DNSSEC usual