Hi Dean,
Thanks for your response. I'm still unclear about a few things, so
I'm replying here.
On Mon, Jan 08, 2007 at 11:01:06AM -0500, Dean Anderson wrote:
>
> The phrase "best if the reverse tree works" implies that somehow
> the reverse tree doesn't work. [. . .] The reverse tree works no
Inline, two messages
On Fri, 5 Jan 2007, Andrew Sullivan wrote:
> > The position of the "security/spam" crowd is that no reverse answer is
> > wrong,
>
> > The opposing position is that any PTR answer is optional,
>
> I think you have a false dichotomy here. The draft is intended to
> say that
Hi Dean,
Thanks for your message. Some additional questions and comments are
inline, below.
On Fri, Jan 05, 2007 at 04:29:13PM -0500, Dean Anderson wrote:
> Right. The disagreement is that your camp thinks there must be an
> affirmative answer to a PTR query that must match a forward name, wher
On Thu, 4 Jan 2007, Andrew Sullivan wrote:
> Since as a matter of history it's a revival of that draft under a
> different filename (as some people objected to the "required"), that
> shouldn't be too surprising.
That's good the title has changed, then. I'm glad for that. I thought
the draft was
Hi Dean,
On Fri, Jan 05, 2007 at 03:13:02PM -0500, Dean Anderson wrote:
> Hmm. So, the word change had nothing to do with security. The draft and
> its advocates _do_ still assert that there is security in matching
> forward/reverse.
As one of the editors of the draft, I would very much apprec
At 15:13 -0500 1/5/07, Dean Anderson wrote:
{suggestion: run two sets of nameservers, one set with public
information, and another set with inside information}
Well that's one solution. (Or using implementation-specific features
that modify responses based on query ancillary data or other
f
On Thu, 4 Jan 2007, Edward Lewis wrote:
> At 13:15 -0500 1/4/07, Dean Anderson wrote:
>
> >address by the machine initiating the query". This incorrect assertion
> >is at the very heart of the mistaken uses of 'reverse DNS as security
> >mechanism'. The correct answer to "what is supposed to be
On Fri, Jan 05, 2007 at 02:42:03PM -0500, Dean Anderson wrote:
> The debate is over "the right answer" given for reverse DNS queries.
I don't think there is anywhere in the draft where anything says
there is "the right answer" for reverse DNS queries. If you have
found text that says that in th
On Thu, 4 Jan 2007, Joe Abley wrote:
>
> On 4-Jan-2007, at 13:15, Dean Anderson wrote:
>
> >In general, the DNS response to a reverse map query for an address
> >ought to reflect what is supposed to be seen at the address by the
> >machine initiating the query.
> >
> > There is no ex
At 13:15 -0500 1/4/07, Dean Anderson wrote:
address by the machine initiating the query". This incorrect assertion
is at the very heart of the mistaken uses of 'reverse DNS as security
mechanism'. The correct answer to "what is supposed to be seen" is
_site_ dependent. Those who think there i
Hi Dean,
On Thu, Jan 04, 2007 at 01:15:56PM -0500, Dean Anderson wrote:
> This is nearly a straight rehash of the ill-fated in-addr draft.
Since as a matter of history it's a revival of that draft under a
different filename (as some people objected to the "required"), that
shouldn't be too sur
On 4-Jan-2007, at 13:15, Dean Anderson wrote:
In general, the DNS response to a reverse map query for an address
ought to reflect what is supposed to be seen at the address by the
machine initiating the query.
There is no exact definition of "what is supposed to be seen at the
address
This is nearly a straight rehash of the ill-fated in-addr draft. As
with that draft, there is a fundamental wrong assumption embedded in the
draft, as exemplified in this sentence of Section 4.1:
In general, the DNS response to a reverse map query for an address
ought to reflect what is
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Domain Name System Operations Working Group of
the IETF.
Title : Considerations for the use of DNS Reverse Mapping
Author(s) : D. Senie, A. Sullivan