[166567] in North American Network Operators' Group


Re: Reverse DNS RFCs and Recommendations

daemon@ATHENA.MIT.EDU (Masataka Ohta)
Wed Oct 30 18:40:08 2013

Date: Thu, 31 Oct 2013 07:42:44 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
To: Andrew Sullivan <asullivan@dyn.com>, nanog@nanog.org
In-Reply-To: <20131030172136.GE525@dyn.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Andrew Sullivan wrote:

>> The classic TCP wrapper had this as one of the security features
> 
> I would agree with that if you'd put scare-quotes around the word
> "security".  In general anyone depending on the reverse tree to
> provide them any kind of security is engaged in wishful thinking,

No, it's you who have wishful thinking.

> particularly if the lookup isn't validated with DNSSEC.

As was discussed recently on the IETF main and DNS MLs, lack of
secure time in most environments makes DNSSEC insecure.

Legal enforcement on zone administrators makes related zones
insecure.

For most users, security by plain DNS with reverse lookup is
fine.

						Masataka Ohta
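The check the thread is arguing about, forward-confirmed reverse DNS as the classic TCP wrapper performed it (reverse lookup, then a forward lookup that must return the original address), as an added example that is not part of the original post. The resolver is injected and the zone data is constructed so it runs offline; the thread's point of contention, that the answers themselves are unauthenticated without DNSSEC, applies equally to this code.

```python
"""Forward-confirmed reverse DNS (FCrDNS): map the client IP to its PTR
name, resolve that name forward, and accept only if the original IP is
among the forward answers. This is the TCP wrapper style check; without
DNSSEC validation the answers it relies on are still plain, unsigned DNS."""
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]  # (owner name, RR type) -> rdata


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa owner name for an IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def fcrdns(ip: str, resolve: Resolver) -> Tuple[bool, str]:
    """Return (accepted, reason). A missing PTR or a PTR whose forward
    lookup does not contain the client IP is rejected, so a host whose
    reverse zone merely claims a trusted name does not pass."""
    ptrs = resolve(reverse_name(ip), "PTR")
    if not ptrs:
        return False, "no PTR record"
    for name in ptrs:
        if ip in resolve(name, "A"):
            return True, f"confirmed {name}"
    return False, "PTR not confirmed by forward lookup: " + ", ".join(ptrs)


# Constructed sample zone data (documentation prefixes, not real hosts).
# 192.0.2.10 has matching reverse and forward records; 192.0.2.20's PTR
# names a host whose A record points elsewhere, the case the forward step
# is there to catch; 192.0.2.30 has no PTR at all.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.net."],
    ("mail.example.net.", "A"): ["192.0.2.10"],
    ("20.2.0.192.in-addr.arpa.", "PTR"): ["trusted.example.org."],
    ("trusted.example.org.", "A"): ["203.0.113.5"],
}


def sample_resolve(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for a stub resolver, backed by SAMPLE_ZONE."""
    return SAMPLE_ZONE.get((name, rrtype), [])


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(addr, fcrdns(addr, sample_resolve))
```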

