[37524] in North American Network Operators' Group


Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS

daemon@ATHENA.MIT.EDU (Adam McKenna)
Tue May 15 06:13:28 2001

Date: Mon, 14 May 2001 23:18:09 -0700
From: Adam McKenna <adam@flounder.net>
To: nanog@nanog.org
Message-ID: <20010514231809.L26145@flounder.net>
Mail-Followup-To: nanog@nanog.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010514172709.B6037@semihuman.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Mon, May 14, 2001 at 05:27:09PM -0400, Christopher A. Woodfield wrote:
> 
> I didn't intend to imply that matching forward/reverse DNS was a security 
> measure I'd trust by itself, but it certainly doesn't hurt to implement as 
> a "outer perimeter" measure in conjunction with IP-based rules and 
> secure authentication...

It does hurt.  It causes non-obvious problems.  Forcing hostnames and PTR's
to match (commonly referred to as PARANOID checking) does not provide extra
security, it just prevents people with badly configured DNS from accessing
your servers.

--Adam
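
The check discussed in this message (look up the client's PTR, resolve the returned name forward, accept only if the original address comes back), shown as an added example that is not part of the original post. The zone data, addresses and function names are constructed for illustration; a real check would query a resolver.

```python
# Forward-confirmed reverse DNS ("PARANOID") check over constructed zone data.

# Constructed reverse zone: client IP -> PTR names
PTR = {
    "192.0.2.10": ["Mail.Example.NET."],      # correctly configured
    "192.0.2.20": ["host20.example.net"],     # PTR exists, no forward record
    "192.0.2.30": ["old-name.example.net"],   # PTR left stale after renumbering
    # 192.0.2.40 has no PTR at all
}
# Constructed forward zone: name -> A addresses
A = {
    "mail.example.net": ["192.0.2.10"],
    "old-name.example.net": ["198.51.100.7"],
}

def normalize(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()

def paranoid_check(ip, ptr=PTR, a=A):
    """Return (verdict, name): 'match', 'mismatch' or 'no_ptr'."""
    names = [normalize(n) for n in ptr.get(ip, [])]
    if not names:
        return ("no_ptr", None)
    for name in names:
        if ip in a.get(name, []):
            # A match shows only that forward and reverse records agree.
            return ("match", name)
    return ("mismatch", names[0])

def rejected_clients(ips):
    """Clients a server enforcing the check would turn away."""
    return [ip for ip in ips if paranoid_check(ip)[0] != "match"]

if __name__ == "__main__":
    for ip in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"]:
        print(ip, paranoid_check(ip))
```

Three of the four constructed clients are turned away solely because of how their DNS is set up, which is the failure mode the message describes.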

