[69237] in North American Network Operators' Group


Re: the value of reverse address lookups?

daemon@ATHENA.MIT.EDU (Laurence F. Sheldon, Jr.)
Wed Mar 31 21:59:57 2004

Date: Wed, 31 Mar 2004 20:59:17 -0600
From: "Laurence F. Sheldon, Jr." <LarrySheldon@cox.net>
To: nanog@nanog.org
In-Reply-To: <1080782041.4836.3.camel@liberate>
Errors-To: owner-nanog-outgoing@merit.edu


Douglas F. Calvert wrote:

> On Wed, 2004-03-31 at 19:59, Stephen J. Wilcox wrote:
> 
>>On Wed, 31 Mar 2004, Douglas F. Calvert wrote:
>>
>>> I am interested in finding out what the motivation is for requiring
>>>valid reverse address lookups before connecting to a daemon. I have
>>>heard a number of different explanations, the majority of the responses
>>>point to history/tradition and tcpwrappers. Is there a commonly accepted
>>>justification for this practice?  In my opinion it does not appear to
>>>increase the validity of the connection. But I may be missing something
>>>obvious.
>>> Thanks in advance...
>>
>>Well, my understanding is that whilst it's easy to get a domain name and some dns
>>it's usually quite difficult to put in a ptr record, these are usually controlled
>>by the ISP. If they don't exist or don't match then the address is a dialup or
>>hijacked or something not legitimate.. I think this is mainly an smtp antispam
>>thing tho altho I see your point is for any connection in general, I guess the
>>same applies to hackers as to spammers.. ?
> 
> I am interested in both cases smtp and other services. Syr.edu only
> accepts ssh connection to the public unix boxen if you come from an ip
> with a valid reverse address. The majority of smtp servers on the net
> require the same. What more is known about the mail sender or ssh client
> just because the reverse address lookup goes through?
> 
> Anyone care to give their thoughts on the legacy aspect? 

Speaking for myself only, and for the groups that I used to manage
at the time I managed them...

There is a concept of a Complete Job in doing something.  In the
case of exposing a machine to a larger community, that Complete
Job includes (but is not limited to) such things as ensuring
that machine is physically up to its assigned task, that its
Operating system is appropriate and at the appropriate patch
level, that the software is appropriate for the assignment, and
properly configured, that the installation is physically and
operationally secure, and that all of the paperwork (including
virtual paperwork like domain registrations and DNS minutiae)
is in order.

If you are an outsider looking in at one of my installations, that
last one is the only one you can readily look at to see if you
think I am worthy of your trust.

-- 
Requiescas in pace o email
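
The check this thread is about (does a PTR record exist, and does the name it returns resolve back to the connecting address, often called forward-confirmed reverse DNS), as an added example that is not part of the original message. The function names, the result labels and the sample records (documentation address ranges, made-up host names) are assumptions constructed for illustration.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR names for ip from the system resolver; [] when there is none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]

def system_forward(name):
    """Addresses for name from the system resolver; [] on failure."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []

def check_reverse(ip, reverse=system_reverse, forward=system_forward):
    """Return ('no-ptr' | 'mismatch' | 'confirmed', confirmed_name_or_None).

    'confirmed' only shows that the reverse zone and the forward zone agree;
    it says nothing about who is operating the host.
    """
    addr = ipaddress.ip_address(ip)
    names = reverse(str(addr))
    if not names:
        return "no-ptr", None
    for name in names:
        for candidate in forward(name):
            try:
                if ipaddress.ip_address(candidate) == addr:
                    return "confirmed", name.rstrip(".").lower()
            except ValueError:
                continue  # resolver returned something that is not an address
    return "mismatch", None

# Constructed sample records, so the example runs without network access.
SAMPLE_PTR = {"192.0.2.10": ["mail.example.net."],
              "192.0.2.20": ["www.example.org"]}  # PTR names a host it is not
SAMPLE_A = {"mail.example.net.": ["192.0.2.10"],
            "www.example.org": ["198.51.100.7"]}

def sample_check(ip):
    """Run check_reverse against the constructed records above."""
    return check_reverse(ip, lambda a: SAMPLE_PTR.get(a, []),
                         lambda n: SAMPLE_A.get(n, []))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, *sample_check(ip))
```

Calling `check_reverse(ip)` without the two resolver arguments performs the same classification against live DNS.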


