
RE: rfc1918 impact

2003-10-17 17:54:57

Dean Anderson wrote:

> So far, DNSSEC doesn't solve this problem.  I don't think the
> reverse DNS problem is intended to be solved by DNSSEC.

IMHO "reverse" is just the same as ordinary domains.
Where DNS is a phonebook for internet name mappings.

> Quick poll: Does anyone actually think that DNS can be made globally
> invulnerable, and positively trusted, yet usable?

I trust the word of Miek Gieben and as he says it is so, I
have to go with that it will be trusted and usable.

> DNSSEC won't solve a number of problems of intentional false
> information.

You won't be able to 'spoof' anymore, which solves the
intentional false information part.

> It only works in cooperative environments, and is limited in
> many ways.

Everything is based on cooperation, nobody is 'forced' to
implement a specification and people can invent their own etc.
You might want to followup to the dnssec-wg why you think it
is limited btw.

<SNIP>

> Also, logs should definitely NOT be using reverse DNS.  This
> is one of the many improper uses of Reverse DNS.
> One must always log the IP address. If
> you have a lot of extra time, and space in the log, the
> current value of the reverse lookup may be interesting,
> but it is not meaningful.
> Implementors are starting to get a clue:  I've noticed that
> the UTMP on several platforms only stores the IP address for IPv6.
> Many a breakin has been hard or impossible to trace due to improper
> use of reverse DNS in logging.

I realize that all too well, unfortunately some don't:
http://www.freebsd.org/cgi/query-pr.cgi?pr=22595
(Check the dates btw :)

They should log both the IP and the reverse.

> Sometimes it is impossible to detect! How do you
> know that the access from
> the_very_long_host.another_long_zone.some_doma---oops, out of
> space for hostname--was unauthorized?  Anonymous Mail Relay
> abuse was made possible because the early SMTP implementors
> didn't put the IP address in the Received header, but the
> reverse DNS, which we subsequently found out to be useless.

Reverses should be checked with the forward mapping of course.
If both of these answers come in over DNSSEC then you are 100%
sure that this host has this name. But still one wants to
log the IP because DNS-TTL later the hostname is out of your
cache and possibly out of the entire DNS system.

> and includes _everything_ (that I've heard of) except for
> traceroute, which is using reverse DNS only for what amounts
> to transient pretty printing.

Traceroute doesn't check the forward belonging to a reverse
and I have seen a number of jokers using 'nice' hostnames.
Next to that there are very easy ways of spoofing traceroutes,
rotorouter anyone? :)

> Anyway, this is getting afield a little for the IETF list,
> and probably belongs on one of the DNS lists.

Ack.

> Perhaps all that is important is to remember that "properly configured
> Reverse DNS" includes having no reverse DNS at all.

Ack.

Greets,
 Jeroen

Comment: Jeroen Massar / jeroen(_at_)unfix(_dot_)org / http://unfix.org/~jeroen/
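As an added illustration of the two points made in this exchange, checking a reverse name against its forward mapping and always logging the IP itself, here is a small Python sketch (example code, not from either poster). The resolver functions are injectable so it runs offline; the zone data, function names and log format are constructed for the example, and a real deployment would substitute socket.gethostbyaddr / socket.getaddrinfo.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check plus an IP-first log line.

Added example, not code from the original thread. DNS answers are taken
from a constructed in-memory table so the logic runs offline.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone data standing in for real PTR and A answers.
SAMPLE_PTR: Dict[str, Optional[str]] = {
    "192.0.2.10": "mail.example.net",   # reverse and forward agree
    "192.0.2.20": "www.example.org",    # PTR claims a name whose A record points elsewhere
    "192.0.2.30": None,                 # no reverse DNS at all (a valid configuration)
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "www.example.org": ["203.0.113.5"],
}

def lookup_ptr(ip: str) -> Optional[str]:
    """Stand-in for a PTR query; returns None when no reverse exists."""
    return SAMPLE_PTR.get(ip)

def lookup_a(name: str) -> List[str]:
    """Stand-in for an A/AAAA query; returns [] for unknown names."""
    return SAMPLE_A.get(name, [])

def classify_reverse(ip: str,
                     ptr: Callable[[str], Optional[str]] = lookup_ptr,
                     fwd: Callable[[str], List[str]] = lookup_a) -> Tuple[str, Optional[str]]:
    """Return ("confirmed"|"mismatch"|"none", ptr_name).

    A name is only "confirmed" when the forward lookup of the PTR target
    includes the original address; anything else is not trusted.
    """
    addr = ipaddress.ip_address(ip)          # rejects garbage before any lookup
    name = ptr(str(addr))
    if not name:
        return ("none", None)
    forward = {ipaddress.ip_address(a) for a in fwd(name)}
    return ("confirmed", name) if addr in forward else ("mismatch", name)

def log_line(event: str, ip: str) -> str:
    """The IP is always recorded; the hostname is an annotation, never a substitute."""
    status, name = classify_reverse(ip)
    shown = name if status == "confirmed" else "-"
    return f"{event} src={ip} rdns={status} name={shown}"
```

The unconfirmed PTR name is deliberately not written to the log, so a misleading or truncated hostname cannot stand in for the address when the event is investigated later.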
