North American Network Operators Group


Re: ATTBI refuses to do reverse DNS?

  • From: Greg A. Woods
  • Date: Tue Jun 18 15:56:38 2002

[ On Tuesday, June 18, 2002 at 14:51:16 (-0400), Daniel Senie wrote: ]
> Subject: Re: ATTBI refuses to do reverse DNS?
>
> INADDR is a really good idea for network operators to be using, and a 
> really BAD idea for server operators to use as a security mechanism. Fix 
> your server to be less anal.

Excuse me?  It's _still_ all the security an Internet DNS client has!

When a hostname is important, for whatever reasons, an application MUST
confirm the consistency of forward and reverse DNS.

> read draft-ietf-dnsop-inaddr-required-03.txt from your favorite Internet 
> Drafts archive for additional information on this subject.
 
According to my reading everything in _your_ draft strongly suggests
that IN-ADDR records be fully and properly populated, despite at the
same time warning that applications should not "rely" on consistency
checks of the forward and reverse DNS as a security check.

Unfortunately this most recent revision of your draft contains a
significant and "dangerous" flaw -- it confuses application security
checks with DNS consistency checks.  Indeed applications should not use
the DNS for authentication or for authorisation.  However if any trust
is put in the hostname used by a client, for any purpose whatsoever,
(for audit logs, etc.) then full consistency checks of the DNS for that
hostname _MUST_ be done!  DNS spoofing, even just by accident, is just
too easy and too common (and yes, it really does happen by accident by
way of cache pollution, still in this day and age!).
 
-- 
								Greg A. Woods

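The forward/reverse consistency check Woods insists on, as an added example that is not part of the original post: resolve the client address's PTR, then confirm that the returned name's A/AAAA records actually contain that address, and let only a confirmed name into an audit log. The resolver callback, the status strings and the zone data are constructed assumptions, not anything from the thread.

```python
"""FCrDNS consistency check. Added example, not code from the original post.
The resolver is injected so it runs offline; in production back it with a
real DNS library such as dnspython."""
import ipaddress
from typing import Callable, Dict, List, Tuple

# (owner name, rrtype) -> rdata strings; empty list means no such record.
Resolver = Callable[[str, str], List[str]]


def consistent_hostname(ip: str, resolve: Resolver) -> Tuple[str, str]:
    """Return (status, name): "verified" when a PTR name's A/AAAA records
    include ip, "mismatch" when no PTR name points back, "no-ptr" if none."""
    addr = ipaddress.ip_address(ip)
    ptr_names = resolve(addr.reverse_pointer, "PTR")
    if not ptr_names:
        return "no-ptr", ""
    rrtype = "AAAA" if addr.version == 6 else "A"
    for name in ptr_names:
        forward = {ipaddress.ip_address(a) for a in resolve(name, rrtype)}
        if addr in forward:
            return "verified", name.rstrip(".")
    # The PTR claim is reported for diagnosis, never used as the client's name.
    return "mismatch", ptr_names[0].rstrip(".")


def audit_label(ip: str, resolve: Resolver) -> str:
    """String for an audit log: a hostname appears only once it is verified."""
    status, name = consistent_hostname(ip, resolve)
    if status == "verified":
        return f"{name} [{ip}]"
    if status == "mismatch":
        return f"{ip} (unverified PTR claims {name})"
    return f"{ip} (no PTR)"


# Constructed zone data on documentation prefixes, not real hosts.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net."],
    ("mail.example.net.", "A"): ["192.0.2.10"],  # points back: consistent
    ("66.113.0.203.in-addr.arpa", "PTR"): ["trusted.example.org."],
    ("trusted.example.org.", "A"): ["192.0.2.20"],  # does not point back
}


def fake_resolver(name: str, rrtype: str) -> List[str]:
    return FAKE_ZONE.get((name, rrtype), [])
```

Calling `audit_label("203.0.113.66", fake_resolver)` yields the address with the unconfirmed PTR flagged, which is the case a polluted cache or a deliberately misleading reverse record produces.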