On Feb 13, 2007, at 10:43 PM, Dean Anderson wrote:
1. DNS PTR records are entirely optional, and MUST NOT be assumed to exist. Software MUST NOT fail or incur delay as a result of the non-existence of PTR records.
2. Unauthenticated DNS MUST NOT be relied on for security or trust decisions. Even when DNSSEC is used to verify the authenticity of DNS records, matching reverse and forward records do not imply either improved security or trustworthiness over sites that either do not have reverse DNS or that do not have matching forward/reverse DNS.
3. DNS records MUST NOT be used in logs instead of IP addresses. Logging only the PTR resource records instead of the IP address is vulnerable, since attackers may have used long names that will either become truncated by many logging systems, or require up to 255 bytes to store. Logging both IP address and DNS PTR records may be helpful, but one must also consider that the 255 byte per record space requirement does not become a DOS attack on the logging system.
This is a DNSOP draft, so I don't think we *can* use MUST NOT. My
main problem with this whole conversation is that I think the draft
already says this - it just doesn't say "MUST NOT" because it
*can't*. If you feel the wording is too weak, and the editor is
willing to incorporate your wording, minus the MUST NOTs, I have no
objection to that.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop
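The logging points in the quoted list (the PTR record is optional and its absence must neither fail nor delay the caller; the IP address is always the key; an attacker-controlled long name must not inflate or forge log records) can be demonstrated in a small logging helper. The code below is an added example written for this page, not code from the draft or from anyone on the thread. The `MAX_PTR_LEN` bound, the `format_log_line` layout, the 0.5 s timeout and the sample addresses are constructed for illustration.

```python
"""Log events keyed on the client's IP address, with the PTR name as an
optional, bounded annotation.

Design points, matching the quoted recommendations:
  * the PTR lookup is best-effort: failure or timeout yields None and the
    log call still succeeds, without waiting on the resolver;
  * the IP address is always recorded (and canonicalised), so the PTR name
    is never the only identifier in the record;
  * the stored PTR string is length-capped and stripped of control
    characters, so a hostile name can neither consume 255 bytes per line
    nor inject fake log lines via embedded newlines.
"""
import concurrent.futures
import ipaddress
import socket
from typing import Optional

# Wire-format domain names are at most 255 octets; we keep far less.
# Constructed limit for this example, tune for your log pipeline.
MAX_PTR_LEN = 64
TRUNC_MARK = "...(truncated)"

# gethostbyaddr() blocks and ignores socket.setdefaulttimeout(), so the
# lookup runs in a worker thread and the caller only waits `timeout` secs.
_resolver_pool = concurrent.futures.ThreadPoolExecutor(max_workers=4)


def reverse_lookup(ip: str, timeout: float = 0.5) -> Optional[str]:
    """Best-effort PTR lookup. Returns None on any failure or timeout."""
    future = _resolver_pool.submit(socket.gethostbyaddr, ip)
    try:
        name, _aliases, _addrs = future.result(timeout=timeout)
        return name
    except (concurrent.futures.TimeoutError, socket.herror,
            socket.gaierror, OSError):
        return None


def bound_name(name: Optional[str], limit: int = MAX_PTR_LEN) -> str:
    """Make a PTR name safe to store: printable ASCII only, length-capped.

    A missing name is rendered as '-' so the column is always present.
    """
    if name is None:
        return "-"
    # Replace control characters and non-ASCII so a name cannot embed a
    # newline (log forging) or terminal escape sequences.
    clean = "".join(c if 32 <= ord(c) < 127 else "?" for c in name)
    if len(clean) > limit:
        return clean[:limit] + TRUNC_MARK
    return clean


def format_log_line(ip: str, event: str, ptr: Optional[str]) -> str:
    """Build one log record. The IP is validated and canonicalised first."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on junk
    return f"ip={addr} ptr={bound_name(ptr)} event={event}"


def log_event(ip: str, event: str) -> str:
    """Record an event; PTR resolution is optional and never blocks long."""
    return format_log_line(ip, event, reverse_lookup(ip))


if __name__ == "__main__":
    # Constructed PTR values; no network access needed for the demo.
    samples = [
        ("192.0.2.10", "login", "mail.example.net"),
        ("192.0.2.11", "login", None),                      # no PTR
        ("192.0.2.12", "login", "x" * 300 + ".example"),    # oversized
        ("2001:DB8::1", "login", "host\nip=10.0.0.1 event=admin"),  # forged newline
    ]
    for ip, event, ptr in samples:
        print(format_log_line(ip, event, ptr))
```

The constructed cases cover the three failure modes the quoted text names: a missing PTR still produces a complete record, a 300-character name is cut to the configured cap, and a name carrying a newline cannot split into a second, fabricated log line. `log_event` performs a real lookup but, because the wait is bounded by the thread-pool timeout, a dead or slow resolver only costs the caller the timeout, never a failure.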