On Tue, 5 Jun 2007, Dean Anderson wrote:

>
> > > The group has repeatedly rejected the claims in the draft that "you
> > > just edited" once it is detailed how the draft supports discredited
> > > claims.
> >
> > I am not sure what your evidence is for this claim (especially since
> > we have seen precisely one response so far to the -03 draft, and a
> > number of responses this year suggesting broad agreement with the -02
> > draft). If you wish to press that claim, I would urge you to point me
> > to the mailing list messages that support your view.
>
> I think Mr. Sullivan well knows the history of this draft from its
> previous incarnation as the draft-ietf-dnsop-inaddr-required, and
> Sullivan knows that the version number was reset when the draft was
> renamed and re-submitted under the new name. Sullivan knows that the
> name was changed to address concerns about the implication of the name,
> even after explicit calls to 'require in-addr' were supposedly removed
> from the draft. Sullivan knows that the WG didn't support the
> notion that inaddr was required, nor did it support any other
> discredited notions. So Mr. Sullivan knows the past claims that were
> very explicitly rejected. This is yet another example of a failure to
> report accurately.
BTW, here is part of an off-list message from Ted Lemon in 2005, that is very much in the line of the continuous problems with this draft. The current draft still has this same problem. In the intervening two years, the draft has just been rewritten in different ways to say the same thing after objections are raised, and then Sullivan reports "all fixed!", but it isn't fixed. Ted writes below:

"... I definitely want to make sure the document doesn't give anybody the impression that using in-addr for security is anything but a complete crock, or, as you say, an actual vulnerability."

By the way, I contacted Dr. Venema who also agrees, and doesn't want to become known as the originator of the myth of reverse DNS security.

--Dean

---------- Forwarded message ----------
Date: Fri, 1 Apr 2005 18:01:58 -0700
From: Ted Lemon <[EMAIL PROTECTED]>
To: Dean Anderson <[EMAIL PROTECTED]>
Subject: Re: [dnsop] Tangible harm caused by in-addr-required draft

On Apr 1, 2005, at 3:19 PM, Dean Anderson wrote:

> Page 2 is full of it. I'll just give one example:
>
> Some applications use DNS lookups for security checks. To ensure
> validity of claimed names, some applications will look up IN-ADDR
> records to get names, and then look up the resultant name to see if
> it maps back to the address originally known. Failure to resolve
> matching names is seen as a potential security concern.
>
> "Failure to resolve matching names is seen as a potential security
> concern"
>
> Basically, this says it's ok to use in-addr based security, and if they
> don't match, that's a "security concern".
>
> In other words, matching in-addr is required.

This is a legitimate, specific criticism. One that I haven't seen from you before on the mailing list. I very much support fixing cases where the text can be misread in the way you suggest.
It would be disastrous if someone read the document the way you suggest, and I can see where someone could make that mistake, although it wasn't obvious to me until you pointed it out. If you could send a complete set of such changes to the mailing list, I will support you in getting them done - if it doesn't work on the list, I can talk to the authors in Paris. I'm not going to support you retargeting the document entirely, but I definitely want to make sure the document doesn't give anybody the impression that using in-addr for security is anything but a complete crock, or, as you say, an actual vulnerability.

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop
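The check that the quoted draft paragraph describes (look up the IN-ADDR name, then look the name up forward and compare) is shown here as an added example, not code from the thread or the draft. The DNS data is a constructed in-memory map rather than live resolution, so the three outcomes the thread argues about can be seen offline: a match, a PTR that claims a name it does not own, and a host with no reverse mapping at all.

```python
"""Forward-confirmed reverse DNS as described in the quoted draft text.
Added illustration with constructed records; nothing here is live DNS."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed records (TEST-NET-3 addresses). PTR data is keyed by the
# in-addr.arpa name a resolver would query; forward data by host name.
PTR: Dict[str, List[str]] = {
    "1.113.0.203.in-addr.arpa.": ["mail.example.net."],  # forward record agrees
    "2.113.0.203.in-addr.arpa.": ["mail.example.net."],  # PTR claims a name it does not own
    "3.113.0.203.in-addr.arpa.": [],                     # no reverse mapping delegated
}
FORWARD: Dict[str, List[str]] = {
    "mail.example.net.": ["203.0.113.1"],
}


def reverse_name(ip: str) -> str:
    """Build the reverse query name (in-addr.arpa or ip6.arpa) for an address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, ptr=PTR, fwd=FORWARD) -> Tuple[str, Optional[str]]:
    """Run the draft's two-step check and return (verdict, name).

    'confirmed'   -> a PTR name resolves forward to the same address
    'unconfirmed' -> PTR names exist but none maps back to the address
    'no-ptr'      -> no PTR record at all

    Note what 'confirmed' does and does not mean: it shows only that the
    reverse zone and the forward zone agree, which whoever controls both
    (or the unauthenticated DNS path in between) can arrange. It is
    information for a log line, not proof of who the peer is.
    """
    names = ptr.get(reverse_name(ip), [])
    if not names:
        # This is the case the thread objects to treating as a
        # "security concern": a legitimate host whose operator simply
        # has no reverse delegation.
        return "no-ptr", None
    for name in names:
        if ip in fwd.get(name, []):
            return "confirmed", name
    return "unconfirmed", names[0]
```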