The irony in SSH is that it's a two-way strongly authenticated connection
(assuming you do client keys). So perhaps the sense of the story is that
where proof-of-identity is innately part of the exchange, it makes little
sense to deploy a barrier to entry like PTR checking, since you are using
significantly better protections against the wrong person being given
access.

PTR records permit IP address administrators with access to DNS
configurations to associate DNS names with their addresses. The informative
value this has should not be conflated with any stronger checks, and adds
little to the decision to accept a connection to a service beyond the log
value of the address holder's assertion. If you choose to demand a
forward-reverse association to exist, you are very likely to exclude access
in situations you did not wish to.

-G

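The forward-reverse association discussed above, as an added example that is not code from the list or any of its participants: a forward-confirmed reverse DNS (FCrDNS) check run against a constructed in-memory DNS table, so it runs offline and shows each way a legitimate client ends up excluded (no PTR at all, or a PTR whose forward lookup does not point back).

```python
"""Forward-confirmed reverse DNS (FCrDNS), the check some SSH servers demand.

Added example. The DNS data below is a constructed in-memory table so the
script runs offline; a real deployment would issue PTR and A/AAAA queries.
"""
import ipaddress

# Constructed zone data (RFC 5737 / RFC 3849 documentation addresses).
PTR_RECORDS = {
    ipaddress.ip_address("192.0.2.10").reverse_pointer: ["host-a.example.net"],
    ipaddress.ip_address("192.0.2.20").reverse_pointer: ["stale.example.net"],
    ipaddress.ip_address("2001:db8::1").reverse_pointer: ["v6host.example.net"],
    # 192.0.2.30 and 2001:db8::2 deliberately have no PTR at all.
}
FORWARD_RECORDS = {
    "host-a.example.net": ["192.0.2.10"],
    "stale.example.net": ["192.0.2.99"],   # PTR exists but forward points elsewhere
    "v6host.example.net": ["2001:db8::1"],
}


def lookup_ptr(ip):
    """PTR targets for an address (in-addr.arpa or ip6.arpa); [] if none."""
    return PTR_RECORDS.get(ipaddress.ip_address(ip).reverse_pointer, [])


def lookup_forward(name):
    """A/AAAA targets for a name; [] if the name does not resolve."""
    return FORWARD_RECORDS.get(name, [])


def fcrdns(ip):
    """Classify a client address: 'no-ptr', 'mismatch' or 'match'."""
    addr = ipaddress.ip_address(ip)
    names = lookup_ptr(ip)
    if not names:
        return "no-ptr"
    for name in names:
        if any(ipaddress.ip_address(a) == addr for a in lookup_forward(name)):
            return "match"
    return "mismatch"


def accept_connection(ip, require_fcrdns):
    """Accept decision: only the 'match' outcome survives a strict PTR policy."""
    return fcrdns(ip) == "match" if require_fcrdns else True


if __name__ == "__main__":
    for client in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "2001:db8::1", "2001:db8::2"]:
        print(f"{client:>14}  {fcrdns(client):9}  accept={accept_connection(client, True)}")
```

Only one of the five constructed clients passes the strict policy; the other four are refused before any key-based authentication runs, which is the exclusion the message above describes.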
On Wed, Nov 12, 2014 at 5:59 AM, Dan York <y...@isoc.org> wrote:

>  Lee,
>
>  Warren, in his own unique style, made a point that I was wondering
> about...
>
>   On Nov 11, 2014, at 9:30 PM, Warren Kumari <war...@kumari.net> wrote:
>
>  I heard applause during the WG meeting in response to these statements;
> sounded like consensus to me. I said I would check that consensus on list.
>
>
> I think that there is consensus that it is stupid. There is also
> consensus that using a fork to get the stuck toast out of the toaster
> is a bad idea -- however....
>
>
> ... namely that I think probably all of us on the list can agree 100% that
> having SSH servers reject connections from IP addresses without PTRs is
> stupid. I haven't seen anyone chime in publicly that they think it *is* a
> good idea... and I doubt we will.
>
>  But now what?
>
>  I'm not sure that there's necessarily a whole lot of value in us coming
> out with a document "Using PTRs To Reject SSH Connections Considered
> Harmful" - I don't know that our doing so will necessarily motivate the
> authors of SSH servers to change anything. Certainly I think the SSH case
> could be listed in your document of bad things people do with PTRs in IPv4
> that will break in IPv6.
>
>  Where are you trying to go with this note about consensus?
>
>  A bit puzzled,
> Dan
>
>   --
>  Dan York
>  Senior Content Strategist, Internet Society
>  y...@isoc.org   +1-802-735-1624
>  Jabber: y...@jabber.isoc.org
>  Skype: danyork   http://twitter.com/danyork
>
>  http://www.internetsociety.org/deploy360/
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
>