On Nov 12, 2014, at 5:59 AM, Dan York <y...@isoc.org> wrote:
> Where are you trying to go with this note about consensus?

I will not speak for Lee, but where I would _like_ him to go is to simply point out the reasons why policies like this don't make sense. We don't even need to tell people not to do it; just explain why it doesn't make sense, and trust them not to be stupid. I will probably be laughed at for that last sentiment, but it's hard to get consensus on firm advice on this topic, whereas I think it's pretty easy to get consensus that:

- PTR records don't actually help with security for ssh.
- The lack of a PTR record doesn't convey any affirmative information about the host that lacks it.
- The presence of a PTR record doesn't either.

And therefore, the three use cases that Lee put up on the slides yesterday can be usefully discussed, and the conclusions to draw are pretty obvious:

1. For SMTP, whether or not you think validating the reverse makes sense, the absence of a PTR record for a host that is not an MTA is okay. However, you may want to add a PTR record containing valid information for hosts that do run MTAs, regardless of your opinion on what other MTAs should do with respect to checking PTR records.
2. For geolocation, PTR records containing bogus data are unhelpful at best, so there's no reason to add them to address this use case.
3. For ssh, PTR records are completely useless, so there is no reason to add them to address this use case.

There may be some other reason why a bogus PTR record is better than no PTR record, but we are at present not aware of such a reason.
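An added illustration, not part of the thread, of why a PTR record on its own tells a receiving MTA nothing: the forward-confirmed reverse DNS check that MTAs commonly use when they "validate the reverse", run against constructed sample records (no live DNS, no real hosts). A bogus or auto-generated PTR with no matching forward A record lands in the same bucket as no PTR at all.

```python
import ipaddress
from typing import Dict, List

# Constructed sample records standing in for a live resolver (not real hosts).
SAMPLE_PTR: Dict[str, str] = {
    "10.2.0.192.in-addr.arpa": "mail.example.net",    # genuine MTA, forward record agrees
    "20.2.0.192.in-addr.arpa": "host-20.example.net", # auto-generated PTR, no forward A record
    "30.2.0.192.in-addr.arpa": "mail.example.net",    # bogus PTR borrowing another host's name
    # 192.0.2.40 has no PTR record at all
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
}


def lookup_ptr(qname: str) -> List[str]:
    """Stub PTR lookup against the constructed records."""
    name = SAMPLE_PTR.get(qname)
    return [name] if name else []


def lookup_a(name: str) -> List[str]:
    """Stub A lookup against the constructed records."""
    return SAMPLE_A.get(name, [])


def fcrdns(ip: str, ptr=lookup_ptr, a=lookup_a) -> str:
    """Forward-confirmed reverse DNS for one address.

    Returns 'confirmed' when some PTR target resolves back to the address,
    'no-ptr' when there is no PTR record, and 'unconfirmed' when a PTR
    exists but no forward record agrees with it.
    """
    addr = ipaddress.ip_address(ip)
    names = ptr(addr.reverse_pointer)   # e.g. 10.2.0.192.in-addr.arpa
    if not names:
        return "no-ptr"
    for name in names:
        if str(addr) in a(name):
            return "confirmed"
    return "unconfirmed"


def classify(ips: List[str]) -> Dict[str, str]:
    """Run the check over a list of addresses."""
    return {ip: fcrdns(ip) for ip in ips}


if __name__ == "__main__":
    for ip, verdict in classify(["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"]).items():
        print(f"{ip:12} {verdict}")
```

Only the host whose PTR and A records agree gets a positive verdict; the two hosts with mismatched PTRs are treated exactly like the host with none, which is the sense in which a bogus PTR buys nothing.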