North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: ATTBI refuses to do reverse DNS?
- From: Greg A. Woods
- Date: Tue Jun 18 15:56:38 2002
[ On Tuesday, June 18, 2002 at 14:51:16 (-0400), Daniel Senie wrote: ]
> Subject: Re: ATTBI refuses to do reverse DNS?
> INADDR is a really good idea for network operators to be using, and a
> really BAD idea for server operators to use as a security mechanism. Fix
> your server to be less anal.
Excuse me? It's _still_ all the security an Internet DNS client has!
When a hostname is important, for whatever reasons, an application MUST
confirm the consistency of forward and reverse DNS.
> read draft-ietf-dnsop-inaddr-required-03.txt from your favorite Internet
> Drafts archive for additional information on this subject.
According to my reading everything in _your_ draft strongly suggests
that IN-ADDR records be fully and properly populated, despite at the
same time warning that applications should not "rely" on consistency
checks of the forward and reverse DNS as a security check.
Unfortunately this most recent revision of your draft contains a
significant and "dangerous" flaw -- it confuses application security
checks with DNS consistency checks. Indeed applications should not use
the DNS for authentication or for authorisation. However if any trust
is put in the hostname used by a client, for any purpose whatsoever,
(for audit logs, etc.) then full consistency checks of the DNS for that
hostname _MUST_ be done! DNS spoofing, even just by accident, is just
too easy and too common (and yes, it really does happen by accident by
way of cache pollution, still in this day and age!).
Greg A. Woods
+1 416 218-0098; <email@example.com>; <firstname.lastname@example.org>; <email@example.com>
Planix, Inc. <firstname.lastname@example.org>; VE3TCP; Secrets of the Weird <email@example.com>