To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS

Christopher A. Woodfield rekoil at semihuman.com
Mon May 14 15:46:05 UTC 2001


Reverse DNS by itself is insufficient for authentication, but 
enforcing matching forward and reverse DNS entries is much more reliable 
(no substitute for secret-based or cert-based authentication, but a good 
"front door" for something like tcp wrappers). At last check, tcpd and sshd 
can both be configured to block connections without matching forward/reverse 
records.

-C

On Mon, May 14, 2001 at 12:42:54AM -0700, Roeland Meyer wrote:
> 
> > From: Adam McKenna [mailto:adam at flounder.net]
> > Sent: Sunday, May 13, 2001 10:06 PM
> 
> > > Oracle (try and build a DB without reverse working right. Net8 stops you
> > > dead in your tracks).
> > 
> > Sorry, but this is just 100% wrong.  I've set up Oracle on many boxes and you
> > don't need any DNS at all to set up an Oracle DB.  In fact, I tell our DBAs
> > to use IP addresses in their TNSNAMES.ORA files because I don't want the DB
> > depending on DNS.
> 
> Let's see, I don't want to make my DBs dependent on DNS, so I use IP addrs.
> Yet, I can't depend on IP addrs because my upstream might have to be
> changed... damn, I shouldn't have depended on my scumbag DSL upstream, eh?
> Gee, maybe I should have had a names based system after all? Either way, I
> wind up having to rebuild Oracle boxen and application servers, every time
> somebody farts. Just what in blue hell are we supposed to do?
> 
> BTW, the last I checked SSL certs are usually names based. Pretty slack
> security, eh?
> 
> This is right on up there with: 
> 	
> 1) You idiot DSL monkey, you deserve your Inet death because you didn't
> multi-home.
> 2) No, you can't advertise less than a /20.
> 3) No, you don't deserve larger than a /32.
> 4) Yes, we know that makes multi-homing impossible for those that need it
> the most.
> 5) No, we don't care, you idiot DSL monkeys deserve Inet death.
> 
> Yeah, the message you send out is real clear.
> ... and one wonders why the Internet has an implosion problem...
> 
> --
> Internet implosion at 10:00 ... special web report, at 11:00.
> 
> 

-- 
---------------------------
Christopher A. Woodfield		rekoil at semihuman.com

PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
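
The matching forward/reverse check described in the message above, as an added example that is not part of the original post and is not code from tcpd or sshd. The function names, the injectable resolver arguments and the sample zone data (documentation address ranges) are assumptions made for illustration.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR lookup through the system resolver: names claimed for ip."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_forward(name):
    """A/AAAA lookup through the system resolver: addresses for name."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def fcrdns(ip, reverse=system_reverse, forward=system_forward):
    """Return (True, name) only if a PTR name for ip resolves back to ip."""
    peer = ipaddress.ip_address(ip)
    for name in reverse(ip):
        for addr in forward(name):
            try:
                # Strip any IPv6 zone id, then compare parsed addresses, not strings.
                if ipaddress.ip_address(addr.split("%")[0]) == peer:
                    return True, name.rstrip(".").lower()
            except ValueError:
                continue  # resolver returned something that is not an address
    return False, None

# Constructed zone data (documentation address ranges), so the check runs offline.
SAMPLE_PTR = {
    "192.0.2.10": ["db1.example.net."],    # honest host
    "198.51.100.7": ["db1.example.net."],  # reverse zone claims a name it does not own
}
SAMPLE_A = {"db1.example.net.": ["192.0.2.10"]}

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_forward(name):
    return SAMPLE_A.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, fcrdns(ip, sample_reverse, sample_forward))
```

The second sample address shows why the reverse record alone proves nothing: the PTR is published by whoever runs the reverse zone for that address, while the forward record is published by the owner of the name.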



