To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
Christopher A. Woodfield
rekoil at semihuman.com
Mon May 14 15:46:05 UTC 2001
Reverse DNS by itself is insufficient for authentication, but
enforcing matching forward and reverse DNS entries is much more reliable
(no substitute for secret-based or cert-based authentication, but a good
"front door" for something like tcp wrappers). At last check, tcpd and sshd
can both be configured to block connections without matching forward/reverse
records.
-C
On Mon, May 14, 2001 at 12:42:54AM -0700, Roeland Meyer wrote:
>
> > From: Adam McKenna [mailto:adam at flounder.net]
> > Sent: Sunday, May 13, 2001 10:06 PM
>
> > > Oracle (try and build a DB without reverse working right. Net8 stops you
> > > dead in your tracks).
> >
> > Sorry, but this is just 100% wrong. I've set up Oracle on many boxes and you
> > don't need any DNS at all to set up an Oracle DB. In fact, I tell our DBAs
> > to use IP addresses in their TNSNAMES.ORA files because I don't want the DB
> > depending on DNS.
>
> Let's see, I don't want to make my DBs dependent on DNS, so I use IP addrs.
> Yet, I can't depend on IP addrs because my upstream might have to be
> changed... damn, I shouldn't have depended on my scumbag DSL upstream, eh?
> Gee, maybe I should have had a names based system after all? Either way, I
> wind up having to rebuild Oracle boxen and application servers, every time
> somebody farts. Just what in blue hell are we supposed to do?
>
> BTW, the last I checked SSL certs are usually names based. Pretty slack
> security, eh?
>
> This is right on up there with:
>
> 1) You idiot DSL monkey, you deserve your Inet death because you didn't
> multi-home.
> 2) No, you can't advertise less than a /20.
> 3) No, you don't deserve larger than a /32.
> 4) Yes, we know that makes multi-homing impossible for those that need it
> the most.
> 5) No, we don't care, you idiot DSL monkeys deserve Inet death.
>
> Yeah, the message you send out is real clear.
> ... and one wonders why the Internet has an implosion problem...
>
> --
> Internet implosion at 10:00 ... special web report, at 11:00.
>
>
--
---------------------------
Christopher A. Woodfield rekoil at semihuman.com
PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
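
The forward/reverse match described in the reply above, as an added example that is not part of the original thread: a client address is accepted only if its PTR name resolves forward to that same address. The function names, the table-backed resolvers and the sample records are constructed for illustration.

```python
import ipaddress
import socket

def system_reverse(ip):
    # PTR lookup through the system resolver; returns candidate names.
    name, aliases, _ = socket.gethostbyaddr(ip)
    return [name, *aliases]

def system_forward(name):
    # A/AAAA lookup through the system resolver; returns address strings.
    return [info[4][0] for info in socket.getaddrinfo(name, None)]

def fcrdns(ip, reverse=system_reverse, forward=system_forward):
    """Return (accepted, reason): accept only when a PTR name for `ip`
    resolves forward to an address set that contains `ip` itself."""
    client = ipaddress.ip_address(ip)
    try:
        names = reverse(ip)
    except OSError:  # socket.herror and socket.gaierror subclass OSError
        return False, "no reverse (PTR) record"
    for name in names:
        try:
            candidates = [ipaddress.ip_address(a) for a in forward(name)]
        except (OSError, ValueError):
            continue  # name does not resolve, or answer is not an address
        if client in candidates:  # parsed comparison, not string equality
            return True, "forward/reverse match via " + name
    return False, "PTR name does not resolve back to the client address"

# Constructed sample data (documentation ranges and example names only).
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.net"],
    "192.0.2.66": ["mail.example.net"],  # PTR claims a name it does not own
}
SAMPLE_A = {"mail.example.net": ["192.0.2.10"]}

def table_resolver(table):
    # Hypothetical stand-in for DNS: dict lookup, OSError when absent.
    def lookup(key):
        if key not in table:
            raise OSError("no such record")
        return table[key]
    return lookup

sample_reverse = table_resolver(SAMPLE_PTR)
sample_forward = table_resolver(SAMPLE_A)
```

The second sample address shows why the forward step matters: whoever controls a reverse zone can publish any name in a PTR record, but cannot make that name's forward zone point back at their address.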