ATTBI refuses to do reverse DNS?
Greg A. Woods
woods at weird.com
Tue Jun 18 19:54:13 UTC 2002
[ On Tuesday, June 18, 2002 at 14:51:16 (-0400), Daniel Senie wrote: ]
> Subject: Re: ATTBI refuses to do reverse DNS?
>
> INADDR is a really good idea for network operators to be using, and a
> really BAD idea for server operators to use as a security mechanism. Fix
> your server to be less anal.
Excuse me? It's _still_ all the security an Internet DNS client has!
When a hostname is important, for whatever reasons, an application MUST
confirm the consistency of forward and reverse DNS.
> read draft-ietf-dnsop-inaddr-required-03.txt from your favorite Internet
> Drafts archive for additional information on this subject.
According to my reading everything in _your_ draft strongly suggests
that IN-ADDR records be fully and properly populated, despite at the
same time warning that applications should not "rely" on consistency
checks of the forward and reverse DNS as a security check.
Unfortunately this most recent revision of your draft contains a
significant and "dangerous" flaw -- it confuses application security
checks with DNS consistency checks. Indeed applications should not use
the DNS for authentication or for authorisation. However if any trust
is put in the hostname used by a client, for any purpose whatsoever,
(for audit logs, etc.) then full consistency checks of the DNS for that
hostname _MUST_ be done! DNS spoofing, even just by accident, is just
too easy and too common (and yes, it really does happen by accident by
way of cache pollution, still in this day and age!).
--
Greg A. Woods
+1 416 218-0098; <gwoods at acm.org>; <g.a.woods at ieee.org>; <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
More information about the NANOG
mailing list