Schneier: ISPs should bear security burden

Steven Champeon schampeo at hesketh.com
Mon May 2 17:28:33 UTC 2005


on Mon, May 02, 2005 at 01:16:40PM -0400, Joe Maimon wrote:
> Steven Champeon wrote:
> >on Sun, May 01, 2005 at 10:40:21PM -0400, Joe Maimon wrote:
> >
> >>What does the rest of the internet gain when all IPs have boilerplate 
> >>reverse DNS setup for them, especially with all these wildly differing 
> >>and wacky naming "conventions"?
> >
> >
> >I don't care what the rest of the Internet gains, but I can say that
> >knowing something about these "wildly differing and wacky naming
> >conventions" has cut my spam load down by 98% or more. By knowing who
> >names their networks what, even wild-assed guesses at times have kept
> >the DDoS that is spam botnets from destroying the utility of email here.
> 
> That's not quite what I was asking. Would you not have preferred being 
> able to do all the above simply by being able to assume that all these 
> "dialup" systems would not have any RDNS?

No.
 
> The question restated is what is the benefit in advocating "dialup 
> names" as opposed to simply recommending that dialup ranges get NO rDNS?

More information is always better.
 
> For spam/abuse prevention it surely is less useful. It's much easier to 
> block IP with no rDNS than to maintain a list of patterns of rDNS that 
> should be blocked.

Surely. And yet, knowing that Comcast addresses are responsible for
a third of the abuse against my mail server is easier when all of the
hosts' rDNS ends in "comcast.net", so I don't need to do whois lookups
on each IP.

> I understand that RFCs recommend/require it. I want to know about 
> specific benefits to the internet at large (not to the user who now has 
> rDNS)
> 
> Given a choice between ISP using unpredictable naming patterns or no 
> name for dialup ranges, what would your preference be?

Predictable naming conventions, preferably right-anchored, such as

'.dialup.dynamic.example.net'

If you're saying that's not possible, then I'd prefer unpredictable
names over no rDNS at all (though preferably at least consistently
implemented within a given rDNS domain)...

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.html    join us!
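As an added illustration of the classification the reply describes (right-anchored dialup suffixes, "no rDNS" as its own bucket, and tallying abuse by rDNS domain), here is example code that is not part of the original post or of any mail server; the suffix table and the event list are constructed for this example, and only ".dialup.dynamic.example.net" comes from the text.

```python
from __future__ import annotations

# Right-anchored rDNS suffixes that mark dynamic/dialup pools.
# Constructed table: a real one is built from each ISP's observed
# naming convention (the "wildly differing" ones the thread mentions).
DYNAMIC_SUFFIXES = (
    ".dialup.dynamic.example.net",   # the suffix from the post
    ".dyn.example.org",              # constructed for this example
)

def classify_rdns(rdns: str | None) -> str:
    """Return 'none', 'dynamic' or 'static' for a connecting host's rDNS.

    Matching is right-anchored at a label boundary: a name must end in
    the suffix including its leading dot, so 'h1.dialup.dynamic.example.net'
    matches while 'evildialup.dynamic.example.net' does not.
    """
    if not rdns:
        return "none"                      # no PTR at all: a separate bucket
    name = rdns.rstrip(".").lower()        # tolerate a trailing dot, any case
    for suffix in DYNAMIC_SUFFIXES:
        if name.endswith(suffix):
            return "dynamic"
    return "static"

def domain_of(rdns: str, labels: int = 2) -> str:
    """Right-most `labels` labels of a name, e.g. 'example.net' for a host in it."""
    parts = rdns.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def abuse_share_by_domain(events: list[tuple[str, str | None]]) -> dict[str, float]:
    """Fraction of abuse events per rDNS domain, without any whois lookups.
    Hosts with no rDNS are counted under '(no rDNS)'."""
    counts: dict[str, int] = {}
    for _ip, rdns in events:
        key = domain_of(rdns) if rdns else "(no rDNS)"
        counts[key] = counts.get(key, 0) + 1
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}

# Constructed sample: (connecting IP from TEST-NET-1, rDNS or None).
SAMPLE_EVENTS = [
    ("192.0.2.10", "h10.dialup.dynamic.example.net"),
    ("192.0.2.11", "h11.dialup.dynamic.example.net"),
    ("192.0.2.12", "mail.example.com"),
    ("192.0.2.13", None),
]

if __name__ == "__main__":
    for ip, rdns in SAMPLE_EVENTS:
        print(ip, rdns, classify_rdns(rdns))
    print(abuse_share_by_domain(SAMPLE_EVENTS))
```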


