Re: IPv6 and Dynamic DNS
Dean Anderson wrote:
>
> Having reverse dns mappings is no security at all. Both are
> easily spoofed. Having a valid reverse map does not make
> the connection any more or less trustworthy. Only really
> stupid admins make trust decisions based on DNS information.
How do you spoof a forward mapping, without exploiting
some known (and presumably, fixed) bug?
I trust . to not lie about the delegation of .com.; I trust
.com. to not lie about the delegation of .whistle.com.; I
trust .whistle.com. to not lie about host names in its zone
of control, or its delegations, and so on.
Consider that if I define "fred.whistle.com" in my DNS to
point to 198.3.136.10, I am establishing a name in the
whistle.com domain for this IP address.
It matters very little that I don't own STARSHIP.av8.com
(your machine, which has that IP address), I am permitted
to name it within any domain for which control has been
delegated to me by . and .com. (and so on).
But I cannot update the reverse record for 198.3.136.10,
because that has been delegated to .arpa. by ., and then
subsequently to starship.av8.com., and I can't change that
because I'm not in charge of any of the intermediates that
are between . and you.
This trust is implicit in the organization of the DNS
(try to get certificates added to the top level servers;
I dare you; I double-dog dare you -- others have tried).
You can lie in a forward record, but you can't lie in
the reverse unless you own the IP address mapping. And
if you own the IP address mapping, both the domain name
and the IP address are logged, so welcome to the RBL,
buddy: you'll never send email to me from that IP address
again, and I don't give a damn what you name it.
> Indeed, there is another just as invalid "security" idea
> that one should never use reverse mappings because the
> information might be used by crackers.
I think you meant "provide", not "use", right?
> Woe unto anyone who needs to get these two
> "security conscious" networks to speak to each other.
> One will not put out reverse maps, the other will not
> trust anyone whose reverse maps are not "correct".
Yes. The latter set is pretty much a 1:1 intersection
set with "anyone who runs sendmail 8.9.x or above in
its default configuration".
Per-address, time-limited certificates would be a better
solution to this problem. Unfortunately, there is still
an RSA patent or two in the way of that being standardized
without inviting patent infringement.
If this impacts someone's ability to SPAM -- so the hell
what? It's _intended_ to.
> This is about as silly as believing that using RFC1918
> addresses enhances security because they are "unroutable".
> Let's just let both of these go into the history of foolish
> ideas.
>
> Please don't build this foolishness into DNS. That would
> be a disaster.
It's already implicit to DNS's delegation-based organization
(see above: it is deployed as a technical solution to a
social problem -- "ya cann'a change the laws of physics",
so we design our laws of physics so "ya cann'a misbehave").
In your opinion, what is the proper purpose of reverse
records, if one is not to look them up, or trust their
contents should one be so "foolish" as to look them up?
Is it for displaying in browsers and log files, allowing
the humans who configured them to lie, by proxy, to the
humans whose programs look them up?
And if you answer none of the other questions, whatsoever:
What is the rationale for not allowing a machine, granted
a particular address, to set its reverse record?
The actual agency we are talking about trusting is the
address delegation agency. If we decide to not trust
them, then we can dike their entire authority block out
of the list of people to whom we are willing to talk.
-- Terry Lambert
-- Whistle Communications, Inc.
-- terry@whistle.com
-------------------------------------------------------------------
This is formal notice under California Assembly Bill 1629, enacted
9/26/98 that any UCE sent to my email address will be billed $50
per incident to the legally allowed maximum of $25,000.
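The check the reply describes (a forward record anyone can publish, versus a reverse record only the address holder's delegation can publish) is what a mail server's reverse-map test, like the sendmail behaviour mentioned above, actually enforces. The following is an added example, not code from this thread or from sendmail: it models the fred.whistle.com / STARSHIP.av8.com scenario with constructed zone data (the 192.0.2.25 host is an invented documentation-space address) and performs a forward-confirmed reverse DNS check against it.

```python
import ipaddress

# Constructed stand-in for the zones discussed in the thread (not real DNS data):
# whistle.com, which the sender controls, and the in-addr.arpa zone for
# 198.3.136.0/24, which the address holder (av8.com) controls. 192.0.2.0/24 is
# documentation space (TEST-NET-1), used here for a constructed second host.
FORWARD = {                                   # A records: owner -> addresses
    "fred.whistle.com.": {"198.3.136.10"},    # whistle.com naming someone else's IP
    "starship.av8.com.": {"198.3.136.10"},
    "mail.whistle.com.": {"192.0.2.25"},
}
REVERSE = {                                   # PTR records: owner -> hostnames
    "10.136.3.198.in-addr.arpa.": {"starship.av8.com."},
    "25.2.0.192.in-addr.arpa.": {"mail.whistle.com."},
}

def canon(name: str) -> str:
    """Lower-case and fully qualify a hostname so comparisons are case-insensitive."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def ptr_owner(ip: str) -> str:
    """Owner name of the PTR record for an address, e.g. 10.136.3.198.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def confirmed_names(ip: str) -> set[str]:
    """Forward-confirmed reverse DNS: names returned by the PTR whose own A record
    maps back to ip. A forward-only record (fred.whistle.com) never appears here,
    because the PTR lives in a zone the forward-zone owner cannot edit."""
    return {n for n in REVERSE.get(ptr_owner(ip), set()) if ip in FORWARD.get(n, set())}

def name_is_confirmed(ip: str, claimed: str) -> bool:
    """True only if the name a peer claims for itself survives the FCrDNS check."""
    return canon(claimed) in confirmed_names(ip)

if __name__ == "__main__":
    ip = "198.3.136.10"
    print(confirmed_names(ip))                                  # {'starship.av8.com.'}
    print(name_is_confirmed(ip, "STARSHIP.av8.com"))            # True
    print(name_is_confirmed(ip, "fred.whistle.com"))            # False: forward lie only
    print(name_is_confirmed("192.0.2.25", "mail.whistle.com"))  # True
```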