Sander Steffann wrote:
Also remember that this thread is on secure rDNS by the ISP, which means you can't expect the ISP to operate rDNS very securely even though the ISP operates the rest of its networking not very securely.
You're linking things together that are completely orthogonal...
You misunderstand very basic points about why forward and reverse DNS checking is useful. If an attacker can snoop a DHCP reply packet to a victim's CPE, the attacker can snoop any packet to a victim's server, which is already bad. Worse, the attacker can override a connection to the server by forging reply packets as if they were returned by the legitimate server with correct TCP sequence numbers etc., which is especially effective if combined with a DoS attack on the legitimate server. Thus, there is no point in making forward and reverse DNS secure. That is, Mark's security model is broken only to introduce obscurity with worse security.

Masataka Ohta

PS: If the server and its clients share some secret for mutual authentication as protection against snooping, there is no point in making forward and reverse DNS secure.