On Tue, Nov 5, 2013 at 6:00 PM, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
Sander Steffann wrote:
...
You're linking things together that are completely orthogonal...
You misunderstand very basic points on why forward and reverse DNS checking is useful.
Just to note... the main reason checking reverse DNS stays useful is that it is so hard to change in many cases. Specifically: if a server at some IP address X is under the control of a spammer, and rDNS is not set up, or rDNS points to some dynamic-looking hostname, it will be difficult or not possible for the spammer to modify the rDNS of the IP address in many cases; the rDNS is most often managed by the ISP. Or it may be in a DNS infrastructure running on separate networks, with separate access credentials.

If rDNS were easy to change, e.g. if you just needed to guess a password to the server and get signing key information from a DHCP transaction, the spammer would just change it.

Delegating "Secure rDNS update" with prefix delegation may in fact make rDNS information so easy to publish that the spammers of the world can do it, after compromising a router or host on the victim network, and just "registering the better hostname in the DNS". The update process may be "secure", but there are new attack vectors.

The value of even looking at rDNS, let alone worrying about Forward+Reverse DNS agreement/confirmation, may not translate well to IPv6.

-- 
-JH
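The forward-confirmed reverse DNS check that the thread keeps referring to (look up the PTR for the connecting address, then look up the A/AAAA records of the returned name and require that the original address is among them, while also flagging a missing PTR or a dynamic-looking hostname) is shown below as an added example. It is not code from the poster or from any ISP's tooling. To run offline it resolves against a small constructed record set instead of a live resolver; the record contents, the hostnames, and the "dynamic-looking" keyword list are assumptions for illustration, and the dynamic-name heuristic is exactly that, a heuristic.

```python
import ipaddress
import re

# Constructed sample DNS data for an offline demonstration (not real records).
# Keys are fully qualified names with a trailing dot, as a resolver returns them.
# reverse_pointer builds "1.2.0.192.in-addr.arpa" / "...ip6.arpa" for us.
PTR_RECORDS = {
    ipaddress.ip_address("192.0.2.1").reverse_pointer + ".": ["mail.example.net."],
    ipaddress.ip_address("192.0.2.2").reverse_pointer + ".": ["host-192-0-2-2.dyn.example-isp.net."],
    ipaddress.ip_address("192.0.2.3").reverse_pointer + ".": ["mail.example.org."],
    ipaddress.ip_address("2001:db8::25").reverse_pointer + ".": ["mx.example.com."],
    # 192.0.2.4 deliberately has no PTR record at all.
}

ADDRESS_RECORDS = {
    "mail.example.net.": ["192.0.2.1"],
    "host-192-0-2-2.dyn.example-isp.net.": ["192.0.2.2"],
    "mail.example.org.": ["198.51.100.7"],   # forward does NOT point back to 192.0.2.3
    "mx.example.com.": ["2001:db8::25"],
}

# Assumed keyword list: labels commonly used by ISPs for end-user pools.
DYNAMIC_KEYWORDS = re.compile(
    r"(^|[.-])(dyn|dynamic|dhcp|pool|pppoe|dsl|cable|dialup)([.-]|$)", re.I
)


def looks_dynamic(hostname, ip):
    """Heuristic: a PTR that names a pool, or that embeds the address itself."""
    name = hostname.rstrip(".").lower()
    if DYNAMIC_KEYWORDS.search(name):
        return True
    if ip.version == 4:
        # e.g. host-192-0-2-2: every octet shows up as its own token in the name.
        tokens = set(re.split(r"[^0-9a-z]+", name))
        return set(str(ip).split(".")) <= tokens
    return False


def fcrdns_check(address, ptr_records=PTR_RECORDS, address_records=ADDRESS_RECORDS):
    """Return (verdict, hostname) for a connecting address.

    verdict is one of:
      "no_ptr"    - reverse lookup returned nothing
      "dynamic"   - PTR exists but looks like an end-user pool name
      "mismatch"  - PTR exists but its A/AAAA records do not include the address
      "confirmed" - PTR name resolves forward back to the address (FCrDNS passes)
    """
    ip = ipaddress.ip_address(address)
    names = ptr_records.get(ip.reverse_pointer + ".", [])
    if not names:
        return ("no_ptr", None)

    # A dynamic-looking PTR is flagged even if it happens to confirm forward,
    # since the point is that a mail server should not live on such an address.
    for name in names:
        if looks_dynamic(name, ip):
            return ("dynamic", name)

    # Forward confirmation: at least one returned name must resolve back to ip.
    for name in names:
        forward = {ipaddress.ip_address(a) for a in address_records.get(name, [])}
        if ip in forward:
            return ("confirmed", name)
    return ("mismatch", names[0])


if __name__ == "__main__":
    for addr in ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "2001:db8::25"]:
        print(addr, fcrdns_check(addr))
```

To use this against real DNS, replace the two dictionaries with calls to a resolver library that returns the PTR and A/AAAA answer sets; the decision logic stays the same. Note that the "mismatch" case is the one the thread's argument rests on: a spammer who controls the host can publish any forward record, but cannot make a PTR they do not control agree with it.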