| From: | "Howard, Lee" <lee.howard@twcable.com> |
| To: | "krb5-bugs@mit.edu" <krb5-bugs@mit.edu> |
| Date: | Wed, 12 Nov 2014 12:24:49 -0500 |
| Subject: | Documentation__Principal names and DNS |
I presented today at the DNSOP WG about reverse DNS, and how it's used.
The context is that in IPv6, it is hard for ISPs to populate PTRs. So, is
it worth the effort? see draft-howard-isp-ip6rdns
Someone said, "SSH using PTRs for security is stupid" and there was
thunderous applause. I'm following up on the DNSOP mailing list to
confirm, but there seems to be consensus that the default behavior of
rejecting an SSH connection because a PTR record is missing is stupid.
So, what would it take to change the default behavior from rdns = true to
rdns = false?
Thanks,
Lee
This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.
The context is that in IPv6, it is hard for ISPs to populate PTRs. So, is
it worth the effort? see draft-howard-isp-ip6rdns
Someone said, "SSH using PTRs for security is stupid" and there was
thunderous applause. I'm following up on the DNSOP mailing list to
confirm, but there seems to be consensus that the default behavior of
rejecting an SSH connection because a PTR record is missing is stupid.
So, what would it take to change the default behavior from rdns = true to
rdns = false?
Thanks,
Lee
This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.