Re: [DNSOP] WGLC: "Considerations for the use of DNS Reverse Mapping"

JINMEI Tatuya / 神明達哉 <jinmei@wide.ad.jp> Fri, 28 March 2008 22:47 UTC

Return-Path: <dnsop-bounces@ietf.org>
X-Original-To: ietfarch-dnsop-archive@core3.amsl.com
Delivered-To: ietfarch-dnsop-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0492F3A7048; Fri, 28 Mar 2008 15:47:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -97.213
X-Spam-Level:
X-Spam-Status: No, score=-97.213 tagged_above=-999 required=5 tests=[AWL=0.024, BAYES_00=-2.599, CHARSET_FARAWAY_HEADER=3.2, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P-1rNZgJsvhA; Fri, 28 Mar 2008 15:47:34 -0700 (PDT)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0B41A3A6BAF; Fri, 28 Mar 2008 15:47:34 -0700 (PDT)
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5890B3A6DC1 for <dnsop@core3.amsl.com>; Fri, 28 Mar 2008 15:47:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fQkILz3VH9mX for <dnsop@core3.amsl.com>; Fri, 28 Mar 2008 15:47:31 -0700 (PDT)
Received: from mon.jinmei.org (mon.jinmei.org [IPv6:2001:4f8:3:36::162]) by core3.amsl.com (Postfix) with ESMTP id 41A153A68FC for <dnsop@ietf.org>; Fri, 28 Mar 2008 15:47:30 -0700 (PDT)
Received: from user-64-9-237-133.googlewifi.com (unknown [IPv6:2001:4f8:3:bb:217:f2ff:fee0:a91f]) by mon.jinmei.org (Postfix) with ESMTP id D2A8D33C37; Fri, 28 Mar 2008 15:47:29 -0700 (PDT)
Date: Fri, 28 Mar 2008 15:47:29 -0700
Message-ID: <m2fxualb3y.wl%Jinmei_Tatuya@isc.org>
From: JINMEI Tatuya / 神明達哉 <jinmei@wide.ad.jp>
To: Peter Koch <pk@DENIC.DE>
In-Reply-To: <20080314034500.GE7553@x27.adm.denic.de>
References: <20080314034500.GE7553@x27.adm.denic.de>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/22.1 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] WGLC: "Considerations for the use of DNS Reverse Mapping"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsop-bounces@ietf.org
Errors-To: dnsop-bounces@ietf.org

At Fri, 14 Mar 2008 04:45:00 +0100,
Peter Koch <pk@DENIC.DE> wrote:

> in accordance with the roadmap posted the other day, this is to initiate
> a working group last call on
> 
> 	"Considerations for the use of DNS Reverse Mapping"
> 	draft-ietf-dnsop-reverse-mapping-considerations-06.txt
> 
> ending Friday, 2008-04-04, 18:00 UTC.
> 
> The document is aimed at a status of "BCP".
> Please review the draft and send comments and/or statements of support or
> non-support to the WG mailing list.  We have taken names of volunteers,
> but everyone is encouraged to review.  There will be a five reviewer threshold
> and _no_ default action.

Here are my minor comments on the draft:

1. In Section 1.2

   Starting from a given IPv4 address (possibly the result of a query
   for an A RR), the term "existing reverse data" means that a query for
   <reversed-ip4-address>.in-addr.arpa. type PTR results in a response
   other than Name Error.

I don't think this definition is 100% appropriate.  Consider the case
where a PTR RR is not provided for <reversed-ip4-address>.in-addr.arpa
but some other type of RR (e.g. TXT) is.  Then the response to the PTR
query won't be a Name Error, but it wouldn't be reasonable to consider
it the existence of reverse data.  I'd suggest revising this to:

   Starting from a given IPv4 address (possibly the result of a query
   for an A RR), the term "existing reverse data" means that a query for
   <reversed-ip4-address>.in-addr.arpa. type PTR results in a positive
   response (i.e., one that contains a PTR RRset for the queried name
   in the answer section).

Also about the IPv6 case:

   Starting from a given IPv6 address (possibly the result of a query
   for an AAAA RR), the term "existing reverse data" means that a query
   for <reversed-ip6-address>.ip6.arpa. type PTR results in a positive
   response.

And for the definition of "missing reverse data":

   The term "missing reverse data" means that the query for existing
   reverse data results in a negative response (i.e., one that does
   not contain a PTR RRset for the queried name in the answer section,
   often with a non-zero response code).

2. In Section 2.1 (last line of page 4)

   attacker could acquire access either by by putting the target host

should be

   attacker could acquire access either by putting the target host

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
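The distinction raised in point 1 above, as an added example that is not part of the draft or of this post: a small classifier that applies the draft's original test ("response other than Name Error") next to the proposed one ("positive response containing a PTR RRset for the queried name in the answer section") to hand-constructed PTR responses. The TXT-only owner name is the interesting case: a PTR query for it returns RCODE NOERROR with an empty answer section (NODATA), which the original wording counts as existing reverse data and the proposed wording does not. The RR/Response classes, the RCODE constants and the sample responses are assumptions of this example; nothing is fetched from the network.

```python
"""Classify PTR lookup results as "existing" or "missing" reverse data.

Added example, not code from the draft or the DNSOP thread. It contrasts
the draft -06 definition (anything other than Name Error) with the
definition proposed in the reply (a positive response: NOERROR plus a PTR
RRset for the queried name in the answer section). The responses below
are constructed by hand to model what a resolver would return; no DNS
traffic is sent.
"""
from dataclasses import dataclass, field
import ipaddress

# RCODE values from RFC 1035 section 4.1.1 (named here for readability)
NOERROR = 0
SERVFAIL = 2
NXDOMAIN = 3  # "Name Error"


@dataclass
class RR:
    """One resource record in the answer section (assumed minimal model)."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    """Assumed minimal model of a DNS response: RCODE plus answer section."""
    rcode: int
    answer: list = field(default_factory=list)


def reverse_name(addr: str) -> str:
    """Owner name used for the PTR query: <reversed-ip>.in-addr.arpa. or
    <reversed-ip>.ip6.arpa., with a trailing dot (fully qualified)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def naive_existing(resp: Response) -> bool:
    """Draft -06 wording: any response other than Name Error counts."""
    return resp.rcode != NXDOMAIN


def proposed_existing(qname: str, resp: Response) -> bool:
    """Proposed wording: NOERROR and a PTR RRset for the queried name in
    the answer section. NODATA (NOERROR, empty answer), SERVFAIL and
    NXDOMAIN all fall on the "missing reverse data" side."""
    if resp.rcode != NOERROR:
        return False
    return any(rr.rtype == "PTR" and rr.name.lower() == qname.lower()
               for rr in resp.answer)


def sample_cases() -> dict:
    """Constructed responses (not captured traffic). Returns, per case,
    the pair (naive verdict, proposed verdict)."""
    q4 = reverse_name("192.0.2.1")    # 1.2.0.192.in-addr.arpa.
    q6 = reverse_name("2001:db8::1")  # ...8.b.d.0.1.0.0.2.ip6.arpa.
    cases = {
        "ptr_present": (q4, Response(NOERROR, [RR(q4, "PTR", "host.example.")])),
        "nxdomain": (q4, Response(NXDOMAIN)),
        # Owner name holds only a TXT RR: the PTR query gets NOERROR with an
        # empty answer section (NODATA). The TXT RR never appears here
        # because the query type was PTR.
        "txt_only_nodata": (q4, Response(NOERROR, [])),
        "servfail": (q4, Response(SERVFAIL)),
        "ipv6_ptr": (q6, Response(NOERROR, [RR(q6, "PTR", "host6.example.")])),
    }
    return {name: (naive_existing(resp), proposed_existing(qname, resp))
            for name, (qname, resp) in cases.items()}


if __name__ == "__main__":
    for name, (naive, proposed) in sample_cases().items():
        print(f"{name:16s} naive={naive!s:5s} proposed={proposed}")
```

Running the block prints the two verdicts side by side; the only rows where they differ are the NODATA and SERVFAIL ones, which is exactly the gap the proposed wording closes. A real implementation would also have to decide what to do with a CNAME in the reverse tree, which neither wording addresses.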