Re: Domain spoofing - was Re: [anti-spam-wg@localhost] I wrote a spamfilter in Perl

> One of the underlying reasons behind the Reverse DNS restructuring
> (see dns-wg and ncc-services-wg) is this very thing.  See
> http://www.ripe.net/reverse/proposal.html for further details.

One thing listed there I find baffling:

   - The introduction of 'name' syntax checks for the ip6.arpa and
   in-addr.arpa domains, only allowing domain for names that make sense
   in the address hierarchy i.e. those that represent "reversed"
   - The motivation for the 'name syntax check' is because there are
   currently domain objects that clearly cannot exist in the address
   hierarchy (e.g. 666.193.in-addr.arpa).

I must be missing something here.  Such objects that do not represent
reversed addresses are not problematic as far as I can see, and indeed
there are some RFCs that recommend, or at least suggest, their use (see
2317 for an example - indeed, the webpage specifically mentions 2317).

I also can't see how anyone proposes to enforce such a restriction,
unless perhaps the RIPE proposes to return NXDOMAIN rather than the
usual referral to the delegated-to servers when queried for such syntax
"errors", or unless somehow all DNS servers are modified to recognize
the reverse domains as calling for special treatment...or the proposal
calls for the RIRs and LIRs to take over all reverse domain

Or am I misunderstanding, and only _some_ such "not a reversed address"
objects are to be eliminated?  If so, it's certainly not clear from the
webpage which ones are considered problematic - and in any case, I see
nothing explaining what the problem this change will fix is (that is,
what damage is or would be done by the presence of such objects).

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
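
Added example, not part of the original message or of the RIPE proposal: one way a "name syntax check" for in-addr.arpa could be written in Python, showing how a check that accepts only reversed-address labels treats the 666.193.in-addr.arpa name quoted above and RFC 2317 style classless names. The function names, the label rules used for classless names and the sample names are assumptions made for illustration.

```python
import re

SUFFIX = ".in-addr.arpa"
OCTET = re.compile(r"(0|[1-9][0-9]{0,2})")
RANGE = re.compile(r"(0|[1-9][0-9]{0,2})([/-])([1-9][0-9]{0,2})")


def is_octet(label):
    """True if label is a decimal number 0..255 with no leading zeros."""
    return bool(OCTET.fullmatch(label)) and int(label) <= 255


def is_classless_label(label):
    """True for RFC 2317 style first labels such as "0/25" or "0-127"."""
    m = RANGE.fullmatch(label)
    if not m or int(m.group(1)) > 255:
        return False
    first, sep, second = int(m.group(1)), m.group(2), int(m.group(3))
    if sep == "/":                      # base/prefix-length, longer than /24
        return 25 <= second <= 32
    return first <= second <= 255       # first-last host range


def classify_reverse_name(name):
    """Return "reversed-address", "classless-rfc2317" or "invalid"."""
    name = name.rstrip(".").lower()
    if not name.endswith(SUFFIX):
        return "invalid"
    labels = name[: -len(SUFFIX)].split(".")
    if 1 <= len(labels) <= 4 and all(is_octet(l) for l in labels):
        return "reversed-address"
    # Assumption: a classless zone is one range label under a /24 zone.
    if (len(labels) == 4 and is_classless_label(labels[0])
            and all(is_octet(l) for l in labels[1:])):
        return "classless-rfc2317"
    return "invalid"


# Constructed sample names; the first is the one quoted in the message.
SAMPLES = [
    "666.193.in-addr.arpa",
    "2.0.192.in-addr.arpa",
    "0/25.2.0.192.in-addr.arpa",
    "0-127.2.0.192.in-addr.arpa",
]

if __name__ == "__main__":
    for n in SAMPLES:
        print(f"{n:30} {classify_reverse_name(n)}")
```

A check that accepts only the "reversed-address" class rejects both 666.193.in-addr.arpa and the two classless names; accepting the RFC 2317 forms requires the separate rule shown.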
