
Re: (ngtrans) Re: The reverse lookup issue



"Jeroen Massar" <jeroen@unfix.org> writes:

> (1) = Dynamic updates, will you really be going to let every user of
> your ISP update the reverses?

No, but the ISP trusts its own DHCP server to update its reverse
domain (which may involve updating a reverse-tree delegation).  Note
that the client does not need to update the reverse tree itself; it
can provide its DNS hostname to the DHCP server and the DHCP server
updates the reverse tree.

> In a company that's probably very different, if you got a nice tightly
> controlled environment.
> But then again, of course we got
> http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html ;)

Personally, I find the reverse tree both useful in my everyday work
and also I can see a number of future uses, such as binding keys to IP
addresses.  From an IPsec perspective, all I know is that I want to
send a packet to host X (where X is some IP Address), and I need to
key that connection.  This requires either certificates with IP
addresses or DNS lookups based on IP Address.  I certainly prefer the
latter case, because generally certificates are based on the FQDN, not
the IP Address.

If I want to talk to 1.2.3.4 and get back a certificate claiming to be
for secure.host.net, how do I know I'm talking to the right machine?
OTOH, if I can query DNS for "4.3.2.1.in-addr.arpa. IN <some keytype
record>", which is DNSSec-protected, then I have a higher assurance
that I'm actually talking to the host I think I am.

> Greets,
>  Jeroen

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
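The reverse-tree check described in the message above, as an added worked example that is not part of the original post: it builds the reverse-lookup owner name for an address (the "4.3.2.1.in-addr.arpa." form in the post, plus the ip6.arpa form for IPv6), looks it up in a constructed in-memory zone standing in for a real resolver, and only returns the key bound to the address when the answer was DNSSEC-validated and its PTR agrees with the name in the peer's certificate. The zone contents, record names and the `validated` flag are constructed assumptions; the post does not name a specific key record type.

```python
import ipaddress

# Constructed toy reverse zone (sample data, not real DNS). A real resolver
# would query the reverse tree and validate the RRSIG chain itself; here the
# "validated" flag stands in for the outcome of that validation.
TOY_REVERSE_ZONE = {
    "4.3.2.1.in-addr.arpa.": {
        "PTR": "secure.host.net.",
        "KEY": "constructed-key-A",   # hypothetical key-type record value
        "validated": True,            # answer carried a valid DNSSEC chain
    },
    "9.8.7.6.in-addr.arpa.": {
        "PTR": "secure.host.net.",
        "KEY": "constructed-key-B",
        "validated": False,           # unsigned / unvalidated answer
    },
}


def reverse_name(address: str) -> str:
    """Build the reverse-tree owner name for an IPv4 or IPv6 address.

    IPv4: dotted octets reversed under in-addr.arpa. (the post's example).
    IPv6: the 32 hex nibbles reversed, one per label, under ip6.arpa.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def lookup_reverse(address: str, zone=TOY_REVERSE_ZONE):
    """Return the reverse-tree records for `address`, or None if absent."""
    return zone.get(reverse_name(address))


def peer_key_for(address: str, claimed_fqdn: str, zone=TOY_REVERSE_ZONE):
    """Return the key the reverse tree binds to `address`, or None.

    The key is trusted only if the reverse answer exists, was DNSSEC-
    validated, and its PTR names the host the certificate claims to be.
    An unvalidated answer gives no assurance, so it is treated as absent.
    """
    rr = lookup_reverse(address, zone)
    if rr is None or not rr["validated"]:
        return None
    if rr["PTR"].rstrip(".").lower() != claimed_fqdn.rstrip(".").lower():
        return None
    return rr["KEY"]


if __name__ == "__main__":
    print(reverse_name("1.2.3.4"))
    print(peer_key_for("1.2.3.4", "secure.host.net"))  # validated: key returned
    print(peer_key_for("6.7.8.9", "secure.host.net"))  # unvalidated: None
```

The decisive line is the `validated` check: the same PTR content is present for 6.7.8.9, but without DNSSEC validation the lookup adds nothing to what the certificate already claimed, which is the point the message makes about needing a DNSSEC-protected reverse tree.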

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>