nslookup from WinNT machine

Kevin Darcy kcd at daimlerchrysler.com
Sat Jun 2 02:57:49 UTC 2001


Joseph S D Yao wrote:

> On Tue, May 29, 2001 at 05:14:53PM -0400, Kevin Darcy wrote:
> > 2) Newbies seem to always have problems comprehending the weirdo "reverse the
> > octets and append in-addr.arpa" syntax of reverse records, let alone
> > classless delegation a la RFC 2317.
>
> This seems to be the most valid problem that has been raised.  The
> other problem raised was that people misuse them - but people are very
> resourceful, and can misuse ANYTHING.

True, but some things are more prone to misuse/error than others. The in-addr.arpa
namespace is quite non-intuitive to newbies, it appears, and even a lot of ISPs
(who should know better), and thus more error-prone than most aspects of Internet
technology.

> I think reverse lookups are helpful, albeit not sufficiently reliable
> to build a complete security infrastructure on.  ;-)
>
> In a perfect world, we could all trust each other with reason.  In a
> slightly less perfect world, we could all trust each other because we
> were all using DNSsec.  I don't remember reading anywhere that we had
> reached even that level of perfection.  ;-)
>
> Can you suggest a better way of doing IP address to name lookups?

You're assuming that address-to-name lookups are necessary and/or desirable in the
first place. I don't automatically agree with that assumption, at least not as a
universal rule. For tracing back a particular address to someone responsible for
the relevant netblock, you may have noticed from my other posts that I'm a big fan
of netblock WHOIS. For routers and certain other kinds of telecom gear, perhaps
there is a convenience/courtesy case to be made for maintaining reverse DNS, so
that things like traceroute will generate "friendly" displays. But for a random
server on the net? I'm not so sure that reverse DNS is necessary or desirable in
that case. Seems like it's more trouble than it's worth, and fosters bad security
practices.

> Perhaps the answer to the comprehensibility problems is to take us out
> of the "machine language" of DNS and build a "higher-level language" in
> which to express the intricacies of DNS.

I don't think it's just syntactic incomprehensibility, so I'm not sure a new
language would help. The whole reversed-octet multi-level-delegation structure of
in-addr.arpa is what is confusing to newbies, especially if, as appears to be
increasingly common, they still don't fully understand how delegation works for
*forward* zones.


- Kevin
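The reversed-octet in-addr.arpa syntax and the RFC 2317 classless delegation discussed in this thread, as an added Python example (not part of the original post); the netblock and the delegatee's nameserver name are assumed sample values:

```python
import ipaddress
from typing import List, Tuple


def reverse_name(ip: str) -> str:
    """Fully qualified reverse-lookup name for an IPv4 or IPv6 address.

    IPv4: octets reversed under in-addr.arpa; IPv6: nibbles reversed under ip6.arpa.
    """
    return ipaddress.ip_address(ip).reverse_pointer + "."


def rfc2317_parent_records(network: str, subzone_ns: str) -> List[Tuple[str, str, str]]:
    """Records the /24 owner publishes to delegate a smaller-than-/24 block (RFC 2317).

    Returns (owner, rrtype, rdata) tuples: one NS record for the synthetic
    '<first-octet>/<prefixlen>' subzone, then one CNAME per address that redirects
    the natural PTR owner name into that subzone, where the delegatee serves the
    actual PTR records. 'subzone_ns' is the delegatee's nameserver (assumed input).
    """
    net = ipaddress.ip_network(network, strict=True)  # rejects host bits set
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 applies only to IPv4 blocks smaller than a /24")
    o1, o2, o3, first = str(net.network_address).split(".")
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa."
    # RFC 2317 uses '/' in the label; some operators substitute '-' for tooling that dislikes '/'.
    subzone = f"{first}/{net.prefixlen}.{parent}"
    records = [(subzone, "NS", subzone_ns)]
    for addr in net:
        host = str(addr).rsplit(".", 1)[1]
        records.append((f"{host}.{parent}", "CNAME", f"{host}.{subzone}"))
    return records


if __name__ == "__main__":
    print(reverse_name("192.0.2.65"))
    for rec in rfc2317_parent_records("192.0.2.64/26", "ns1.example.net.")[:3]:
        print(*rec)
```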
