Will IPv6 kill double-reverse lookups?
Jonathan de Boyne Pollard
J.deBoynePollard at Tesco.NET
Wed Nov 3 04:42:20 UTC 2004
DC> I was going to ask here if the BIND developers had thought about a
DC> feature to synthesize matching ip6.arpa and forward record sets to
DC> satisfy TCP Wrappers and the like, [...]
Of course, one doesn't actually need a full blown content DNS server
with a database. "walldns" is a special-purpose content DNS server that
already does this sort of synthesis for "in-addr.arpa.", on the fly.
<URL:http://cr.yp.to/djbdns/walldns.html>
You might like to ask Felix von Leitner if he has any plans to extend
his IP version 6 augmentation to cover "walldns" as well, so that it
performs synthesis for "ip6.arpa." subdomains too. It shouldn't be too
hard.
<URL:http://www.fefe.de/dns/>
DC> I began to wonder whether this problem will serve as an agitator to
DC> get people to stop fooling themselves into using DNS for endpoint
DC> authentication/authorization.
Sadly, I suspect it will not. You will be amazed at how resistant some
people are to learning that this nonsense provides no security at all
beyond what one can already do with the original IP address that one
started with. Mail system administrators are particularly fond of this
Half-Baked Idea (and its cousins).
<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-avoid-double-reverse.html>
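The on-the-fly synthesis discussed above, generalized to cover "ip6.arpa." as well as "in-addr.arpa.", as an added example that is not part of the original post and is not walldns or djbdns code. It assumes a scheme in which the reverse name itself is handed back as the host name; all function names are hypothetical.

```python
import ipaddress

HEX = set("0123456789abcdef")

def address_from_reverse_name(name):
    """Decode an in-addr.arpa/ip6.arpa owner name; None if it is not one."""
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = labels[:32][::-1]
            if all(len(n) == 1 and n in HEX for n in nibbles):
                return ipaddress.IPv6Address(int("".join(nibbles), 16))
    except ValueError:
        pass  # malformed octet: not a valid reverse name
    return None

def synthesize(qname, qtype):
    """Answer PTR/A/AAAA from the query name alone, with no zone database."""
    addr = address_from_reverse_name(qname)
    if addr is None:
        return None
    if qtype == "PTR":
        # Assumed scheme: the reverse name itself is the host name.
        return qname.lower().rstrip(".") + "."
    if (qtype, addr.version) in (("A", 4), ("AAAA", 6)):
        return str(addr)
    return None

def double_reverse_ok(client_ip, resolve):
    """The TCP-Wrappers-style check: PTR, then forward, then compare."""
    ip = ipaddress.ip_address(client_ip)
    host = resolve(ip.reverse_pointer + ".", "PTR")
    if host is None:
        return False
    forward = resolve(host, "AAAA" if ip.version == 6 else "A")
    return forward is not None and ipaddress.ip_address(forward) == ip

if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    for ip in ("192.0.2.7", "2001:db8::1", "2001:db8:ffff::dead:beef"):
        print(ip, synthesize(ipaddress.ip_address(ip).reverse_pointer, "PTR"),
              double_reverse_ok(ip, synthesize))
```

Against this resolver the double-reverse check passes for every address, since both answers are derived from the address the check started with.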