ietf-nntp BCP for RFC977 server/RFC1036 interaction
der Mouse
mouse at Rodents.Montreal.QC.CA
Sat Mar 29 04:55:22 PST 1997
>>> [use the one you can trust]
>> Hmm, that would almost mandate that the one be the IP address.
>> After all, we're talking about an authentication aid here; the bad
>> guy could change his DNS, make his post, and change it back, for
>> example.
> Not if you do forward/backward address lookups, right?
Not until dnssec is widely enough deployed that one can be certain the
forward DNS lookup hasn't hit a server the attacker managed to confuse
(eg, force trash into the cache of), and perhaps not even then - prima
facie, the IP address itself is more trustworthy than anything derived
therefrom.
Personally, I would prefer to see both the original IP address and the
name it mapped into at the time (which is not necessarily the name it
maps into now, even aside from DNS-corrupting attacks).
der Mouse
mouse at rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
More information about the ietf-nntp
mailing list