Re: Domain spoofing - was Re: [anti-spam-wg@localhost] I wrote a spamfilter in Perl
- Date: Thu, 9 Oct 2003 05:19:01 -0400 (EDT)
> One of the underlying reasons behind the Reverse DNS restructuring
> (see dns-wg and ncc-services-wg) is this very thing. See
> http://www.ripe.net/reverse/proposal.html for further details.
One thing listed there I find baffling:
- The introduction of 'name' syntax checks for the ip6.arpa and
in-addr.arpa domains, only allowing domain for names that make sense
in the address hierarchy i.e. those that represent "reversed"
addresses.
[...]
- The motivation for the 'name syntax check' is because there are
currently domain objects that clearly cannot exist in the address
hierarchy (e.g. 666.193.in-addr.arpa).
I must be missing something here. Such objects that do not represent
reversed addresses are not problematic as far as I can see, and indeed
there are some RFCs that recommend, or at least suggest, their use (see
2317 for an example - indeed, the webpage specifically mentions 2317).
I also can't see how anyone proposes to enforce such a restriction,
unless perhaps the RIPE proposes to return NXDOMAIN rather than the
usual referral to the delegated-to servers when queried for such syntax
"errors", or unless somehow all DNS servers are modified to recognize
the reverse domains as calling for special treatment...or the proposal
calls for the RIRs and LIRs to take over all reverse domain
nameservice.
Or am I misunderstanding, and only _some_ such "not a reversed address"
objects are to be eliminated? If so, it's certainly not clear from the
webpage which ones are considered problematic - and in any case, I see
nothing explaining what the problem this change will fix is (that is,
what damage is or would be done by the presence of such objects).
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
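To make the disagreement concrete, here is an added example (not code from the post, from RIPE, or from the proposal) of what a "name syntax check" on in-addr.arpa / ip6.arpa would accept and reject, and why RFC 2317 names are a problem for it. The rule that a name must "make sense in the address hierarchy" is my reading of the proposal text quoted above: each in-addr.arpa label a decimal octet 0-255 (at most four), each ip6.arpa label a single hex nibble (at most 32). The RFC 2317 branch recognizes the "0/25" and "0-127" leftmost-label forms that RFC 2317 itself suggests; the sample names are constructed for illustration.

```python
"""Classify names under in-addr.arpa and ip6.arpa.

Added example, not from the mailing-list post or the RIPE proposal.
Returns (kind, network-as-string) where kind is one of
'ipv4', 'ipv6', 'rfc2317' or 'invalid'.
"""
import ipaddress
import re

_OCTET = re.compile(r"^(0|[1-9][0-9]{0,2})$")        # decimal, no leading zeros
_NIBBLE = re.compile(r"^[0-9a-f]$")                  # one hex digit per label
_RFC2317 = re.compile(r"^(\d{1,3})([/-])(\d{1,3})$")  # "0/25" or "0-127"


def _octet(label):
    """Return the octet value for a canonical 0-255 label, else None."""
    if not _OCTET.match(label):
        return None
    value = int(label)
    return value if value <= 255 else None


def _ipv4_net(octets_msb_first, plen):
    """Build 'a.b.c.d/plen' from most-significant-first octets, or None."""
    addr = list(octets_msb_first) + [0] * (4 - len(octets_msb_first))
    try:
        # strict=True rejects host bits set below the prefix (misaligned blocks)
        return str(ipaddress.ip_network("%d.%d.%d.%d/%d" % (*addr, plen)))
    except ValueError:
        return None


def classify_reverse_name(name):
    """Strict 'reversed address' syntax check, plus RFC 2317 recognition."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2:] == ["in-addr", "arpa"]:
        body = labels[:-2]
        octets = [_octet(lbl) for lbl in body]
        # Pure case: every label is an octet, so the name is a /8, /16, /24 or /32.
        if 1 <= len(octets) <= 4 and None not in octets:
            net = _ipv4_net(list(reversed(octets)), 8 * len(octets))
            return ("ipv4", net) if net else ("invalid", None)
        # RFC 2317 case: leftmost label names a sub-/24 block, e.g. "0/25".
        m = _RFC2317.match(body[0])
        rest = [_octet(lbl) for lbl in body[1:]]
        if m and len(rest) == 3 and None not in rest:
            start, sep, tail = int(m.group(1)), m.group(2), int(m.group(3))
            if sep == "/":
                plen = tail
            else:
                size = tail - start + 1             # "0-127" covers 128 addresses
                if size <= 0 or size & (size - 1):  # must be a power of two
                    return "invalid", None
                plen = 32 - (size.bit_length() - 1)
            if not 25 <= plen <= 32 or start > 255:
                return "invalid", None
            net = _ipv4_net(list(reversed(rest)) + [start], plen)
            return ("rfc2317", net) if net else ("invalid", None)
        return "invalid", None
    if len(labels) >= 3 and labels[-2:] == ["ip6", "arpa"]:
        body = labels[:-2]
        if 1 <= len(body) <= 32 and all(_NIBBLE.match(lbl) for lbl in body):
            nibbles = "".join(reversed(body)).ljust(32, "0")
            groups = ":".join(nibbles[i:i + 4] for i in range(0, 32, 4))
            net = ipaddress.ip_network("%s/%d" % (groups, 4 * len(body)))
            return "ipv6", str(net)
        return "invalid", None
    return "invalid", None


# Constructed sample names for illustration (not taken from any registry).
SAMPLES = [
    "193.in-addr.arpa",                 # a /8: passes the strict check
    "1.0.168.192.in-addr.arpa",         # a /32: passes
    "666.193.in-addr.arpa",             # the proposal's example: fails
    "0/25.2.0.192.in-addr.arpa",        # RFC 2317 form: fails the strict check
    "128-255.2.0.192.in-addr.arpa",     # RFC 2317 "-" variant: also fails it
    "100-200.2.0.192.in-addr.arpa",     # not a CIDR-aligned block
    "8.b.d.0.1.0.0.2.ip6.arpa",         # 2001:db8::/32: passes
    "example.com",                      # not a reverse name at all
]


def strict_check_only(name):
    """What a pure 'reversed address' syntax check would say (no 2317 carve-out)."""
    kind, _ = classify_reverse_name(name)
    return kind in ("ipv4", "ipv6")


if __name__ == "__main__":
    for n in SAMPLES:
        kind, net = classify_reverse_name(n)
        print("%-32s strict=%-5s %-8s %s" % (n, strict_check_only(n), kind, net))
```

The point the output makes is the one the post raises: 666.193.in-addr.arpa fails the check as intended, but so does every RFC 2317 delegation name, because "0/25" is not an octet. A registry applying the check literally would therefore have to either carve out the 2317 forms explicitly (as the `rfc2317` branch does here) or stop accepting classless delegations.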