Thread: Re: Proposed text for reverse-mapping-considerations draft




Re: Proposed text for reverse-mapping-considerations draft
2007-05-31 22:41:58
On Thu, 31 May 2007, Olafur Gudmundsson wrote:

> I think this text is helpful, to understand where the 'requirement'
> for reverse DNS entries came from. This mechanism was used by ftp
> servers to keep logs and enforce export control on cryptographic
> software

I don't know of anyone ever using reverse DNS to enforce export control
of crypto software. The only sites that did even note export control
restrictions (e.g. MIT for Kerberos), required first reading a notice
containing the export restriction notice in order to obtain a 'secret'
hidden FTP directory.

I note also that using Reverse DNS to implement such controls would be
easily and trivially spoofed, so if it ever _was_ used that way, it's an
example of what not to do.

		--Dean



-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop
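
Added example, not part of the mailing-list thread: a sketch of why a reverse-DNS-only access check is weak and how a forward-confirmed lookup tightens it. The zone data, addresses, host names and the `ALLOWED_SUFFIX` policy are constructed for illustration.

```python
import ipaddress

# Constructed zone data (documentation addresses and example names).
# PTR data is published by whoever runs the reverse zone for the address
# block; A data is published by whoever runs the forward zone for the name.
PTR = {
    "192.0.2.10": ["ftp-client.example.edu."],   # host inside the allowed domain
    "203.0.113.7": ["ftp-client.example.edu."],  # unrelated block, same PTR claim
    "198.51.100.5": [],                          # no reverse mapping at all
}
A = {"ftp-client.example.edu.": ["192.0.2.10"]}

ALLOWED_SUFFIX = ".example.edu."  # hypothetical access policy


def norm(name):
    """Lower-case and fully qualify a DNS name for comparison."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def ptr_lookup(ip):
    return PTR.get(ip, [])


def a_lookup(name):
    return A.get(norm(name), [])


def ptr_only_check(ip):
    """Reverse-DNS-only control: trusts whatever name the PTR returns."""
    return any(norm(n).endswith(ALLOWED_SUFFIX) for n in ptr_lookup(ip))


def forward_confirmed_check(ip):
    """Accept a PTR name only if it also resolves forward to the same address."""
    addr = ipaddress.ip_address(ip)
    for name in ptr_lookup(ip):
        if not norm(name).endswith(ALLOWED_SUFFIX):
            continue
        if any(ipaddress.ip_address(a) == addr for a in a_lookup(name)):
            return True
    return False


def compare(ips):
    """Return {ip: (ptr_only, forward_confirmed)} for each address."""
    return {ip: (ptr_only_check(ip), forward_confirmed_check(ip)) for ip in ips}
```

Forward confirmation only shows that the reverse and forward zones agree; it does not authenticate the user behind the address.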

Re: Proposed text for reverse-mapping-considerations draft
2007-06-01 10:07:51
At 23:41 -0400 5/31/07, Dean Anderson wrote:

>I don't know of anyone ever using reverse DNS to enforce export control
>of crypto software.

We ("we" referring to my employer in 1997) did.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Sarcasm doesn't scale.


Re: Proposed text for reverse-mapping-considerations draft
2007-06-01 12:08:29
At 11:07 AM -0400 6/1/07, Edward Lewis wrote:
>At 23:41 -0400 5/31/07, Dean Anderson wrote:
>
>>I don't know of anyone ever using reverse DNS to enforce export control
>>of crypto software.
>
>We ("we" referring to my employer in 1997) did.

I can confirm Ed's point that reverse DNS lookup was the technique approved
by appropriate government officials when it was applied to at least some
export controlled software.  I think that 1997 was within the time frame it
was being used but I'm less certain about the dates that it was actually
required since the rule set changed over time - but it was required to make
our early early DNSSEC implementation available on an ftp server and was
considered adequate by the government officials (even though I always
thought that it was a Really Dumb control!).

Russ Mundy


Re: Proposed text for reverse-mapping-considerations draft
2007-06-01 14:36:15
At 13:08 -0400 6/1/07, Russ Mundy wrote:

>considered adequate by the government officials (even though I always
>thought that it was a Really Dumb control!).

Well, you could (cynically) argue it was quite effective and
efficient. And we are speaking from operational experience and not
conjecture.

It was easy to set up and maintain.  (Low cost solution.)
No one who wanted and should have access was denied. (No false positives.)
No one reported the code being in the wrong hands. (No breaches.)

;)

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Sarcasm doesn't scale.
