ATTBI refuses to do reverse DNS?

In the referenced message, Daniel Senie said:

<snip>

> >Is this common?
>
> I have a CDPD card which has a fixed address. It's from Verizon Wireless.
> There's no INADDR. There seems to be a lack of understanding and clue all
> around on INADDR, which is the motivation for the above-mentioned draft.
> Having something to point network operators and server operators to would,
> IMO, help.

The lack of clue tends to be on the providing in-addr side of things.
I think it is a great thing to refuse connections from IPs without
in-addr, in the same way it is great to refuse mail from domains that
don't provide postmaster addresses.

It is a means through which one can influence the laziness of others.
Simply disregarding what others do only legitimizes the laziness, and
continues us along the road of everyone doing the absolute minimum.

Simply accepting the connections seems to be a "path of least resistance"
which befits a pointy-hair more than an engineer.

> >--
> >I suppose I could set up a bogus reverse for him, but, feh...
>
> Either you set up something, or you can make your server not care about
> reverse, or lose the customer.

You neglect to include the option of the customer changing to an ISP
that provides in-addr.

In the referenced message, Daniel Senie said:
>
<snip>
> >Is this common?
>
> I have a CDPD card which has a fixed address. It's from Verizon Wireless.
> There's no INADDR. There seems to be a lack of understanding and clue all
> around on INADDR, which is the motivation for the above-mentioned draft.
> Having something to point network operators and server operators to would,
> IMO, help.

> The lack of clue tends to be on the providing in-addr side of things.
> I think it is a great thing to refuse connections from IPs without
> in-addr, in the same way it is great to refuse mail from domains that
> don't provide postmaster addresses.
>
> It is a means through which one can influence the laziness of others.
> Simply disregarding what others do only legitimizes the laziness, and
> continues us along the road of everyone doing the absolute minimum.

While I believe people SHOULD be providing INADDR service, the people hurt by refusing connections are rarely the ones who have any influence. Just as Network Address Translation is not a security solution, neither is checking INADDR. Now if you check INADDR over Secure DNS, you might start having some level of information to trust.

> Simply accepting the connections seems to be a "path of least resistance"
> which befits a pointy-hair more than an engineer.

Well, this engineer also has customers to take care of. Those customers cannot easily influence ATT Broadband or ATT Wireless to do things "right". So, I choose to keep having customers rather than closing down my business over others not having INADDR.

> >--
> >I suppose I could set up a bogus reverse for him, but, feh...
>
> Either you set up something, or you can make your server not care about
> reverse, or lose the customer.

> You neglect to include the option of the customer changing to an ISP
> that provides in-addr.

Please explain how a customer changes to another broadband vendor, or another CDPD vendor. Despite your company's presence in a limited number of markets, there are MANY people out there with only one choice (if they're lucky) for broadband. I'd be more likely to lose a customer than get them to change ISPs.

Thus spake "Stephen Griffin" <stephen.griffin@rcn.com>

> The lack of clue tends to be on the providing in-addr side of
> things. I think it is a great thing to refuse connections from
> IPs without in-addr, in the same way it is great to refuse mail
> from domains that don't provide postmaster addresses.

On first reading, I thought that was sarcasm. Now I realize you're serious.

> It is a means through which one can influence the laziness of
> others. Simply disregarding what others do only legitimizes
> the laziness, and continues us along the road of everyone
> doing the absolute minimum.
> ...
> You neglect to include the option of the customer changing
> to an ISP that provides in-addr.

So, if you ran Amazon.com, you wouldn't accept money from customers of clueless
ISPs?

Sadly, even that level of coercion wouldn't be anywhere near enough to motivate
most ISPs. And your (non-)customers will be caught in the crossfire.

S

> Thus spake "Stephen Griffin" <stephen.griffin@rcn.com>
> > The lack of clue tends to be on the providing in-addr side of
> > things. I think it is a great thing to refuse connections from
> > IPs without in-addr, in the same way it is great to refuse mail
> > from domains that don't provide postmaster addresses.
>
> On first reading, I thought that was sarcasm. Now I realize you're serious.

  I've found that filtering out mail from
people that have no reverse dns tends to typically point to
a) open-relays, b) spam, c) lack of working abuse/postmaster.

> > It is a means through which one can influence the laziness of
> > others. Simply disregarding what others do only legitimizes
> > the laziness, and continues us along the road of everyone
> > doing the absolute minimum.
> > ...
> > You neglect to include the option of the customer changing
> > to an ISP that provides in-addr.
>
> So, if you ran Amazon.com, you wouldn't accept money from customers of clueless
> ISPs?

  You can't do it on the store side, but you can do it on the
residential customer side, or at least give those messages a higher
level of attention in any overall spam score for a message.

> Sadly, even that level of coercion wouldn't be anywhere near enough to motivate
> most ISPs. And your (non-)customers will be caught in the crossfire.

  Anyone that sends e-mail to me from a host/server with no reverse
dns I will not see. It is not rejected w/ 400/500 series code
as I know some people do. It goes to its own 'spam' folder.

  I have found that some companies (American Express, for
example) can not seem to make their systems have reverse dns, and
they suffer from the lack of a working postmaster/hostmaster
address too.

  It just means i read that folder once every few days and
periodically send e-mail to people i know that have hit the filter
or other legit folks.

  - jared

And it will continue to work that way.

  That is the quality work of the people who spend many
man-hours putting together such a system that is robust enough
that when i decide that when you send me e-mail (not via a list)
from a host that has no reverse dns, i can easily flag that for
further scrutiny.

  What you are missing here is that, while yes, you can
send e-mail from root@[1.2.3.4] to people, they may say "hmm, e-mail
from an ip address is not typical of the people that i communicate
with", and therefore treat it differently. just like policy-routing
but for your mailbox.

  it is a good reflection of provider clue(tm). even if they
have rev-192.168.0.1.example.com. as their reverse dns, it's slightly
more responsible (imho) than nothing/nxdomain.

  - jared

[ On Tuesday, June 18, 2002 at 17:29:18 (-0400), Stephen Griffin wrote: ]

Subject: Re: ATTBI refuses to do reverse DNS?

> The lack of clue tends to be on the providing in-addr side of things.
> I think it is a great thing to refuse connections from IPs without
> in-addr, in the same way it is great to refuse mail from domains that
> don't provide postmaster addresses.

Providing or not providing reverse DNS is not really the central issue
here -- it is whether the reverse DNS is correct, i.e. consistent with
the "forward" hostnames, or not, that really matters. Usually it's
better to have no reverse DNS at all than to have broken reverse DNS. I
agree though it's much better to always have correct reverse DNS! :wink:

[ On Tuesday, June 18, 2002 at 17:47:10 (-0400), Daniel Senie wrote: ]

Subject: Re: ATTBI refuses to do reverse DNS?

> While I believe people SHOULD be providing INADDR service, the people hurt
> by refusing connections are rarely the ones who have any influence.

On the contrary!

The people who are supposedly hurt here are those who ultimately have
the most influence. In the end they can vote with their wallets even if
they can't edit the appropriate zone files directly. (And the whole
idea behind DNS trust really revolves around having two different
parties agree on the mapping, not in simply allowing the user to edit
their own reverse DNS!)

> Just as
> Network Address Translation is not a security solution, neither is checking
> INADDR.

I don't think anyone has said that DNS consistency is a security
solution. You keep confusing these concepts I think. It's only one
tiny part of the picture. Fully consistent DNS only increases the level
of trust you can have in the hostnames used. Since hostnames are
supposed to be more stable than IP addresses, you _want_ to have more
trust in the hostnames, but with current protocols you cannot unless
there is full consistency between forward and reverse lookups.

> Now if you check INADDR over Secure DNS, you might start having
> some level of information to trust.

We can only hope, but I'll believe it when I see it.
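As an added example that is not from any poster in this thread, here is the forward-confirmed reverse DNS check described above (PTR name must resolve back to the connecting address), together with the "file it, don't reject it" mailbox policy Jared described earlier. The zone data, hostnames and resolver functions are constructed stand-ins so the code runs offline; a real deployment would replace the two lookup functions with an actual resolver.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed stand-in for live DNS (assumption: runs offline, no resolver).
# PTR data is keyed by the in-addr.arpa name the check would actually query.
PTR_ZONE: Dict[str, List[str]] = {
    "10.2.0.192.in-addr.arpa": ["mail.example.net."],            # forward agrees
    "20.2.0.192.in-addr.arpa": ["rev-192-0-2-20.example.net."],  # generic name, still agrees
    "30.2.0.192.in-addr.arpa": ["mail.example.org."],            # forward points elsewhere
    # 40.2.0.192.in-addr.arpa is absent: NXDOMAIN, i.e. no reverse at all
}
A_ZONE: Dict[str, List[str]] = {
    "mail.example.net.": ["192.0.2.10"],
    "rev-192-0-2-20.example.net.": ["192.0.2.20"],
    "mail.example.org.": ["198.51.100.5"],
}


def ptr_lookup(ip: str) -> List[str]:
    """Hypothetical PTR resolver over the constructed reverse zone."""
    return PTR_ZONE.get(ipaddress.ip_address(ip).reverse_pointer, [])


def a_lookup(name: str) -> List[str]:
    """Hypothetical A-record resolver over the constructed forward zone."""
    return A_ZONE.get(name, [])


def fcrdns_status(ip: str,
                  ptr: Callable[[str], List[str]] = ptr_lookup,
                  fwd: Callable[[str], List[str]] = a_lookup) -> str:
    """Return 'none' (no PTR at all), 'inconsistent' (PTR names do not
    resolve back to ip) or 'consistent' (some PTR name resolves to ip)."""
    names = ptr(ip)
    if not names:
        return "none"
    if any(ip in fwd(name) for name in names):
        return "consistent"
    return "inconsistent"


def mailbox_policy(ip: str) -> str:
    """Folder decision for mail from a connecting host: only consistent
    reverse DNS reaches the inbox; everything else is filed for later
    review instead of being refused with a 4xx/5xx SMTP reply."""
    return "inbox" if fcrdns_status(ip) == "consistent" else "spam-folder"
```

Note that a broken-but-present PTR (192.0.2.30) is treated no better than a missing one, which matches the point that broken reverse DNS is worth less than none.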

[ On Tuesday, June 18, 2002 at 16:54:54 (-0500), Stephen Sprunk wrote: ]

Subject: Re: ATTBI refuses to do reverse DNS?

> So, if you ran Amazon.com, you wouldn't accept money from customers of
> clueless ISPs?

Luckily Amazon.com and sites like it, and more importantly their
customers, have the assurance of credit card banks to back up their
transactions -- they don't really need any of this pesky Internet
security B.S. to secure their transactions.

Once again, thanks for imposing your conveniences on me, and for
ARBITRARILY _breaking the network_ when I choose not to participate. It
is arbitrary because you and I both know there is no technical reason to
discriminate against non-named hosts.

  Actually there is.

  statistically speaking these hosts tend to be less well
maintained and more likely the source of spam, amongst other things.

  This is only used on smtp here. It's not like i'm running
a dynamic bgp feed that injects a /32 null0 route for someone who
has no reverse dns.

  This method was not reached arbitrarily: it came after many years
of "hey, this host is an open-relay" and of attempting to contact
the RFC 2142 prescribed contacts as well as those
stored at ARIN/RIPE/APNIC to resolve the issue. These people are
either real rogue hosts, or people that don't understand why they need
such fancy services as dns. I seriously think this has to do with
clue dilution and the "diameter of the internet thread" as with the
treatment of the internet as a commodity as it has become, there are
fewer incentives to get it right rather than get the service on to bill
the customer.

  There are some days I wish it was (yes, there were others, but..)
back to the original few (ANS, uunet, SprintLink, internetMCI) as one
could expect a particular level of service and competence out of ones
provider.

  As for the original issue, i encourage ATTBI (as well as all
providers) to provide some sort of reverse dns for their netblocks
be it unknown.level3.net, or 1-2-3-4.rev.example.com.

  - Jared

If the people who "vote with their wallets" here are the ATTBI customers, don't
forget that if you're not served by DSL, cable broadband is really the only
good option for broadband access (I'm not counting satellite, with >1s ping
times, or wireless, which is still in its infancy as a residential solution).
And rarely will you find a home anywhere in the US served by more than one
cable company.

Makes it kinda hard to vote with your wallet when the vendor has de facto
monopoly power.

-C

[ On Wednesday, June 19, 2002 at 10:38:13 (-0400), Chris Woodfield wrote: ]

Subject: Re: ATTBI refuses to do reverse DNS?

> If the people who "vote with their wallets" here are the ATTBI customers, don't
> forget that if you're not served by DSL, cable broadband is really the only
> good option for broadband access (I'm not counting satellite, with >1s ping
> times, or wireless, which is still in its infancy as a residential solution).

Sounds like an opportunity for some competing provider if you ask me,
though as you say:

> And rarely will you find a home anywhere in the US served by more than one
> cable company.

Was there not once upon a time a proposal to require cable-cos
to provide what would effectively be layer-2 service to any IP provider?

I think that requirement still stands in Canada, but until newer
standards-compliant cable modems become more common it's "hard" to do
and so nobody's doing it yet (and there is some whining on both sides).

Our local cable provider pitched an MPLS-based VPN service to us
yesterday. Basically, they would group, by the MAC of the DOCSIS-compliant
cable modem, our remote users into a common Layer-2 bucket and tunnel them
directly to us, where we would handle DHCP handouts for the PCs and
routing.

Of course, they then told us it was probably a year away and our interest
sagged significantly.

Time Warner agreed to do so as a condition of the AOL merger. Most other cable
companies are fighting this tooth and nail, and winning (see AT&T in Portland,
Oregon).

-C

> Time Warner agreed to do so as a condition of the AOL merger. Most other cable
> companies are fighting this tooth and nail, and winning (see AT&T in Portland,
> Oregon).

And in doing it, so far they seem to only be allowing the likes of Earthlink, not smaller providers. If anyone's got news to the contrary, I'd sure like to hear it.

> > Time Warner agreed to do so as a condition of the AOL merger. Most other
> > cable companies are fighting this tooth and nail, and winning (see AT&T in
> > Portland, Oregon).
>
> And in doing it, so far they seem to only be allowing the likes of
> Earthlink, not smaller providers. If anyone's got news to the contrary, I'd
> sure like to hear it.

AOL/TW has authorized a smaller ISP (around 20,000 subscribers) in our
area (central Wisconsin) to offer service over their cable network.
Last I heard they were planning on a September start date.

I couldn't resist jumping in here....

<lame_cable_customer>
Why should I spend more money on DSL when 1.5M/300K Cable
access is just $39/month? As an end user, surfing the web
and using Kazaa, show me the value in paying more for rDNS.
</lame_cable_customer>

:slight_smile:

-Jim P.
