Date:      Mon, 14 Dec 1998 22:41:52 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Peter Wemm <peter@netplex.com.au>
Cc:        Dag-Erling Smorgrav <des@flood.ping.uio.no>, committers@FreeBSD.ORG
Subject:   Re: Bind sandbox bogosity 
Message-ID:  <199812150641.WAA51995@apollo.backplane.com>
References:   <199812150629.OAA03361@spinner.netplex.com.au>

:
:The interface scanning is necessary, because the DNS replies *must* come 
:from the same IP address as the query was sent to.  With a multihomed 
:host, replying from the nearest return interface is not allowed.
:
:For a static machine, this isn't a problem.  For a machine with dynamic 
:interface changes (eg: PPP links) it is a big thing.  Of course, being 
:able to control which addresses the queries got sent to would be an 
:alternative..  Or not running named at all on such boxes.
:
:Cheers,
:-Peter

    This is true, and works in the sandbox.  What doesn't work is the case
    where an interface is brought down or given a new address.

    Sigh.  I'm not rabid about keeping bind in the sandbox but, damn it,
    it sure would be nice if we could ship a reasonably secure system.  Let's
    stick with it a while longer and rip it out prior to the 3.0.1 release
    if it looks like it will be too much of a liability.

						-Matt

    Matthew Dillon  Engineering, HiWay Technologies, Inc. & BEST Internet 
                    Communications & God knows what else.
    <dillon@backplane.com> (Please include original email in any response)    
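
An added example, not part of the original message and not BIND's code: it shows why a server needs one socket per local address for the reply to come from the address that was queried. It assumes Linux (where all of 127.0.0.0/8 is local), uses 127.0.0.2 as a constructed second address, and uses an unprivileged ephemeral port in place of 53.

```python
import select
import socket

CLIENT = "127.0.0.1"   # constructed: address the resolver queries from
QUERIED = "127.0.0.2"  # constructed: second local address of the "multihomed" server

def udp(addr, port=0):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((addr, port))
    return s

def wildcard_server():
    # One socket on INADDR_ANY: needs no interface scan, kernel picks the reply source.
    return [udp("0.0.0.0")]

def per_address_server():
    # One socket per local address, all on the same port (what the scan maintains).
    first = udp(CLIENT)
    return [first, udp(QUERIED, first.getsockname()[1])]

def reply_source(server_socks):
    """Send one query to QUERIED; return the source address of the reply."""
    port = server_socks[0].getsockname()[1]
    client = udp(CLIENT)
    client.settimeout(2.0)
    try:
        client.sendto(b"query", (QUERIED, port))
        ready, _, _ = select.select(server_socks, [], [], 2.0)
        for s in ready:
            _, peer = s.recvfrom(512)
            s.sendto(b"reply", peer)   # source = this socket's bound address, if any
        _, (src, _) = client.recvfrom(512)
        return src
    finally:
        for s in [client, *server_socks]:
            s.close()

if __name__ == "__main__":
    for name, make in (("wildcard", wildcard_server), ("per-address", per_address_server)):
        src = reply_source(make())
        verdict = "accepted" if src == QUERIED else "dropped by resolver"
        print(f"{name:12s} reply from {src}: {verdict}")
```

In a real name server each of those sockets is on port 53, so opening one for an address that appears later requires the privilege to bind a reserved port.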
