From owner-freebsd-net Sun Sep 22 21:29:10 2002
Date: Mon, 23 Sep 2002 13:28:48 +0900
From: JINMEI Tatuya / 神明達哉
To: Jun-ichiro itojun Hagino
Cc: Mark_Andrews@isc.org, Juan Francisco Rodriguez Hervella, Lista, "(Lista) bind9-users@isc.org"
Subject: Re: RES_INSECURE and CHECK_SRVR_ADDR in resolver functions (IPv6 anycast response problem)
In-Reply-To: <20020923035435.657EA4B26@coconut.itojun.org>
References: <20020923035435.657EA4B26@coconut.itojun.org>
Organization: Research & Development Center, Toshiba Corp., Kawasaki, Japan.

>>>>> On Mon, 23 Sep 2002 12:54:35 +0900,
>>>>> Jun-ichiro itojun Hagino said:

>> Yes, and I know why the restriction is in RFC 1884 and it
>> is a reasonable restriction.

> I don't think so. IP source address is easy to forge and it does not
> add any meaningful protection. DNSSEC is the only way if you want trusted
> responses. Therefore, I agree with enabling RES_INSECURE1 by default.

Please let me check.

Mark said the restriction was reasonable, and he didn't say checking the
source address of a DNS response provides better security. In my
understanding his main opinion concerns effects and compatibility against
existing applications.

JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
jinmei@isl.rdc.toshiba.co.jp
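The behaviour under discussion, as an added example that is not part of the thread: a model of the resolver's response acceptance checks (ID, then the CHECK_SRVR_ADDR source-address comparison that RES_INSECURE1 disables, then the question section), run against a reply that arrives from a unicast address after the query went to an anycast address. The RES_INSECURE1 bit value, the helper names and the 2001:db8::/32 addresses are constructed for this demo and are not libresolv's own.

```python
import struct

# Constructed flag value for this model; stands in for libresolv's RES_INSECURE1 option,
# which disables the source-address check on responses (CHECK_SRVR_ADDR).
RES_INSECURE1 = 0x1


def build_query(qid: int, qname: str) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query: bytes) -> bytes:
    """Turn a query into an answer-less response: same ID, QR/RA bits set, question echoed."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HH", qid, 0x8180) + query[4:]


def accept_response(query: bytes, sent_to: str, reply: bytes, reply_from: str,
                    options: int = 0) -> str:
    """Model of the checks a stub resolver applies before trusting a UDP reply.

    Order mirrors the classic res_send() flow: transaction ID first, then the
    server-address comparison (skipped when RES_INSECURE1 is set), then the
    question section must match what was asked.
    """
    if reply[:2] != query[:2]:
        return "reject: id mismatch"
    if not (options & RES_INSECURE1) and reply_from != sent_to:
        # An anycast server answering from its unicast address fails here even
        # though the reply is legitimate; a forged reply with the right source
        # address and ID would pass, which is why this check adds little security.
        return "reject: source address mismatch"
    if reply[12:len(query)] != query[12:]:
        return "reject: question mismatch"
    return "accept"
```

With the check enabled, a reply sent to 2001:db8::1 but returned from 2001:db8::53 is dropped; with RES_INSECURE1 it is accepted, while ID and question mismatches are still rejected either way.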