Date:      Mon, 23 Sep 2002 13:28:48 +0900
From:      JINMEI Tatuya / 神明達哉 <jinmei@isl.rdc.toshiba.co.jp>
To:        Jun-ichiro itojun Hagino <itojun@itojun.org>
Cc:        Mark_Andrews@isc.org, Juan Francisco Rodriguez Hervella <jrh@it.uc3m.es.v6.isl.rdc.toshiba.co.jp>, Lista <freebsd-net@FreeBSD.ORG>, "(Lista) bind9-users@isc.org" <bind9-users@isc.org>
Subject:   Re: RES_INSECURE and CHECK_SRVR_ADDR in resolver functions (IPv6 anycast response problem) 
Message-ID:  <y7vheghcosf.wl@ocean.jinmei.org>
In-Reply-To: <20020923035435.657EA4B26@coconut.itojun.org>
References:  <20020923035435.657EA4B26@coconut.itojun.org>

>>>>> On Mon, 23 Sep 2002 12:54:35 +0900, 
>>>>> Jun-ichiro itojun Hagino <itojun@itojun.org> said:

>> Yes, and I know why the restriction is in RFC 1884 and it
>> is a reasonable restriction.

> 	I don't think so, IP source address is easy to forge and it does not
> 	add any meaningful protection.  DNSSEC is the only way if you want trusted
> 	responses.  therefore, i agree with enabling RES_INSECURE1 by default.

Please let me check.  Mark said the restriction was reasonable, and he
didn't say checking the source address of a DNS response provides
better security.  In my understanding his main opinion is effects and
compatibility against existing applications.

					JINMEI, Tatuya
					Communication Platform Lab.
					Corporate R&D Center, Toshiba Corp.
					jinmei@isl.rdc.toshiba.co.jp
