Message-Id: <200209230501.g8N51PB5078220@drugs.dv.isc.org>
To: itojun@iijlab.net
Cc: JINMEI Tatuya / 神明達哉, Lista, "(Lista) bind9-users@isc.org"
From: Mark.Andrews@isc.org
Subject: Re: RES_INSECURE and CHECK_SRVR_ADDR in resolver functions (IPv6 anycast response problem)
In-reply-to: Your message of "Mon, 23 Sep 2002 12:50:03 +0900." <20020923035004.F1D0A4B24@coconut.itojun.org>
Date: Mon, 23 Sep 2002 15:01:25 +1000

> > Yes, and I know why the restriction is in RFC 1884 and it
> > is a reasonable restriction.
>
> I don't think so,

Are you saying we should source packets from the anycast address?
If not you should quote better.

> IP source address is easy to forge and it does not
> add any meaning protection. DNSSEC is the only way if you want trusted
> responses. therefore, i agree with enabling RES_INSECURE1 by default.
>
> itojun

Source addresses can be used to separate multiple queries with the same query id. While the stub resolver rarely needs to do this a nameserver will do this all the time.

Enabling RES_INSECURE1 just hides the real problem that IPv6 anycast is broken, encourages broken nameserver implementations and leaves you with the situation where the tools using stub resolver "work" but the nameserver doesn't.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
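
The demultiplexing point made in the message above, as an added example that is not part of the original message and is not the libc resolver or BIND code: a simplified pending-query table that matches replies on (query id, source address), next to id-only matching. The function names, the `tag` handle and all addresses (documentation prefix 2001:db8::/32) are constructed for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define MAX_PENDING 8
struct pending {              /* one outstanding query */
    int in_use;
    uint16_t id;              /* DNS query id */
    struct in6_addr server;   /* address the query was sent to */
    int tag;                  /* caller's handle (hypothetical) */
};
static struct pending table[MAX_PENDING];
/* Record a query sent to `server`; returns 0 on success, -1 on error. */
int query_sent(uint16_t id, const char *server, int tag) {
    for (int i = 0; i < MAX_PENDING; i++) {
        if (table[i].in_use) continue;
        if (inet_pton(AF_INET6, server, &table[i].server) != 1) return -1;
        table[i].id = id; table[i].tag = tag; table[i].in_use = 1;
        return 0;
    }
    return -1;                /* table full */
}

/* Match a response to a pending query and return its tag, or -1.
 * check_addr != 0: match on (id, source address).
 * check_addr == 0: match on id alone, i.e. the source check is skipped. */
int response_received(uint16_t id, const char *src, int check_addr) {
    struct in6_addr from;
    if (inet_pton(AF_INET6, src, &from) != 1) return -1;
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!table[i].in_use || table[i].id != id) continue;
        if (check_addr && memcmp(&from, &table[i].server, sizeof from)) continue;
        table[i].in_use = 0;
        return table[i].tag;
    }
    return -1;                /* unexpected source or unknown id: drop */
}

int main(void) {
    /* Constructed data: the same id outstanding to two servers at once. */
    query_sent(0x1234, "2001:db8::1", 1);
    query_sent(0x1234, "2001:db8::2", 2);
    printf("reply from ::2 -> query %d\n", response_received(0x1234, "2001:db8::2", 1));
    /* Query to a constructed anycast address, answered from a unicast one. */
    query_sent(0x4321, "2001:db8::a", 3);
    int strict = response_received(0x4321, "2001:db8::53", 1);
    int loose = response_received(0x4321, "2001:db8::53", 0);
    printf("strict: %d, id-only: %d\n", strict, loose);
}
```

With the source check on, the reply to the anycast query is dropped, which is the failure discussed in this thread; with it off, that reply is accepted, but two queries sharing an id can no longer be told apart.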