Date:      Thu, 24 Aug 2006 11:55:15 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        Brooks Davis <brooks@one-eyed-alien.net>
Cc:        freebsd-net@freebsd.org, Pat Lashley <patl@volant.org>, Fredrik Lindberg <fli+freebsd-net@shapeshifter.se>
Subject:   Re: Zeroconfig and Multicast DNS
Message-ID:  <44EDF613.8080605@FreeBSD.org>
In-Reply-To: <20060824184228.GC37561@lor.one-eyed-alien.net>
References:  <3E654CC0217F90E20FCD806E@garrett.local> <44EC90B7.6090908@shapeshifter.se> <44ECB0F2.9040300@FreeBSD.org> <44ECBB61.9020808@shapeshifter.se> <5D7785ADC030FEBFB9A5E69D@garrett.local> <44ED8266.1060303@shapeshifter.se> <7C6CDF1CB0BC58A6ADE1FCA8@garrett.local> <44EDCEC2.7060109@shapeshifter.se> <93381966E13B960D4ACFF05C@garrett.local> <44EDF116.9050106@shapeshifter.se> <20060824184228.GC37561@lor.one-eyed-alien.net>

Brooks Davis wrote:
> On Thu, Aug 24, 2006 at 08:33:58PM +0200, Fredrik Lindberg wrote:

>> The nsswitch.conf should IMHO be :files dns mdns, and the mdns nss
>> module should ship with a default to only allow queries to
>>   .local
>>   .168.254.in-addr.arpa
>>   .168.192.in-addr.arpa
>>   .16.172.in-addr.arpa-31.172.in-addr.arpa
>>   .10.in-addr.arpa
>>
>> And whatever set of IPs that are assign as link/site-local for IPv6,
>> I don't remember them at the moment.
>> However it should be possible for a user to add whatever TLD he/she
>> wants or disable the restriction all together. But the default should
>> be restricted to prevent name spoofs.
> 
> Agreed.  In most environments a spoof will still be possible, but it
> would be harder and would require traffic that is detectable by a good
> IDS.

Me too. :)  The chief objection to mDNS (and other p2p types of dns
services) is the possibility of making it easier to hijack "real" websites.
I do not object (off hand) to a mechanism to define additional hostnames to
announce other than your own, but I think that we should do something like
unconditionally append .local to them to make sure that we're not creating a
bigger problem than we're solving.

Doug

-- 

    This .signature sanitized for your protection




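The allow-list policy discussed above (mdns consulted after files and dns, and only for .local names and reverse lookups in private or link-local address space unless the user widens or disables the restriction), as an added worked example. This is illustration code written for this archive page, not the FreeBSD nss_mdns module or anything posted in the thread. It assumes 169.254.0.0/16 for IPv4 link-local and fe80::/10 plus fc00::/7 for the IPv6 link-local and unique-local ranges that the message leaves unspecified; the function names (mdns_allowed, lookup_order, reverse_name_to_address, reverse_pointer) are the example's own.

```python
"""Allow-list filter for an mDNS name-service source.

Constructed example: only .local names and PTR lookups for private /
link-local address space reach mDNS by default; the caller may add
suffixes or switch the restriction off entirely.  Not the FreeBSD code.
"""
import ipaddress

# Forward-name suffixes answered via mDNS by default.
DEFAULT_SUFFIXES = ("local",)

# Address space whose reverse (PTR) lookups may go to mDNS by default:
# RFC 1918 private ranges, IPv4 link-local (assumed 169.254/16),
# IPv6 link-local (fe80::/10) and unique-local (fc00::/7).
DEFAULT_REVERSE_NETWORKS = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fe80::/10", "fc00::/7"))


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot of a fully-qualified one."""
    return name.rstrip(".").lower()


def reverse_pointer(addr_str):
    """The in-addr.arpa / ip6.arpa name that a PTR query for addr_str uses."""
    return ipaddress.ip_address(addr_str).reverse_pointer


def reverse_name_to_address(name):
    """Map a complete in-addr.arpa or ip6.arpa name back to an IP address.

    Returns None for anything that is not a well-formed, full-length
    reverse name (e.g. a bare zone name such as 168.192.in-addr.arpa)."""
    labels = normalize(name).split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = labels[:32]
            if all(len(n) == 1 for n in nibbles):
                return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    except ValueError:
        pass
    return None


def mdns_allowed(name, suffixes=DEFAULT_SUFFIXES,
                 reverse_networks=DEFAULT_REVERSE_NETWORKS, restrict=True):
    """Decide whether the mDNS source may answer a query for `name`.

    restrict=False disables the allow-list (a user choice, never the
    default); extra suffixes such as ("local", "home") widen it."""
    if not restrict:
        return True
    n = normalize(name)
    if any(n == s or n.endswith("." + s) for s in suffixes):
        return True
    addr = reverse_name_to_address(n)
    # `addr in net` is False across address families, so mixed lists are safe.
    return addr is not None and any(addr in net for net in reverse_networks)


def lookup_order(name, **policy):
    """Sources consulted for `name` under a 'hosts: files dns mdns' line,
    with mdns dropped when the allow-list says the name is not its business."""
    order = ["files", "dns"]
    if mdns_allowed(name, **policy):
        order.append("mdns")
    return order


if __name__ == "__main__":
    # Constructed sample queries, including an address just outside 172.16/12.
    for q in ("printer.local", "www.freebsd.org",
              reverse_pointer("192.168.1.1"), reverse_pointer("172.32.0.1"),
              reverse_pointer("fe80::1"), reverse_pointer("2001:db8::1")):
        print(f"{q:60} -> {' '.join(lookup_order(q))}")
```

The point of the reverse-zone handling is that a PTR allow-list has to be checked on the decoded address, not on string suffixes: the 172.16/12 block spans 16.172.in-addr.arpa through 31.172.in-addr.arpa, and a naive suffix match on "172.in-addr.arpa" would let mDNS answer for 172.32.0.1 as well.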
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44EDF613.8080605>