Date: Wed, 10 Mar 2021 08:01:02 +0000
From: bugzilla-noreply@freebsd.org
To: standards@FreeBSD.org
Subject: [Bug 248102] [local_unbound] default config file violates RFC
Message-ID: <bug-248102-99-VRt3paWCyR@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-248102-99@https.bugs.freebsd.org/bugzilla/>
References: <bug-248102-99@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248102

--- Comment #3 from Walter von Entferndt <walter.von.entferndt@posteo.net> ---
(In reply to Rodney W. Grimes from comment #2)

I had a dark memory that the meaning/usage in RFCs of these terms is non-intuitive, so I looked it up in RFC 2119 - it matches common sense:

  3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
     may exist valid reasons in particular circumstances to ignore a
     particular item, but the full implications must be understood and
     carefully weighed before choosing a different course.

  4. SHOULD NOT   This phrase, or the phrase "NOT RECOMMENDED" mean that
     there may exist valid reasons in particular circumstances when the
     particular behavior is acceptable or even useful, but the full
     implications should be understood and the case carefully weighed
     before implementing any behavior described with this label.

OK now for RFC 1918: Section 5. Operational Considerations [page 6]:

  If an enterprise uses the private address space, or a mix of private
  and public address spaces, then DNS clients outside of the enterprise
  *should* *not* see addresses in the private address space used by the
  enterprise, since these addresses would be ambiguous. One way to
  ensure this is to run two authority servers for each DNS zone
  containing both publically and privately addressed hosts. One server
  would be visible from the public address space and would contain only
  the subset of the enterprise's addresses which were reachable using
  public addresses. The other server would be reachable only from the
  private network and would contain the full set of data, including the
  private addresses and whatever public addresses are reachable the
  private network. In order to ensure consistency, both servers should
  be configured from the same data of which the publically visible zone
  only contains a filtered version. There is certain degree of
  additional complexity associated with providing these capabilities.
Conclusio: Since the network expert wizard who shipped that non-conformant default config cannot know in advance about the /particular circumstances/ of an arbitrary random network setup running a local_unbound instance, s/he may please explain how s/he was able to RFC 2119 topic 4. *SHOULD* *NOT*: /the full implications should be understood and carefully weighed/. Soothsaying? Sorcery? Do we ship magic crystal balls? How can s/he weigh what s/he doesn't know? Ah, sorry, that's what risk managers do. Is s/he?

Yes, /there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but/ please - not by default. D'accord?

PS Should we forward this to the dns/unbound port, I guess it's also affected, and s/he/they send the issue upstream?

-- 
You are receiving this mail because:
You are the assignee for the bug.
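The RFC 1918 passage quoted in the comment above describes one arrangement: both authority servers are generated from the same master data, and the publicly visible zone is a filtered copy with the private addresses removed. The following is an added example of that filtering step and of a lint check for the public view; it is not part of the original message, nor code from FreeBSD, local_unbound or unbound. The zone text, the hostnames and the simplified "name IN TYPE rdata" record format are constructed for the example.

```python
import ipaddress

# RFC 1918, Section 3: the three blocks IANA reserved for private internets.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample master data for one enterprise zone. Hosts carry both
# public (203.0.113.0/24, documentation range) and RFC 1918 addresses.
SAMPLE_ZONE = """
; example.com master data (constructed sample, not a real zone)
www.example.com.      IN A    203.0.113.10
www.example.com.      IN A    10.0.0.10      ; reachable from the private network only
intranet.example.com. IN A    10.1.2.3
mail.example.com.     IN A    203.0.113.25
mail.example.com.     IN A    192.168.5.25
mail.example.com.     IN MX   10 mail.example.com.
"""


def is_private_rfc1918(addr):
    """True if addr is an IPv4 address inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def parse_zone(text):
    """Parse the simplified 'name IN TYPE rdata' format used by SAMPLE_ZONE.

    Comments (after ';') and blank lines are ignored. Returns a list of
    (name, type, rdata) tuples; rdata keeps all trailing fields (e.g. MX).
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            raise ValueError("unsupported record line: %r" % raw)
        name, rtype, rdata = parts[0], parts[2], " ".join(parts[3:])
        records.append((name, rtype, rdata))
    return records


def find_private_addresses(records):
    """Return the A records whose address falls in RFC 1918 space.

    Run this over the data served by the public-facing server: a non-empty
    result means private addresses are visible to clients outside the
    enterprise, which RFC 1918 Section 5 says SHOULD NOT happen.
    """
    return [r for r in records if r[1] == "A" and is_private_rfc1918(r[2])]


def split_zone(records):
    """Build the two views RFC 1918 describes from one set of master data.

    The internal view is the full data set. The public view is the same
    data with RFC 1918 A records filtered out; a host that has only
    private addresses therefore disappears from the public view entirely.
    """
    internal = list(records)
    public = [r for r in records if r not in find_private_addresses(records)]
    return internal, public


def render_zone(records):
    """Render records back into the simplified master-file format."""
    return "\n".join("%s IN %s %s" % r for r in records) + "\n"


if __name__ == "__main__":
    master = parse_zone(SAMPLE_ZONE)
    internal_view, public_view = split_zone(master)
    print("internal view:\n" + render_zone(internal_view))
    print("public view:\n" + render_zone(public_view))
    print("private leaks in public view:", find_private_addresses(public_view))
```

Running the module prints both views; the public view keeps the 203.0.113.0/24 A records and the MX record but drops the three RFC 1918 addresses. `find_private_addresses` is the check to run against whatever the public server actually serves, since consistency between the two views only holds if the filtered copy is regenerated every time the master data changes.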