From: Doug Barton
Organization: http://www.FreeBSD.org/
Date: Thu, 24 Aug 2006 11:55:15 -0700
To: Brooks Davis
Cc: freebsd-net@freebsd.org, Pat Lashley, Fredrik Lindberg
Subject: Re: Zeroconfig and Multicast DNS
Message-ID: <44EDF613.8080605@FreeBSD.org>
In-Reply-To: <20060824184228.GC37561@lor.one-eyed-alien.net>

Brooks Davis wrote:
> On Thu, Aug 24, 2006 at 08:33:58PM +0200, Fredrik Lindberg wrote:
>> The nsswitch.conf should IMHO be :files dns mdns, and the mdns nss
>> module should ship with a default to only allow queries to
>> .local
>> .168.254.in-addr.arpa
>> .168.192.in-addr.arpa
>> .16.172.in-addr.arpa-31.172.in-addr.arpa
>> .10.in-addr.arpa
>>
>> And whatever set of IPs that are assigned as link/site-local for IPv6,
>> I don't remember them at the moment.
>> However it should be possible for a user to add whatever TLD he/she
>> wants or disable the restriction altogether. But the default should
>> be restricted to prevent name spoofs.
>
> Agreed. In most environments a spoof will still be possible, but it
> would be harder and would require traffic that is detectable by a good
> IDS.

Me too. :)

The chief objection to mDNS (and other p2p types of dns services) is the
possibility of making it easier to hijack "real" websites. I do not object
(off hand) to a mechanism to define additional hostnames to announce other
than your own, but I think that we should do something like unconditionally
append .local to them to make sure that we're not creating a bigger problem
than we're solving.

Doug

-- 
This .signature sanitized for your protection
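The policy discussed in this message, written out as an added example (it is not code from the thread, from FreeBSD, or from any shipping mDNS NSS module): an allow-list of the suffixes an mDNS source may answer for, the "files dns mdns" lookup order, and the unconditional ".local" suffix on announced names. The reverse zones are derived from CIDR ranges rather than typed by hand, which handles 172.16.0.0/12 spanning sixteen in-addr.arpa zones and fe80::/10 spanning four ip6.arpa zones. The choice of networks (RFC 1918, IPv4 link-local 169.254/16, IPv6 link-local fe80::/10, the deprecated site-local fec0::/10 and RFC 4193 ULA fc00::/7), the helper names and the sample records are assumptions made for the example.

```python
"""
Allow-list for the names an mDNS NSS source may resolve, plus the
'files dns mdns' lookup order from the thread. Added example; not code from
FreeBSD, the thread, or any shipping mDNS/NSS implementation. Function names,
network choices and sample records are assumptions for illustration.
"""
import ipaddress

# Ranges whose reverse zones are handed to mDNS by default (assumption):
# RFC 1918 private space, IPv4 link-local (RFC 3927), IPv6 link-local,
# the site-local range deprecated by RFC 3879, and RFC 4193 ULA.
DEFAULT_MDNS_NETWORKS = (
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "169.254.0.0/16",
    "fe80::/10",
    "fec0::/10",
    "fc00::/7",
)


def reverse_zones(cidr):
    """Return the in-addr.arpa / ip6.arpa zones that exactly cover `cidr`.

    A prefix not aligned to an octet (IPv4) or nibble (IPv6) boundary is
    split into the aligned subnets it contains, so 172.16.0.0/12 yields the
    sixteen zones 16.172.in-addr.arpa ... 31.172.in-addr.arpa and fe80::/10
    yields 8.e.f.ip6.arpa ... b.e.f.ip6.arpa.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    unit, suffix = (8, "in-addr.arpa") if net.version == 4 else (4, "ip6.arpa")
    aligned = -(-net.prefixlen // unit) * unit  # round up to a label boundary
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        if sub.version == 4:
            labels = [str(b) for b in sub.network_address.packed[: aligned // 8]]
        else:
            nibbles = sub.network_address.exploded.replace(":", "")
            labels = list(nibbles[: aligned // 4])
        zones.append(".".join(reversed(labels)) + "." + suffix)
    return zones


def default_allow_list(tlds=("local",), networks=DEFAULT_MDNS_NETWORKS):
    """Suffixes the mDNS source answers for unless the admin widens the list."""
    suffixes = [t.strip(".").lower() for t in tlds]
    for cidr in networks:
        suffixes.extend(reverse_zones(cidr))
    return tuple(suffixes)


def allowed_for_mdns(qname, allow_list):
    """True if `qname` lies strictly beneath an allowed suffix.

    allow_list=None models 'disable the restriction altogether'.
    """
    if allow_list is None:
        return True
    labels = qname.rstrip(".").lower().split(".")
    for suffix in allow_list:
        s = suffix.split(".")
        if len(labels) > len(s) and labels[-len(s):] == s:
            return True
    return False


def qualify_announcement(name):
    """Force an announced name under .local, so announcing 'www.example.com'
    publishes 'www.example.com.local' and cannot shadow the real site."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-1] != "local":
        labels.append("local")
    return ".".join(labels)


def lookup(qname, files, dns, mdns, allow_list):
    """Resolve in 'hosts: files dns mdns' order. The three dicts stand in for
    the real sources (constructed); mDNS is consulted only for allowed names."""
    qname = qname.rstrip(".").lower()
    if qname in files:
        return ("files", files[qname])
    if qname in dns:
        return ("dns", dns[qname])
    if allowed_for_mdns(qname, allow_list) and qname in mdns:
        return ("mdns", mdns[qname])
    return (None, None)


if __name__ == "__main__":
    allow = default_allow_list()
    # Constructed records: a peer on the LAN answers for a public site over mDNS.
    mdns = {"www.example.com": "192.168.0.66", "printer.local": "192.168.0.20"}
    print(lookup("printer.local", {}, {}, mdns, allow))      # served by mdns
    print(lookup("www.example.com", {}, {}, mdns, allow))    # refused: not under .local
    print(lookup("www.example.com", {}, {}, mdns, None))     # restriction disabled: spoofed
    print(qualify_announcement("www.example.com"))           # www.example.com.local
```

With DNS unreachable and the default list in force, the spoofed "www.example.com" record never reaches the resolver; with the restriction disabled it is returned as if authoritative, which is the hijack the message describes. Announcements are forced under .local, so the worst an extra announced name can do is occupy a .local name.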