From owner-freebsd-net@FreeBSD.ORG Thu Aug 24 22:05:46 2006
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 562FA16A4DA for ; Thu, 24 Aug 2006 22:05:46 +0000 (UTC) (envelope-from cswiger@mac.com)
Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.177]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB06C43D64 for ; Thu, 24 Aug 2006 22:05:37 +0000 (GMT) (envelope-from cswiger@mac.com)
Received: from mac.com (smtpin03-en2 [10.13.10.148]) by smtpout.mac.com (Xserve/8.12.11/smtpout07/MantshX 4.0) with ESMTP id k7OM5WBx016640; Thu, 24 Aug 2006 15:05:32 -0700 (PDT)
Received: from [17.214.14.142] (a17-214-14-142.apple.com [17.214.14.142]) (authenticated bits=0) by mac.com (Xserve/smtpin03/MantshX 4.0) with ESMTP id k7OM5Pc0016085; Thu, 24 Aug 2006 15:05:30 -0700 (PDT)
In-Reply-To: <44EE1E48.6000006@shapeshifter.se>
References: <44EE1E48.6000006@shapeshifter.se>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Content-Transfer-Encoding: 7bit
From: Chuck Swiger
Date: Thu, 24 Aug 2006 15:05:24 -0700
To: Fredrik Lindberg
X-Mailer: Apple Mail (2.752.2)
Cc: freebsd-net@freebsd.org
Subject: Re: Zeroconfig and Multicast DNS
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 24 Aug 2006 22:05:46 -0000

On Aug 24, 2006, at 2:46 PM, Fredrik Lindberg wrote:

>>> The nsswitch.conf should IMHO be :files dns mdns,
>>> and the mdns nss module should ship with a default to only allow
>>> queries to
>>>   .local
>>>   .168.254.in-addr.arpa
>>
>> I think you meant .254.168.in-addr.arpa here.
>
> Actually .254.169.in-addr.arpa :)

Queries to 254.169.in-addr.arpa MUST return NXDOMAIN (or RCODE 3, to
choose a non-BIND-specific term).  See RFC-3927, section 1.4:

   To preclude use of IPv4 Link-Local addresses in off-link
   communication, the following cautionary measures are advised:

   a. IPv4 Link-Local addresses MUST NOT be configured in the DNS.
      Mapping from IPv4 addresses to host names is conventionally done
      by issuing DNS queries for names of the form,
      "x.x.x.x.in-addr.arpa."  When used for link-local addresses,
      which have significance only on the local link, it is
      inappropriate to send such DNS queries beyond the local link.
      DNS clients MUST NOT send DNS queries for any name that falls
      within the "254.169.in-addr.arpa." domain.  DNS recursive name
      servers receiving queries from non-compliant clients for names
      within the "254.169.in-addr.arpa." domain MUST by default return
      RCODE 3, authoritatively asserting that no such name exists in
      the Domain Name System.

   b. Names that are globally resolvable to routable addresses should
      be used within applications whenever they are available.  Names
      that are resolvable only on the local link (such as through use
      of protocols such as Link Local Multicast Name Resolution
      [LLMNR]) MUST NOT be used in off-link communication.  IPv4
      addresses and names that can only be resolved on the local link
      SHOULD NOT be forwarded beyond the local link.  IPv4 Link-Local
      addresses SHOULD only be sent when a Link-Local address is used
      as the source and/or destination address.

   This strong advice should hinder limited scope addresses and names
   from leaving the context in which they apply.

-- 
-Chuck
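The two rules discussed in this message, the RFC 3927 section 1.4 requirement that queries under 254.169.in-addr.arpa never leave the link and get RCODE 3 from a recursive server, and the proposed default of scoping an mdns NSS module to .local and the link-local reverse zone, modelled in a small Python example. This is added example code, not code from the thread, from FreeBSD, or from any mdns NSS module; the function names, the label-wise zone test, and the hosts tables used for the lookups are constructed for the example.

```python
"""Added example (not from the mailing-list thread or from FreeBSD): a model
of the RFC 3927 section 1.4 resolver/client rules and of an mdns NSS module
scoped to .local and 254.169.in-addr.arpa.  All names, tables and helper
functions here are constructed for illustration."""
import ipaddress

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3          # RFC 1035 "Name Error"; RFC 3927 calls it RCODE 3

LINKLOCAL_REVERSE = "254.169.in-addr.arpa"
LINKLOCAL_NET = ipaddress.ip_network("169.254.0.0/16")


def labels(name):
    """Split a DNS name into lowercase labels; trailing dot and empty labels are ignored."""
    return tuple(l.lower() for l in name.rstrip(".").split(".") if l)


def in_zone(name, zone):
    """True if name is the zone itself or a subdomain of it.
    The comparison is label-wise, so a name such as 'x254.169.in-addr.arpa'
    (a different label, not a subdomain) does not match."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def reverse_name_to_ipv4(name):
    """'4.3.2.1.in-addr.arpa' -> IPv4Address('1.2.3.4'); None if malformed."""
    n = labels(name)
    if len(n) != 6 or n[4:] != ("in-addr", "arpa"):
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(n[:4])))
    except ipaddress.AddressValueError:
        return None


def recursive_server_answer(qname, upstream):
    """RFC 3927 1.4(a), server side: a recursive server MUST answer RCODE 3
    for any name under 254.169.in-addr.arpa instead of resolving it.
    Everything else is handed to `upstream`, a callable returning (rcode, data)."""
    if in_zone(qname, LINKLOCAL_REVERSE):
        return RCODE_NXDOMAIN, None
    return upstream(qname)


def client_may_send_to_dns(qname):
    """RFC 3927 1.4(a), client side: a DNS client MUST NOT send queries for
    names under 254.169.in-addr.arpa to unicast DNS at all."""
    return not in_zone(qname, LINKLOCAL_REVERSE)


def mdns_module_accepts(qname):
    """The proposed default for the mdns NSS module: only .local and the
    link-local reverse zone are ever looked up via multicast DNS."""
    return in_zone(qname, "local") or in_zone(qname, LINKLOCAL_REVERSE)


def nss_lookup(qname, files, dns, mdns):
    """Model of the proposed 'files dns mdns' order.  Each source is a dict of
    lowercase name -> answer standing in for that backend.  Returns
    (source, answer) or (None, None).  A name under 254.169.in-addr.arpa
    never reaches the unicast DNS source, whatever its position in the order,
    and a global name never reaches the mdns source."""
    key = ".".join(labels(qname))
    if key in files:
        return "files", files[key]
    if client_may_send_to_dns(qname) and key in dns:
        return "dns", dns[key]
    if mdns_module_accepts(qname) and key in mdns:
        return "mdns", mdns[key]
    return None, None


if __name__ == "__main__":
    # Constructed sample queries: one link-local reverse lookup, one .local
    # forward lookup, one global name that the mdns module must not touch.
    dns_table = {"1.0.254.169.in-addr.arpa": "leaked-answer.example"}
    mdns_table = {"1.0.254.169.in-addr.arpa": "printer.local",
                  "printer.local": "169.254.0.1",
                  "www.example.com": "bogus-multicast-answer"}
    for q in ("1.0.254.169.in-addr.arpa", "printer.local", "www.example.com"):
        print(q, "->", nss_lookup(q, {}, dns_table, mdns_table))
    addr = reverse_name_to_ipv4("1.0.254.169.in-addr.arpa")
    print(addr, "is link-local:", addr in LINKLOCAL_NET)
```

The label-wise `in_zone` test is the part worth copying: a substring or suffix check on the string would accept `x254.169.in-addr.arpa`, which is not in the zone, and would let such a query through the filter.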