From owner-freebsd-net Sun Sep 22 21:52:48 2002 Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DE74937B401 for ; Sun, 22 Sep 2002 21:52:47 -0700 (PDT) Received: from coconut.itojun.org (coconut.itojun.org [219.101.47.130]) by mx1.FreeBSD.org (Postfix) with ESMTP id 341D543E3B for ; Sun, 22 Sep 2002 21:52:47 -0700 (PDT) (envelope-from itojun@itojun.org) Received: from itojun.org (localhost [127.0.0.1]) by coconut.itojun.org (Postfix) with ESMTP id 9EBE34B28; Mon, 23 Sep 2002 13:52:45 +0900 (JST) To: JINMEI Tatuya / =?ISO-2022-JP?B?GyRCP0BMQEMjOkgbKEI=?= Cc: Lista , "(Lista) bind9-users@isc.org" In-reply-to: jinmei's message of Mon, 23 Sep 2002 13:28:48 +0900. X-Template-Reply-To: itojun@itojun.org X-Template-Return-Receipt-To: itojun@itojun.org X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2 Subject: Re: RES_INSECURE and CHECK_SRVR_ADDR in resolver functions (IPv6 anycast response problem) Date: Mon, 23 Sep 2002 13:52:45 +0900 From: Jun-ichiro itojun Hagino Message-Id: <20020923045245.9EBE34B28@coconut.itojun.org> Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >>> Yes, and I know why the restriction is in RFC 1884 and it >>> is a reasonable restriction. >> I don't think so, IP source address is easy to forge and it does not >> add any meaning protection. DNSSEC is the only way if you want trusted >> responsees. therefore, i agree with enabling RES_INSECURE1 by default. > >Please let me check. Mark said the restriction was reasonable, and he >didn't say checking the source address of a DNS response provide >better security. In my understanding his main opinion is effects and >compatibility against existing applications. correct. i've quoted the wrong portion. itojun To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message