Date: Mon, 23 Sep 2002 13:52:45 +0900
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
To: JINMEI Tatuya / =?ISO-2022-JP?B?GyRCP0BMQEMjOkgbKEI=?= <jinmei@isl.rdc.toshiba.co.jp>
Cc: Lista <freebsd-net@FreeBSD.ORG>, "(Lista) bind9-users@isc.org" <bind9-users@isc.org>
Subject: Re: RES_INSECURE and CHECK_SRVR_ADDR in resolver functions (IPv6 anycast response problem)
Message-ID: <20020923045245.9EBE34B28@coconut.itojun.org>
In-Reply-To: jinmei's message of Mon, 23 Sep 2002 13:28:48 +0900. <y7vheghcosf.wl@ocean.jinmei.org>

>>> Yes, and I know why the restriction is in RFC 1884 and it
>>> is a reasonable restriction.
>> I don't think so, IP source address is easy to forge and it does not
>> add any meaning protection. DNSSEC is the only way if you want trusted
>> responses. therefore, i agree with enabling RES_INSECURE1 by default.
>
>Please let me check. Mark said the restriction was reasonable, and he
>didn't say checking the source address of a DNS response provides
>better security. In my understanding his main opinion is effects and
>compatibility against existing applications.

correct. i've quoted the wrong portion.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message