> >     Yes, and I know why the restriction is in RFC 1884 and it
> >     is a reasonable restriction.
>       I don't think so,

        Are you saying we should source packets from the anycast address?
        If not you should quote better.

>       IP source address is easy to forge and it does not
>       add any meaning protection.  DNSSEC is the only way if you want trusted
>       responses.  Therefore, I agree with enabling RES_INSECURE1 by default.
> itojun

        Source addresses can be used to separate multiple queries with the
        same query id.  While the stub resolver rarely needs to do this,
        a nameserver will do this all the time.  Enabling RES_INSECURE1
        just hides the real problem that IPv6 anycast is broken,
        encourages broken nameserver implementations and leaves you with
        the situation where the tools using stub resolver "work" but
        the nameserver doesn't.

Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
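
Added example, not part of the original message and not code from any resolver or nameserver: a small model of matching a reply to an outstanding query, with and without the source address check discussed in this thread. The table contents, the function name match_reply and the check_source flag (0 models matching on query id only) are assumptions made for illustration; the addresses are constructed from the 2001:db8::/32 documentation prefix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* One outstanding query: the server it was sent to and its DNS query id. */
struct pending {
    const char *server;   /* address the query was sent to */
    uint16_t    id;       /* DNS query id */
    const char *qname;
};

/* Constructed sample: two queries in flight that happen to share an id. */
static const struct pending table[] = {
    { "2001:db8::1", 0x1a2b, "a.example" },
    { "2001:db8::2", 0x1a2b, "b.example" },
};
#define NPENDING (sizeof table / sizeof table[0])

/* Returns the index of the pending query a reply belongs to,
 * -1 if nothing matches, -2 if more than one query matches.
 * check_source != 0: match on (source address, id).
 * check_source == 0: match on id alone (source check disabled). */
int match_reply(const char *src, uint16_t id, int check_source)
{
    struct in6_addr from, sent_to;
    int hit = -1;
    size_t i;

    if (inet_pton(AF_INET6, src, &from) != 1)
        return -1;
    for (i = 0; i < NPENDING; i++) {
        if (table[i].id != id)
            continue;
        inet_pton(AF_INET6, table[i].server, &sent_to);
        if (check_source && memcmp(&from, &sent_to, sizeof from) != 0)
            continue;
        if (hit >= 0)
            return -2;            /* id alone cannot tell the queries apart */
        hit = (int)i;
    }
    return hit;
}

int main(void)
{
    printf("source check on:  %d\n", match_reply("2001:db8::2", 0x1a2b, 1));
    printf("source check off: %d\n", match_reply("2001:db8::2", 0x1a2b, 0));
    return 0;
}
```

With the source check on, a reply arriving from an address other than the one queried (the anycast case) matches nothing; with it off, the same reply is accepted but cannot be tied to a single query.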
