Brooks Davis wrote:
> On Thu, Aug 24, 2006 at 08:33:58PM +0200, Fredrik Lindberg wrote:
>> The nsswitch.conf should IMHO be: files dns mdns, and the mdns nss
>> module should ship with a default to only allow queries to
>>   .local
>>   .168.254.in-addr.arpa
>>   .168.192.in-addr.arpa
>>   .16.172.in-addr.arpa - .31.172.in-addr.arpa
>>   .10.in-addr.arpa
>>
>> And whatever set of IPs that are assigned as link/site-local for IPv6,
>> I don't remember them at the moment.
>> However it should be possible for a user to add whatever TLD he/she
>> wants or disable the restriction altogether. But the default should
>> be restricted to prevent name spoofs.
>
> Agreed. In most environments a spoof will still be possible, but it
> would be harder and would require traffic that is detectable by a good
> IDS.

Me too. :)

The chief objection to mDNS (and other p2p types of dns services) is the
possibility of making it easier to hijack "real" websites. I do not object
(off hand) to a mechanism to define additional hostnames to announce other
than your own, but I think that we should do something like unconditionally
append .local to them to make sure that we're not creating a bigger problem
than we're solving.

Doug

--
This .signature sanitized for your protection

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
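As an added example (not code from this thread or from any nss_mdns module), here is a C sketch of the two policies the thread discusses: a default suffix allowlist so that an mDNS NSS backend only answers for .local and for the reverse zones of RFC 1918 and link-local space, and Doug's rule of unconditionally forcing any extra announced hostname under .local. The zone spellings are my assumptions: 172.16/12 expands to 16.172 through 31.172.in-addr.arpa, the IPv4 link-local reverse zone is 254.169.in-addr.arpa (169.254/16), and the IPv6 entries cover only fe80::/10.

```c
/*
 * Added example: default query allowlist and name normaliser for an
 * mDNS NSS backend. Not taken from any real nss_mdns implementation.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* True if name equals suffix or ends with "." + suffix, ignoring case
 * and an optional trailing FQDN dot. The check is label-aligned, so
 * "notlocal" does not match "local". */
static bool has_suffix(const char *name, const char *suffix)
{
    size_t nlen = strlen(name), slen = strlen(suffix);

    if (nlen > 0 && name[nlen - 1] == '.')
        nlen--;                               /* drop trailing dot */
    if (nlen < slen)
        return false;
    if (nlen > slen && name[nlen - slen - 1] != '.')
        return false;                         /* not on a label boundary */
    return strncasecmp(name + nlen - slen, suffix, slen) == 0;
}

/* Default policy: which names may be sent to multicast at all.
 * Anything else (e.g. a public web site) is never consulted via mDNS,
 * so a rogue responder on the LAN cannot answer for it. */
bool mdns_query_allowed(const char *name)
{
    /* Assumed zone list: .local, RFC 1918 reverse zones, link-local. */
    static const char *const fixed[] = {
        "local",
        "10.in-addr.arpa",         /* 10.0.0.0/8 */
        "168.192.in-addr.arpa",    /* 192.168.0.0/16 */
        "254.169.in-addr.arpa",    /* 169.254.0.0/16, IPv4 link-local */
        "8.e.f.ip6.arpa",          /* fe80::/10 spans fe80..febf, */
        "9.e.f.ip6.arpa",          /* i.e. four /12 reverse zones   */
        "a.e.f.ip6.arpa",
        "b.e.f.ip6.arpa",
    };
    size_t i;

    for (i = 0; i < sizeof fixed / sizeof fixed[0]; i++)
        if (has_suffix(name, fixed[i]))
            return true;

    /* 172.16.0.0/12: second octet 16..31 */
    for (int octet = 16; octet <= 31; octet++) {
        char zone[32];
        snprintf(zone, sizeof zone, "%d.172.in-addr.arpa", octet);
        if (has_suffix(name, zone))
            return true;
    }
    return false;
}

/* Doug's suggestion: any additional hostname a host announces is forced
 * under .local so it can never shadow a name in the real DNS tree.
 * Copies the result into out; returns out, or NULL if it would not fit. */
char *mdns_force_local(const char *name, char *out, size_t outlen)
{
    size_t n = strlen(name);

    while (n > 0 && name[n - 1] == '.')
        n--;                                  /* strip trailing dots */
    if (n + 1 > outlen)
        return NULL;
    memcpy(out, name, n);
    out[n] = '\0';
    if (has_suffix(out, "local"))
        return out;                           /* already under .local */
    if (n + sizeof ".local" > outlen)         /* sizeof includes the NUL */
        return NULL;
    memcpy(out + n, ".local", sizeof ".local");
    return out;
}

int main(void)
{
    /* Constructed sample names, not real hosts. */
    const char *samples[] = { "printer.local", "www.example.com",
                              "1.0.168.192.in-addr.arpa", "notlocal" };
    char buf[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s mdns:%s announce-as:%s\n", samples[i],
               mdns_query_allowed(samples[i]) ? "yes" : "no ",
               mdns_force_local(samples[i], buf, sizeof buf));
    return 0;
}
```

The allowlist is the part that addresses the hijacking concern: a lookup for a public name fails the suffix test and is never multicast, so a spoofed reply is never even received by the resolver. Reading the list from a configuration file so that a user can extend or disable it, as Fredrik suggests, is left out here.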