New ZeroConf Spec

Micah J. Cowan micah at cowan.name
Sun Jul 23 03:51:05 BST 2006


On Sat, Jul 22, 2006 at 03:43:21PM -0700, Dan Kegel wrote:
> On 7/22/06, Andrew Jorgensen <andrew.jorgensen at gmail.com> wrote:
> > > Exactly my point: Avahi over SSL with some keys-based security layer
> > > would make me feel a lot more comfortable.
> > ...
> > Some kind of shared key might be nice if you wanted a little extra
> > security but when you start talking about that you're really talking
> > about redesigning mDNS so that it's something other than what it is.
> 
> Not if you use IPsec to do the security.
> 
> > That discussion doesn't belong here and doesn't help figure out what
> > to do for Edgy.
> 
> It bloody well does.  If turning on IPsec is (part of) the only way to make
> mDNS safe, then we should either discuss how to do the needed
> IPsec setup painlessly, or we should not deploy mDNS.

I can't remember if I ended up sending that email or not, but if I did,
I'll repeat myself... the mDNS spec itself /specifically/ recommends
(insists, actually) that you use either IPsec or DNSSEC if you plan to
use it on a network where not all the computers are "friendlies",
implicitly trusted.

mDNS is intended for LANs. If you're using it on a trusted LAN, you can
feel free not to set up IPsec. If you're using it on anything else, it's
the smart thing to do, even if it does mean setting up one configuration
detail.

-- 
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
http://micah.cowan.name/



More information about the ubuntu-devel mailing list