New ZeroConf Spec

Scott Dier dieman at ringworld.org
Thu Jul 27 22:45:47 BST 2006


David Balazic wrote:
> Dick Davies wrote :
> 
>  > On 27/07/06, David Balazic <david.balazic at hermes.si> wrote:
>  >
>  > > Is it possible at all to forge an IP for a hostname over mDNS ?
>  > >
>  > >  Like www.ubuntu.com -> 10.2.3.4 ?
>  >
>  > No. But the fact you've used the word 'forge' makes me think you're
>  > not getting the whole mDNS idea.
> 
> No, I just wanted to clarify, whether the fear, that
> mDNS installed could "falsify" host addresses is based on
> fact or fiction.
> Seems the latter, based on answers posted.

Well, if someone goes off and puts in .local as one of the searchable 
domains, imagine if a nameserver didn't respond for www.ubuntu.com, but 
an mdns responder responded for www.ubuntu.com.local? (is this possible?)

Can a similar thing happen for www.local?  ie: someone just puts in www 
and ends up with some random webserver a party configured its name as www?

http://0pointer.de/lennart/projects/nss-mdns/#documentation
---
libnss_mdns{4,6,}_minimal.so (new in version 0.8) is mostly identical to 
the versions without _minimal. However, they differ in one way. The 
minimal versions will always deny to resolve host names that don't end 
in .local or addresses that aren't in the range 169.254.x.x (the range 
used by IPV4LL/APIPA/RFC3927.) Combining the _minimal and the normal NSS 
modules allows us to make mDNS authoritative for Zeroconf host names and 
addresses (and thus creating no extra burden on DNS servers with always 
failing requests) and use it as fallback for everything else.
---

I wouldn't feel too bad about *only* using the minimal module if it were 
adjusted to only allow .local and addresses for locally routable 
networks (ie, no gateway required based on routes).  I don't think 
allowing mdns to respond with anything but .local addresses is prudent. 
(if it were to be included at all)

There isn't a good way to tell if your dns server is misconfigured, 
missing, down, out to lunch, not resolving correctly, etc that allowing 
mdns as the fallback is not a good idea.

-- 
Scott Dier <dieman at ringworld.org>
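
An added example, not part of the original message or of nss-mdns: a small audit that reads an nsswitch.conf hosts line and a resolv.conf search list and flags the two configurations discussed above, a non-minimal mdns module in the lookup chain and .local in the search domains. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the thread).
SAMPLE_NSSWITCH = "passwd: compat\nhosts: files mdns4_minimal [NOTFOUND=return] dns mdns4\n"
SAMPLE_RESOLV = "nameserver 192.0.2.53\nsearch example.com local\n"

# nss-mdns service names: mdns, mdns4, mdns6, each with an optional _minimal suffix.
MDNS_RE = re.compile(r"^mdns[46]?(_minimal)?$")

def _lines(text):
    """Yield non-empty lines with '#' / ';' comments removed."""
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            yield line

def hosts_services(nsswitch_text):
    """Return the service names on the hosts: line, dropping [STATUS=action] items."""
    for line in _lines(nsswitch_text):
        if line.startswith("hosts:"):
            return re.sub(r"\[[^\]]*\]", " ", line[len("hosts:"):]).split()
    return []

def search_domains(resolv_text):
    """Return the domains from the last search/domain line (the last one wins)."""
    domains = []
    for line in _lines(resolv_text):
        fields = line.split()
        if fields[0] in ("search", "domain"):
            domains = [d.rstrip(".").lower() for d in fields[1:]]
    return domains

def audit(nsswitch_text, resolv_text):
    """List findings for the two configurations raised in the message."""
    findings = []
    for svc in hosts_services(nsswitch_text):
        m = MDNS_RE.match(svc)
        if m and not m.group(1):
            # Only the _minimal modules refuse names that do not end in .local.
            findings.append(f"hosts: {svc} is not a _minimal module")
    for d in search_domains(resolv_text):
        if d == "local" or d.endswith(".local"):
            findings.append(f"search: '{d}' is in the resolver search list")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_NSSWITCH, SAMPLE_RESOLV):
        print(finding)
```
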