New ZeroConf Spec
Scott Dier
dieman at ringworld.org
Thu Jul 27 22:45:47 BST 2006
David Balazic wrote:
> Dick Davies wrote:
>
> > On 27/07/06, David Balazic <david.balazic at hermes.si> wrote:
> >
> > > Is it possible at all to forge an IP for a hostname over mDNS ?
> > >
> > > Like www.ubuntu.com -> 10.2.3.4 ?
> >
> > No. But the fact you've used the word 'forge' makes me think you're
> > not getting the whole mDNS idea.
>
> No, I just wanted to clarify, whether the fear, that
> mDNS installed could "falsify" host addresses is based on
> fact or fiction.
> Seems the latter, based on answers posted.
Well, if someone goes off and puts in .local as one of the searchable
domains, imagine if a nameserver didn't respond for www.ubuntu.com, but
an mDNS responder responded for www.ubuntu.com.local? (Is this possible?)
Can a similar thing happen for www.local? i.e., someone just puts in www
and ends up with some random webserver that some party configured with the name www?
http://0pointer.de/lennart/projects/nss-mdns/#documentation
---
libnss_mdns{4,6,}_minimal.so (new in version 0.8) is mostly identical to
the versions without _minimal. However, they differ in one way. The
minimal versions will always deny to resolve host names that don't end
in .local or addresses that aren't in the range 169.254.x.x (the range
used by IPV4LL/APIPA/RFC3927.) Combining the _minimal and the normal NSS
modules allows us to make mDNS authoritative for Zeroconf host names and
addresses (and thus creating no extra burden on DNS servers with always
failing requests) and use it as fallback for everything else.
---
I wouldn't feel too bad about *only* using the minimal module if it were
adjusted to only allow .local and addresses for locally routable
networks (i.e., no gateway required, based on routes). I don't think
allowing mDNS to respond with anything but .local addresses is prudent
(if it were to be included at all).
There isn't a good way to tell if your DNS server is misconfigured,
missing, down, out to lunch, not resolving correctly, etc., so allowing
mDNS as the fallback is not a good idea.
--
Scott Dier <dieman at ringworld.org>
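The three scenarios argued over above (a Zeroconf name, a forged answer for a public hostname while DNS is down, and a LAN host that calls itself "www") can be walked through with a small model of the NSS "hosts" lookup chain. This is an added example, not code from nss-mdns, glibc or the thread; it models the documented _minimal policy (only names ending in .local, only 169.254/16 answers) and the `[NOTFOUND=return]` action from nsswitch.conf, with constructed mDNS and DNS answer tables standing in for a rogue responder and a real nameserver. Two modelling assumptions are marked in the code: a disallowed name makes the minimal source return "unavail" rather than "notfound", and names are taken exactly as an application hands them to NSS (glibc's resolver library applies the resolv.conf search list inside the dns source, so neither mDNS module ever sees something like www.ubuntu.com.local).

```python
"""Model of the NSS hosts lookup chain discussed in the thread (constructed example)."""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # IPv4LL / RFC 3927 range

# Constructed data. The mDNS table is what a responder on the LAN claims;
# the non-.local and non-169.254 entries stand in for a misbehaving or
# malicious responder. The DNS table uses a TEST-NET-3 address.
MDNS_ANSWERS = {
    "printer.local": "169.254.10.7",   # an ordinary Zeroconf host
    "www.local": "192.168.1.50",       # a LAN host that named itself "www"
    "www.ubuntu.com": "10.2.3.4",      # the forged answer from the thread
}
DNS_ANSWERS = {"www.ubuntu.com": "203.0.113.10"}


def mdns_source(name, minimal):
    """An nss-mdns style source. Returns (status, addr), status in
    {"success", "notfound", "unavail"}.

    With minimal=True the _minimal policy quoted in the thread applies:
    the name must end in .local and the answer must lie in 169.254/16.
    Assumption of this model: a name that is not allowed at all yields
    "unavail", so that [NOTFOUND=return] does not end the chain for
    ordinary (non-.local) names; an allowed name with no acceptable
    answer yields "notfound".
    """
    if minimal and not name.endswith(".local"):
        return "unavail", None
    addr = MDNS_ANSWERS.get(name)
    if addr is None:
        return "notfound", None
    if minimal and ipaddress.ip_address(addr) not in LINK_LOCAL:
        return "notfound", None  # answer outside 169.254/16 is dropped
    return "success", addr


def dns_source(name, dns_up):
    """Unicast DNS. A server that is down or out to lunch is 'unavail'."""
    if not dns_up:
        return "unavail", None
    addr = DNS_ANSWERS.get(name)
    return ("success", addr) if addr else ("notfound", None)


def resolve(name, order, dns_up=True):
    """Walk the NSS `order` for `name`.

    `order` is a list of (source, stop_on_notfound) pairs; the boolean is
    the [NOTFOUND=return] action attached to that source in nsswitch.conf.
    """
    for source, stop_on_notfound in order:
        if source == "dns":
            status, addr = dns_source(name, dns_up)
        elif source == "mdns_minimal":
            status, addr = mdns_source(name, minimal=True)
        elif source == "mdns":
            status, addr = mdns_source(name, minimal=False)
        else:
            raise ValueError(f"unknown NSS source {source!r}")
        if status == "success":
            return addr
        if status == "notfound" and stop_on_notfound:
            return None  # [NOTFOUND=return]: do not fall through
    return None


# hosts: mdns4_minimal [NOTFOUND=return] dns          (minimal module only)
MINIMAL_ONLY = [("mdns_minimal", True), ("dns", False)]
# hosts: mdns4_minimal [NOTFOUND=return] dns mdns4    (documented combination)
WITH_FALLBACK = [("mdns_minimal", True), ("dns", False), ("mdns", False)]
# hosts: dns mdns4                                    (no minimal module at all)
PLAIN_FALLBACK = [("dns", False), ("mdns", False)]


def scenarios():
    """Return the outcomes for the cases raised in the thread."""
    return {
        "zeroconf_host": resolve("printer.local", MINIMAL_ONLY),
        "public_name_dns_up": resolve("www.ubuntu.com", MINIMAL_ONLY),
        "public_name_dns_down_minimal": resolve("www.ubuntu.com", MINIMAL_ONLY, dns_up=False),
        "public_name_dns_down_fallback": resolve("www.ubuntu.com", WITH_FALLBACK, dns_up=False),
        "www_local_minimal": resolve("www.local", MINIMAL_ONLY),
        "www_local_with_fallback": resolve("www.local", WITH_FALLBACK),
        "www_local_plain_fallback": resolve("www.local", PLAIN_FALLBACK),
    }


if __name__ == "__main__":
    for case, addr in scenarios().items():
        print(f"{case:32} -> {addr}")
```

Reading the results: the minimal-only layout resolves printer.local, uses DNS for www.ubuntu.com, and fails closed when DNS is down, whereas adding plain mdns4 after dns hands the forged 10.2.3.4 to the application exactly in the case Scott describes (DNS unavailable, nothing to tell you why). The www.local host with a 192.168.1.50 address is refused by the minimal module in both layouts that contain it, because the address filter returns "notfound" and `[NOTFOUND=return]` stops the chain before the unrestricted module gets a turn; only a layout with no minimal module at all accepts it.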