--On 18 November 2007 14:29:48 +0100 Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
* -01 says "TBD: Do we need to talk about stub resolvers? Does this draft apply to them?" I believe that the answer is yes. A typical stub resolver cannot receive unexpected answers (it typically does not listen for ever on the network) but it still can be fooled when listening for a reply. In addition, a typical stub resolver should listen only to the answers coming from the nameservers listed in its configuration (/etc/resolv.conf on Unix) but I'm not sure they all do and, anyway, it is not sufficient: the other countermeasures mentioned in section 9 all apply.

And about this issue? Everybody agrees?
Yes, though I am not sure the "In addition" bit adds anything. Either it means it should only listen to answers with the IP source address of those nameservers (which I am pretty sure is taken care of in the normal rules for any query originating host unless I am missing something), or it means they should somehow be able to determine whether the answers /actually/ come from those nameservers and are thus not spoofed (which is not possible).

Alex

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
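The checks the two messages above are discussing, written out as an added example (this is not code from the draft or from either poster): a stub resolver holding one outstanding query decides whether a UDP datagram is the reply to it. The packet builders, the server address 192.0.2.53, the ephemeral port 40123 and the transaction ID are constructed for the demo. The source address/port test is the "normal rules" part; the port, ID and question-section tests are the section 9 style countermeasures that still have to hold because the source address can be forged.

```python
"""Stub-resolver reply acceptance, as an added example (not the draft's code).
Only the matching logic matters; the message builders are minimal and
uncompressed so the demo runs offline on constructed packets."""
import struct

HEADER_FMT = "!HHHHHH"   # id, flags, qdcount, ancount, nscount, arcount
HEADER_LEN = 12


def encode_name(qname):
    """Wire-format owner name: length-prefixed labels, terminated by a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(txid, qname, qtype=1, qclass=1):
    """Minimal query: header with RD set, one question, no other sections."""
    return (struct.pack(HEADER_FMT, txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, qclass))


def build_answer(txid, qname, ipv4, qtype=1, qclass=1, ttl=300):
    """Response with QR|RD|RA set, the question echoed, and one A record."""
    header = struct.pack(HEADER_FMT, txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    rr = encode_name(qname) + struct.pack("!HHIH", qtype, qclass, ttl, len(rdata)) + rdata
    return header + question + rr


def question_section(msg):
    """Raw bytes of the single question (QNAME + QTYPE + QCLASS), or None."""
    if len(msg) < HEADER_LEN:
        return None
    qdcount = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])[2]
    if qdcount != 1:
        return None
    i = HEADER_LEN
    while i < len(msg):
        length = msg[i]
        if length == 0:
            end = i + 1 + 4
            return msg[HEADER_LEN:end] if end <= len(msg) else None
        if length >= 0xC0:          # compression pointer inside a question: refuse it
            return None
        i += 1 + length
    return None


def accept_reply(pending, src_ip, src_port, dst_port, msg):
    """Decide whether a datagram is the reply to the one outstanding query.

    pending: server -> (ip, port) taken from resolv.conf that the query went to
             lport  -> ephemeral source port the query left from
             txid   -> the 16-bit ID the stub chose
             question -> the question section bytes the stub sent
    Returns (accepted, reason). Every test must pass; none is sufficient alone.
    """
    if (src_ip, src_port) != pending["server"]:
        return False, "source address/port is not the configured server"
    if dst_port != pending["lport"]:
        return False, "reply addressed to a port we did not query from"
    if len(msg) < HEADER_LEN:
        return False, "short message"
    txid, flags = struct.unpack("!HH", msg[:4])
    if not flags & 0x8000:
        return False, "QR bit clear: this is a query, not a response"
    if txid != pending["txid"]:
        return False, "ID mismatch"
    # A conforming server copies the question verbatim, so compare byte for byte.
    if question_section(msg) != pending["question"]:
        return False, "question section does not echo our query"
    return True, "matches outstanding query"


def scenarios():
    """Constructed traffic: one pending query and several candidate replies."""
    query = build_query(0x1234, "www.example.com")
    pending = {"server": ("192.0.2.53", 53), "lport": 40123, "txid": 0x1234,
               "question": question_section(query)}
    good = build_answer(0x1234, "www.example.com", "192.0.2.10")
    return {
        "legit":        accept_reply(pending, "192.0.2.53", 53, 40123, good),
        "wrong_src":    accept_reply(pending, "198.51.100.7", 53, 40123, good),
        "wrong_port":   accept_reply(pending, "192.0.2.53", 53, 40124, good),
        "guessed_id":   accept_reply(pending, "192.0.2.53", 53, 40123,
                                     build_answer(0x1235, "www.example.com", "192.0.2.10")),
        "other_name":   accept_reply(pending, "192.0.2.53", 53, 40123,
                                     build_answer(0x1234, "www.example.net", "192.0.2.10")),
        "echoed_query": accept_reply(pending, "192.0.2.53", 53, 40123, query),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:13s} {'accept' if ok else 'reject'}: {why}")
```

On a real host the first test is usually done by the kernel: a UDP socket that has been connect()ed to the configured nameserver discards datagrams from any other peer, which is what "the normal rules for any query originating host" refers to. That filter stops only an attacker who does not bother to forge the source address; the "wrong_src" case passes every other test, which is why the port, ID and question must also be unpredictable and checked.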