Jason Keirstead wrote:
>On Tuesday 25 January 2005 4:43 pm, Thiago Macieira wrote:
>> Because it was easier to implement it this way. And we're safeguarding
>> ourselves: their DNS servers are buggy, so we won't even try to talk to
>> them. Who knows what other bugs they have...
>
>Safeguarding against what? An improper lookup? We are already returning
>nothing, can't get much more improper than that.

I can't disagree.

Unfortunately for us, DNS is very, very often misconfigured. Nothing
serious on most occasions. Just take a look at the syslog generated by
named under decent traffic. Notice the number of "lame nameserver"
lines it logs.

I consider dropping packets rude. It's as serious as dropping a TCP SYN
packet.

And, as I said, it was easier to implement it this way. When I have time
again, I'll see about adding a second blacklist.

>> Also note that if any program in a network tries an AAAA lookup for a
>> buggy name, it could poison that name for everyone using the same
>> nameserver. There's nothing we can do about it.
>
>Exactly - there is nothing we can do about it. Why should we be
> concerned with their name server software? If it is corrupting their
> AAAA records, that is their problem. But, we can do our best to try to
> resolve the name for the user.

Sorry, I wasn't clear enough. I was referring to another similar but
unrelated bug. I meant that if the AAAA (IPv6) lookup is answered with
NXDOMAIN, the *whole* name will be poisoned. Even for A (IPv4) lookups.

But, since that's a rather serious bug, it appears to have been corrected
in most cases.

The most famous example was bbc.co.uk a few years back.

>> Only if you disable IPv6 completely in your machine.
>
>I don't even have it compiled in my kernel. Never have. Likely never
> will.

I wouldn't be so sure.

> Not replying. But I almost did. :-)

-- 
  Thiago Macieira  -  thiago (AT) macieira (DOT) info
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358

1. On frumscafte, hwonne time_t wæs náht, se scieppend þone circolwyrde
wundorcræftlíge cennede and seo eorðe wæs idel and hit wæs gód.
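
The AAAA/NXDOMAIN poisoning described in the message above, as an added example that is not part of the original mailing-list post: a simplified Python model (no TTLs) of a caching resolver that stores NXDOMAIN per name, plus a check that flags a server answering this way. The zone data and every function and class name are constructed for illustration.

```python
# Added illustration (constructed names and data): toy model of a caching
# resolver's negative cache and of the buggy authoritative answer.
NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

# Constructed zone data: the host has an IPv4 address and no IPv6 address.
ZONE = {("host.example", "A"): ["192.0.2.10"]}

def correct_auth(name, qtype):
    """Name exists but has no AAAA record: NOERROR with an empty answer."""
    exists = any(n == name for n, _ in ZONE)
    return (NOERROR if exists else NXDOMAIN), ZONE.get((name, qtype), [])

def buggy_auth(name, qtype):
    """The bug from the thread: AAAA for an existing name gets NXDOMAIN."""
    if qtype == "AAAA":
        return NXDOMAIN, []
    return correct_auth(name, qtype)

class Cache:
    """NXDOMAIN is stored per name; other answers per (name, type)."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.nxdomain = set()   # names cached as nonexistent, for every type
        self.answers = {}       # (name, qtype) -> records, empty list = NODATA

    def resolve(self, name, qtype):
        if name in self.nxdomain:
            return NXDOMAIN, []
        if (name, qtype) not in self.answers:
            rcode, records = self.upstream(name, qtype)
            if rcode == NXDOMAIN:
                self.nxdomain.add(name)
                return NXDOMAIN, []
            self.answers[(name, qtype)] = records
        return NOERROR, self.answers[(name, qtype)]

def a_lookup_after_aaaa(upstream):
    """One client asks for AAAA, then another asks for A via the same cache."""
    cache = Cache(upstream)
    cache.resolve("host.example", "AAAA")
    return cache.resolve("host.example", "A")

def answers_aaaa_with_nxdomain(upstream, name):
    """Health check: server serves A records but claims NXDOMAIN for AAAA."""
    a_rcode, a_records = upstream(name, "A")
    aaaa_rcode, _ = upstream(name, "AAAA")
    return a_rcode == NOERROR and bool(a_records) and aaaa_rcode == NXDOMAIN
```

With the correct server the A lookup still succeeds after the AAAA query; with the buggy one the cached NXDOMAIN hides the IPv4 address from every client of that cache.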