[email protected] wrote:
> I have to admit one thing I have not really understood is why the level of
> concern here is so deep.
>
> If I now have e.g. a multihomed Linux, often or usually the /etc/resolv.conf
> points to the DNS server address learned most recently via some means (RA,
> DHCPv6). But people are not too worried about what the content of that file
> is? I.e., an attacker could just send a new RA with the DNS server address
> option and cause problems by drawing DNS traffic to that server?
A rogue DHCPv6 server can add entries to that file, but can't delete them.
Thus, it's possible for a bad DHCPv6 server to make life annoying for a
client, but (at least for DNS) it can't prevent the client from eventually
working.

The option (as described in this draft) effectively "deletes" addresses from
the list, by associating each address with a list of domains. Having that
list present for a given server but with no domain match means no query will
be sent to that server (or only "inappropriate" queries sent) -- as though it
were removed.

The shotgun approach you suggested in another reply may well fix that
problem, but isn't in the current draft.

Anyway, I don't seem to be making a great deal of headway, and I've
certainly got other things to do. So, I've said my piece. Drive on.

-- 
James Carlson         42.703N 71.076W         <[email protected]>

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
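To make the "effective deletion" described in the reply above concrete, here is an added example in Python. It is not code from the thread, from the draft under discussion, or from any real resolver: it is a toy model of a client that keeps a list of learned DNS servers and, where a server carries a domain list, sends it only queries for names inside those domains. The addresses (10.0.0.53, 192.0.2.66), the merge behaviour (a later advertisement for a known address replaces that address's domain list, and nothing is ever removed), and the selection rule are assumptions chosen to illustrate the argument, not the draft's actual wording.

```python
"""Toy model of domain-scoped resolver selection (added example, not from
the thread or the draft).  Addresses, merge rule and selection rule are
assumptions for illustration only."""
from dataclasses import dataclass


@dataclass
class ResolverEntry:
    address: str
    domains: tuple = ()   # () = plain resolv.conf-style entry, no domain list


def _in_domain(qname: str, domain: str) -> bool:
    """True if qname is domain itself or a name underneath it."""
    q = qname.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    if d == "":                     # root matches every name
        return True
    return q == d or q.endswith("." + d)


def _label_count(domain: str) -> int:
    d = domain.strip(".")
    return len(d.split(".")) if d else 0


def select_servers(qname: str, entries: list) -> list:
    """Assumed rule: if any entry's domain list covers qname, only the
    entries with the most specific match receive the query.  Entries whose
    domain list does not match receive nothing.  Entries with no domain
    list are used only when no list matched at all."""
    best_len, best = -1, []
    for e in entries:
        for d in e.domains:
            if not _in_domain(qname, d):
                continue
            n = _label_count(d)
            if n > best_len:
                best_len, best = n, [e.address]
            elif n == best_len:
                best.append(e.address)
    if best:
        return best
    return [e.address for e in entries if not e.domains]


def apply_advertisement(entries: list, address: str, domains=()) -> list:
    """Assumed client merge: a newer advertisement for a known address
    replaces that address's domain list; an unknown address is appended.
    Nothing is ever deleted, which is the premise of the reply."""
    for e in entries:
        if e.address == address:
            e.domains = tuple(domains)
            return entries
    entries.append(ResolverEntry(address, tuple(domains)))
    return entries


def resolv_conf_only() -> list:
    """Plain address list: the rogue adds itself, but the legitimate server
    (constructed address 10.0.0.53, learned via DHCPv6) still gets queries."""
    entries = [ResolverEntry("10.0.0.53")]
    apply_advertisement(entries, "192.0.2.66")        # rogue RA adds itself
    return select_servers("www.example.com", entries)


def domain_list_option() -> tuple:
    """Same rogue, but it re-advertises the legitimate address with a domain
    list that no real query will match, then adds itself with no list.
    The legitimate server is never deleted, yet ordinary queries no longer
    reach it: only names under never.invalid do."""
    entries = [ResolverEntry("10.0.0.53")]
    apply_advertisement(entries, "10.0.0.53", ("never.invalid",))
    apply_advertisement(entries, "192.0.2.66")
    return (select_servers("www.example.com", entries),
            select_servers("host.never.invalid", entries))


if __name__ == "__main__":
    print("plain list:", resolv_conf_only())
    print("with domain lists:", domain_list_option())
```

Run stand-alone, the first scenario still lists 10.0.0.53 alongside the rogue address, while the second sends www.example.com only to 192.0.2.66: the legitimate entry is still in the list, but under this selection rule it behaves as though it had been removed for every name outside its (attacker-supplied) domain list.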
