X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;ds=sidebyside;f=INSTALL;h=d8e07592448461b8bf5d4a2af1d909da201b76c3;hb=fb901bf5198d9d29014068dcd8a29c72d90f5eac;hp=2b3338f483ebfc5fb52d918af6bcaafe535da2b6;hpb=d0bed3988cd6205b8e347b963316fac03ef799a9;p=adns.git

diff --git a/INSTALL b/INSTALL
index 2b3338f..d8e0759 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,5 +1,8 @@
 INSTALLATION INSTRUCTIONS for ADNS
 
+1. Read the security note below.
+
+2. Standard GNU package build process:
    $ ./configure
    $ make
    # make install
@@ -29,10 +32,32 @@ perform badly.
 You will probably find that GNU Make is required.
 
 
+SECURITY AND PERFORMANCE - AN IMPORTANT NOTE
+
+adns is not a full-service resolver.  It does no caching of responses
+at all, and has no defence against bad nameservers or fake packets
+which appear to come from your real nameservers.  It relies on the
+full-service resolvers listed in resolv.conf to handle these tasks.
+
+For secure and reasonable operation you MUST run a full-service
+nameserver on the same system as your adns applications, or on the
+same local, fully trusted network.  You MUST only list such
+nameservers in the adns configuration (eg resolv.conf).
+
+You MUST use a firewall or other means to block packets which appear
+to come from these nameservers, but which were actually sent by other,
+untrusted, entities.
+
+Furthermore, adns is not DNSSEC-aware in this version; it doesn't
+understand even how to ask a DNSSEC-aware nameserver to perform the
+DNSSEC cryptographic signature checking.
+
+
 COPYRIGHT
 
 This file, INSTALL, contains installation instructions and other
-details for adns.
+details for adns.  It is
+ Copyright (C) 1997-2000 Ian Jackson <ian@davenant.greenend.org.uk>
 
 adns is
  Copyright (C) 1997-2000 Ian Jackson <ian@davenant.greenend.org.uk>