+ * Fixed infrequent race causing assertion failure in adns__tcp_broken

[adns.git] / INSTALL

diff --git a/INSTALL b/INSTALL
index 2b3338f483ebfc5fb52d918af6bcaafe535da2b6..45bb1e371ed77aea1aae0790c3a6d80ad3ffc927 100644 (file)
--- a/INSTALL
+++ b/INSTALL
@@ -1,5 +1,8 @@
 INSTALLATION INSTRUCTIONS for ADNS
 
+1. Read the security note below.
+
+2. Standard GNU package build process:
    $ ./configure
    $ make
    # make install
@@ -29,6 +32,27 @@ perform badly.
 You will probably find that GNU Make is required.
 
 
+SECURITY AND PERFORMANCE - AN IMPORTANT NOTE
+
+adns is not a full-service resolver.  It does no caching of responses
+at all, and has no defence against bad nameservers or fake packets
+which appear to come from your real nameservers.  It relies on the
+full-service resolvers listed in resolv.conf to handle these tasks.
+
+For secure and reasonable operation you MUST run a full-service
+nameserver on the same system as your adns applications, or on the
+same local, fully trusted network.  You MUST only list such
+nameservers in the adns configuration (eg resolv.conf).
+
+You MUST use a firewall or other means to block packets which appear
+to come from these nameservers, but which were actually sent by other,
+untrusted, entities.
+
+Furthermore, adns is not DNSSEC-aware in this version; it doesn't
+understand even how to ask a DNSSEC-aware nameserver to perform the
+DNSSEC cryptographic signature checking.
+
+
 COPYRIGHT
 
 This file, INSTALL, contains installation instructions and other