X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=blobdiff_plain;f=INSTALL;h=d8e07592448461b8bf5d4a2af1d909da201b76c3;hp=ffae5f531b3a5d769ba6d0c0b50692bb7ad17edd;hb=66f7ac484ca092766a46a6d50c07cf59291ffc86;hpb=e39ec089064f4a341a6ee46f9b68a6c5d8a8b5b9 diff --git a/INSTALL b/INSTALL index ffae5f5..d8e0759 100644 --- a/INSTALL +++ b/INSTALL @@ -1,5 +1,8 @@ INSTALLATION INSTRUCTIONS for ADNS +1. Read the security note below. + +2. Standard GNU package build process: $ ./configure $ make # make install 
@@ -18,15 +21,48 @@ libtool. I'm not interested in supporting non-ELF shared libraries. However, if you send me an appropriate patch I'd be willing to make it easy or automatic to disable the ELF shared library arrangements. +The adnsresfilter utility uses `tsearch' from the C library (a la SVID +and X/Open). If your C library doesn't have tsearch you will find +that configure arranges for adnsresfilter not to be built. To rectify +this, install a C library containing tsearch, such as the GNU C +library. It is best if tsearch uses an automatically-balancing tree +algorithm, like the glibc version does. Simple binary trees may +perform badly. + You will probably find that GNU Make is required. +SECURITY AND PERFORMANCE - AN IMPORTANT NOTE + +adns is not a full-service resolver. It does no caching of responses +at all, and has no defence against bad nameservers or fake packets +which appear to come from your real nameservers. It relies on the +full-service resolvers listed in resolv.conf to handle these tasks. + +For secure and reasonable operation you MUST run a full-service +nameserver on the same system as your adns applications, or on the +same local, fully trusted network. You MUST only list such +nameservers in the adns configuration (eg resolv.conf). + +You MUST use a firewall or other means to block packets which appear +to come from these nameservers, but which were actually sent by other, +untrusted, entities. + +Furthermore, adns is not DNSSEC-aware in this version; it doesn't +understand even how to ask a DNSSEC-aware nameserver to perform the +DNSSEC cryptographic signature checking. + + COPYRIGHT This file, INSTALL, contains installation instructions and other -details for adns. +details for adns. It is + Copyright (C) 1997-2000 Ian Jackson -adns is Copyright (C)1997-9 Ian Jackson . 
+adns is + Copyright (C) 1997-2000 Ian Jackson + Copyright (C) 1999 Tony Finch [1] + Copyright (C) 1991 Massachusetts Institute of Technology [2] adns is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free @@ -42,3 +78,12 @@ You should have received a copy of the GNU General Public License along with userv as the file COPYING; if not, email me at the address above or write to the Free Software Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + +[1] Tony Finch holds the original copyright on + client/adnslogres.c and client/fanftest.c. +[2] MIT hold the original copyright on the included install-sh, + which came via GNU autoconf. + +# Local variables: +# mode: text +# End:
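Review bot: In the first hunk (@@ -1,5 +1,8 @@), step 1 says "Read the security note below" without naming the section, which the second hunk titles "SECURITY AND PERFORMANCE - AN IMPORTANT NOTE" and places after the build notes on libtool, tsearch and GNU Make. A reader who stops once `make install` succeeds never reaches it. Suggest quoting the heading in step 1, or moving the section directly under the build commands.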
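Review bot: In the second hunk (@@ -18,15 +21,48 @@), the paragraph "You MUST use a firewall or other means to block packets which appear to come from these nameservers" gives no way to tell a forged packet from a genuine one. The preceding paragraph allows the nameserver to be on the same system or on the same local, fully trusted network, so the rule can be stated in those terms: drop any packet that carries a listed nameserver's source address but arrives from anywhere other than that system or network. The phrase "fully trusted network" also needs a definition, because the MUST in that paragraph depends on it.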
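Review bot: In the third hunk (@@ -42,3 +78,12 @@), the unchanged line just above the added footnotes still reads "along with userv as the file COPYING", although this is the INSTALL file for adns. The patch already revises the copyright section, so this is the place to change "userv" to "adns". The footnotes [1] and [2] are otherwise consistent with the markers added to the copyright lines in the previous hunk.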