From 2b61beb8dee78603035a1e2fe93bd95afc8ef86c Mon Sep 17 00:00:00 2001 From: ian Date: Mon, 20 Mar 2000 02:31:37 +0000 Subject: [PATCH] + * Security/performance note added, about local nameservers and DNSSEC. @@ -3,6 +3,7 @@ + * Security/performance note added, about local nameservers and DNSSEC. --- INSTALL | 24 ++++++++++++++++++++++++ changelog | 1 + 2 files changed, 25 insertions(+) diff --git a/INSTALL b/INSTALL index 2b3338f..45bb1e3 100644 --- a/INSTALL +++ b/INSTALL @@ -1,5 +1,8 @@ INSTALLATION INSTRUCTIONS for ADNS +1. Read the security note below. + +2. Standard GNU package build process: $ ./configure $ make # make install @@ -29,6 +32,27 @@ perform badly. You will probably find that GNU Make is required. +SECURITY AND PERFORMANCE - AN IMPORTANT NOTE + +adns is not a full-service resolver. It does no caching of responses +at all, and has no defence against bad nameservers or fake packets +which appear to come from your real nameservers. It relies on the +full-service resolvers listed in resolv.conf to handle these tasks. + +For secure and reasonable operation you MUST run a full-service +nameserver on the same system as your adns applications, or on the +same local, fully trusted network. You MUST only list such +nameservers in the adns configuration (eg resolv.conf). + +You MUST use a firewall or other means to block packets which appear +to come from these nameservers, but which were actually sent by other, +untrusted, entities. + +Furthermore, adns is not DNSSEC-aware in this version; it doesn't +understand even how to ask a DNSSEC-aware nameserver to perform the +DNSSEC cryptographic signature checking. + + COPYRIGHT This file, INSTALL, contains installation instructions and other diff --git a/changelog b/changelog index 8b62cf2..20eaf1a 100644 --- a/changelog +++ b/changelog 
@@ -3,6 +3,7 @@ adns (0.8) BETA; urgency=low * Spurious `server failure on unidentifiable query' warning suppressed. * install-sh (from autoconf 2.12 Debian r13) included. * adnslogres: cast chars to unsigned char before using ctype.h macros. + * Security/performance note added, about local nameservers and DNSSEC. -- -- 2.30.2
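Review bot: In the first INSTALL hunk (@@ -1,5 +1,8 @@), the new step 1 points at "the security note below" without naming it, while the section added further down is headed "SECURITY AND PERFORMANCE - AN IMPORTANT NOTE". Suggest quoting that heading in step 1 so a reader skimming the build steps can search for it and does not stop at the first later paragraph that mentions security.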
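Review bot: In the second INSTALL hunk (@@ -29,6 +32,27 @@), the paragraph beginning "You MUST use a firewall or other means to block packets" is a MUST that gives the reader nothing concrete to act on: it does not say where the filter sits or how a forged packet is told apart from a genuine one. Suggest stating that packets bearing a listed nameserver's source address are to be dropped when they arrive from outside the trusted network, or, for a nameserver on the same system, from any external interface. The DNSSEC paragraph has the same gap: it says what adns cannot do but not what an application author should conclude from that, and one sentence on the consequence would close it. Minor: the first paragraph says "listed in resolv.conf" and the second "the adns configuration (eg resolv.conf)"; use one form in both places.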
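Review bot: In the changelog hunk, the added entry does not say which file the note went into; the diffstat shows it is INSTALL. Suggest "Security/performance note added to INSTALL, about local nameservers and DNSSEC." so the entry can be followed without reading the diff.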