From: "Rémi Denis-Courmont" <rdenis@simphalempin.com>
To: David Stevens <dlstevens@us.ibm.com>
Cc: cananian@gmail.com, "C. Scott Ananian" <cscott@laptop.org>,
netdev@vger.kernel.org
Subject: Re: [RFD] First draft of RDNSS-in-RA support for IPv6 DNS autoconfiguration
Date: Sat, 23 Jun 2007 21:13:01 +0300 [thread overview]
Message-ID: <200706232113.01745@auguste.remlab.net> (raw)
In-Reply-To: <OFBCA57EE5.DABFEB20-ON88257303.00601DB3-88257303.00618B1D@us.ibm.com>
Le samedi 23 juin 2007, David Stevens a écrit :
> The kernel should do the authentication, as it will for other
> RA's,
> and should not deliver (IMAO) unauthenticated packets. If it is, I
> would consider that a bug (for all cases, not just this), and that
> would be a good thing to fix. :-)
I am all for an interface whereby the kernel queues all "accepted" RAs
for userland to process additionnal parameters... but that's totally
NOT how ICMPv6 raw sockets currently work, and it would be a very
significant departure from the Advanced IPv6 Socket API (RFC 3542, in
particular §3.3):
An implementation might perform additional validity checks on the
ICMPv6 message content and discard malformed packets. However, a
portable application must not assume that such validity checks have
been performed.
Being malformed does not include failing authentication, or the local
host not using autoconf. I am all for a setsockopt() that limits
delivery to "accepted" RAs, but it does not currently exist.
> An interface going down doesn't directly invalidate a DNS
> server address, though it may not be the best through another
> interface. Since it is a list, I think "doing nothing" for this case
> wouldn't be terrible. This is no worse than the existing resolver
> code.
That would encourage people into running open recursive DNS servers
which is widely known and documented as a bad practice. Definitely a
very bad idea.
> But if you really need it, you can monitor netlink, or poll the
> interface flags on whatever interval you require for detection.
> As for autoconf, that's available from sysctl, I assume from
> /proc somewhere, too. That usually doesn't change, but if you want to
> account for runtime configuration changes, you can always monitor
> netlink and reread when new addresses appear, too.
There are a bunch of parameters that determine whether an interface
accepts RAs or not. I doubt it's wise to try to reimplement that into
userspace, particularly if it is subject to change.
> There certainly may be complications I haven't thought of,
> since I haven't implemented it. But I still don't see a good case for
> using the kernel as a DNS database.
I never said the kernel needed to parse DNS messages by itself. My point
is raw IPv6 sockets are not usable for the time being, and I do not see
anyway to fix without modifying the kernel.
The userspace DNS configuration daemon might need to be started later
than the kernel autoconf - another issue that needs help from the
kernel.
--
Rémi Denis-Courmont
http://www.remlab.net/
next prev parent reply other threads:[~2007-06-23 18:13 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-22 23:26 [RFD] First draft of RDNSS-in-RA support for IPv6 DNS autoconfiguration C. Scott Ananian
2007-06-22 23:39 ` Michael Buesch
2007-06-23 0:09 ` C. Scott Ananian
2007-06-23 2:11 ` Dan Williams
2007-06-23 9:07 ` Michael Buesch
2007-06-23 20:41 ` David Miller
2007-06-22 23:42 ` Michael Buesch
2007-06-23 1:04 ` David Stevens
2007-06-23 1:17 ` Simon Arlott
2007-06-23 4:30 ` David Stevens
2007-06-23 4:50 ` Simon Arlott
2007-06-23 5:12 ` David Miller
2007-06-23 8:23 ` Pierre Ynard
2007-06-24 19:05 ` Olaf Kirch
2007-06-23 13:25 ` Rémi Denis-Courmont
2007-06-23 14:47 ` C. Scott Ananian
2007-06-23 16:40 ` Simon Arlott
2007-06-23 16:48 ` David Stevens
2007-06-23 16:51 ` Rémi Denis-Courmont
2007-06-23 17:45 ` David Stevens
2007-06-23 18:13 ` Rémi Denis-Courmont [this message]
2007-06-23 18:51 ` David Stevens
2007-06-23 19:18 ` Rémi Denis-Courmont
2007-06-23 20:27 ` Pierre Ynard
2007-06-25 2:17 ` Dan Williams
2007-06-25 2:53 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200706232113.01745@auguste.remlab.net \
--to=rdenis@simphalempin.com \
--cc=cananian@gmail.com \
--cc=cscott@laptop.org \
--cc=dlstevens@us.ibm.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).