author | ian <ian> | 2000-03-20 02:31:37 +0000 |
---|---|---|
committer | ian <ian> | 2000-03-20 02:31:37 +0000 |
commit | 2b61beb8dee78603035a1e2fe93bd95afc8ef86c (patch) | |
tree | b2b54862a71fe1b4307685ad969d1e6f60281764 /INSTALL | |
parent | 2658c3058287d395a640aadcd7e3f5caa89efedf (diff) |
+ * Security/performance note added, about local nameservers and DNSSEC.
@@ -3,6 +3,7 @@
+ * Security/performance note added, about local nameservers and DNSSEC.
Diffstat (limited to 'INSTALL')
-rw-r--r-- | INSTALL | 24 |
1 files changed, 24 insertions, 0 deletions
@@ -1,5 +1,8 @@ INSTALLATION INSTRUCTIONS for ADNS +1. Read the security note below. + +2. Standard GNU package build process: $ ./configure $ make # make install @@ -29,6 +32,27 @@ perform badly. You will probably find that GNU Make is required. +SECURITY AND PERFORMANCE - AN IMPORTANT NOTE + +adns is not a full-service resolver. It does no caching of responses +at all, and has no defence against bad nameservers or fake packets +which appear to come from your real nameservers. It relies on the +full-service resolvers listed in resolv.conf to handle these tasks. + +For secure and reasonable operation you MUST run a full-service +nameserver on the same system as your adns applications, or on the +same local, fully trusted network. You MUST only list such +nameservers in the adns configuration (eg resolv.conf). + +You MUST use a firewall or other means to block packets which appear +to come from these nameservers, but which were actually sent by other, +untrusted, entities. + +Furthermore, adns is not DNSSEC-aware in this version; it doesn't +understand even how to ask a DNSSEC-aware nameserver to perform the +DNSSEC cryptographic signature checking. + + COPYRIGHT This file, INSTALL, contains installation instructions and other |
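Review bot: Step 1 in the first hunk points to "the security note below" without naming it. The section added in the second hunk is headed "SECURITY AND PERFORMANCE - AN IMPORTANT NOTE", so step 1 should quote that heading to let a reader search for it. The build commands under the new step 2 still use both the `$` and `#` prompts with no explanation; a short remark that `make install` is run as root would fit here now that the steps are numbered.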
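Review bot: The firewall paragraph in the second hunk ("You MUST use a firewall or other means to block packets which appear to come from these nameservers") does not say where the filtering has to happen, nor how it applies when the nameserver runs on the same system, which the preceding paragraph allows. Suggest stating that the filter applies to packets arriving from outside the host or the trusted network that carry a listed nameserver's source address. The DNSSEC paragraph says "in this version" without giving a version number, so the statement will be hard to date once INSTALL is read apart from the release it shipped with.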