Zeroconfig and Multicast DNS

Chuck Swiger cswiger at mac.com
Thu Aug 24 22:05:46 UTC 2006 

On Aug 24, 2006, at 2:46 PM, Fredrik Lindberg wrote:
>>> The nsswitch.conf should IHMO be :files dns mdns,
>>> and the mdns nss module should ship with a default to only allow  
>>> queries to
>>>    .local
>>>    .168.254.in-addr.arpa
>> I think you meant .254.168.in-addr.arpa here.
>
> Actually .254.169.in-addr.arpa :)

Queries to 254.169.in-addr.arpa MUST return NXDOMAIN (or RCODE 3, to  
choose a non-BIND specific term).

See RFC-3927, section 1.4:

    To preclude use of IPv4 Link-Local addresses in off-link
    communication, the following cautionary measures are advised:

    a. IPv4 Link-Local addresses MUST NOT be configured in the DNS.
       Mapping from IPv4 addresses to host names is conventionally done
       by issuing DNS queries for names of the form,
       "x.x.x.x.in-addr.arpa."  When used for link-local addresses,  
which
       have significance only on the local link, it is inappropriate to
       send such DNS queries beyond the local link.  DNS clients MUST  
NOT
       send DNS queries for any name that falls within the
       "254.169.in-addr.arpa." domain.

       DNS recursive name servers receiving queries from non-compliant
       clients for names within the "254.169.in-addr.arpa." domain MUST
       by default return RCODE 3, authoritatively asserting that no such
       name exists in the Domain Name System.

    b. Names that are globally resolvable to routable addresses  
should be
       used within applications whenever they are available.  Names that
       are resolvable only on the local link (such as through use of
       protocols such as Link Local Multicast Name Resolution [LLMNR])
       MUST NOT be used in off-link communication.  IPv4 addresses and
       names that can only be resolved on the local link SHOULD NOT be
       forwarded beyond the local link.  IPv4 Link-Local addresses  
SHOULD
       only be sent when a Link-Local address is used as the source
       and/or destination address.  This strong advice should hinder
       limited scope addresses and names from leaving the context in
       which they apply.

-- 
-Chuck

More information about the freebsd-net mailing list