IETF-SSH archive


Re: WG chair nits on draft-ietf-secsh-dns-02.txt



On Thu, 20 Mar 2003, wes wrote:

> On Thursday, March 20, 2003, at 03:28 PM, Jakob Schlyter wrote:
>
> > On Thu, 20 Mar 2003, Bill Sommerfeld wrote:
> >
> >> An alternate approach which I think is superior is to ensure that the
> >> DNS search path used while resolving SSHFP records comes from a trusted
> >> source (i.e., not from DHCP or PPP/ipcp).
> >
> > how can the ssh client implementation ensure that?
>
> I don't think the implementation can ensure that. However, the users of
> the client system can ensure that by manually coding a DNS search path
> that doesn't get over-written by DHCP.

I doubt very much that normal users can do any such thing. On most
systems DNS configuration is system wide, not per user.
Most users don't even know what DNS is (and they shouldn't really need to).

The administrator of the system may be able to do what is suggested -
but it depends on the OS and how it deals with DHCP.  It also depends on
what APIs will be available for DNSSEC and/or normal DNS.

Clever users with use of LD_PRELOAD (and its equivalent if it exists) on
UNIX-like systems might be able to do what was suggested.

-- 
Darren J Moffat


