From: Victor Duchovni (no email)
Date: Sun Jan 21 2007 - 00:45:56 EST
On Sat, Jan 20, 2007 at 11:36:41PM -0600, Travis H. wrote:
> On Wed, Jan 03, 2007 at 09:40:51AM -0500, Victor Duchovni wrote:
> > No. Nameservers must and do respond from the IP address to which the
> > query was sent.
>
> RFC 1035 section 7.3 disagrees with you:
>
> Some name servers send their responses from different addresses than
> the one used to receive the query. That is, a resolver cannot rely
> that a response will come from the same address which it sent the
> corresponding query to. This name server bug is typically encountered
----------------------------------------------^^^------------------------
> in UNIX systems.
It's a bug. And nameservers DO respond from the right IP; the ones that
don't really don't work anymore: their responses are blocked by stateful
firewalls, and should be ignored by security-minded resolvers (despite
the RFC).
> I assume this has to do with the way recv(2) and send(2) were
> implemented in the socket API, but my OS states that recv(2) is
> normally used only on a connected socket.
No, it has to do with UDP applications that were not written with
multi-homed hosts in mind and don't bind to each interface separately.
Yes, a sendfromto()/recvtofrom() interface would have helped to avoid
the need for multiple sockets, but alas this is not a standard socket
API feature (some O/S-specific firewall extensions provide this in
non-portable ways).
--
	Viktor.

Disclaimer:

off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
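The two technical points in the exchange above, shown in working code as an added example (this is not code from the thread, from Postfix, or from any nameserver): a UDP responder on a multi-homed host that binds one wildcard socket and still replies from the address the query arrived at, using the Linux-specific IP_PKTINFO ancillary data as the "recvtofrom()/sendfromto()" substitute the message says portable sockets lack; and the resolver-side check that drops a reply unless it comes from the exact address and port the query was sent to. Everything here is an assumption of the example: REPLY_PORT, the 192.0.2.x addresses used in comments, and the echo payload stand in for real DNS traffic, and the code is Linux-only.

```c
/* Added example, not part of the original thread. Linux-only: IP_PKTINFO
   is the OS-specific extension that reports a datagram's destination
   address on receive and pins the source address on send. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define REPLY_PORT 5300   /* constructed for the example; any free port works */

/* Pull the datagram's destination address (and interface index) out of the
   IP_PKTINFO control message the kernel attached to recvmsg().
   Returns 1 if found, 0 if no IP_PKTINFO was present. */
int recv_dest_addr(struct msghdr *msg, struct in_addr *dst, int *ifindex)
{
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof pi);   /* CMSG_DATA may be unaligned */
            *dst = pi.ipi_addr;
            if (ifindex) *ifindex = pi.ipi_ifindex;
            return 1;
        }
    }
    return 0;
}

/* Attach an IP_PKTINFO control message to msg. On sendmsg() the kernel uses
   ipi_spec_dst as the packet's source address; ipi_addr is filled as well so
   the same builder can mimic a received control message. */
void attach_pktinfo(struct msghdr *msg, void *ctrl, size_t ctrl_len,
                    struct in_addr addr, int ifindex)
{
    struct cmsghdr *c;
    struct in_pktinfo pi;

    memset(ctrl, 0, ctrl_len);
    memset(&pi, 0, sizeof pi);
    pi.ipi_addr = addr;
    pi.ipi_spec_dst = addr;
    pi.ipi_ifindex = ifindex;

    msg->msg_control = ctrl;
    msg->msg_controllen = ctrl_len;
    c = CMSG_FIRSTHDR(msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof pi);
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
    msg->msg_controllen = CMSG_SPACE(sizeof pi);   /* trim to what was filled */
}

/* Resolver-side check: a reply counts only if it comes from the exact
   address and port the query was sent to (the "security-minded" rule). */
int reply_from_expected_server(const struct sockaddr_in *sent_to,
                               const struct sockaddr_in *reply_from)
{
    return sent_to->sin_addr.s_addr == reply_from->sin_addr.s_addr
        && sent_to->sin_port == reply_from->sin_port;
}

/* Receive one datagram and echo it back from the address it arrived at. */
int serve_one(int fd)
{
    char buf[512], ctrl[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct sockaddr_in peer;
    struct iovec iov = { buf, sizeof buf };
    struct msghdr msg;
    struct in_addr dst;
    ssize_t n;

    memset(&msg, 0, sizeof msg);
    msg.msg_name = &peer;
    msg.msg_namelen = sizeof peer;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl;
    msg.msg_controllen = sizeof ctrl;

    n = recvmsg(fd, &msg, 0);
    if (n < 0) return -1;
    /* Without IP_PKTINFO we would have to guess a source; refuse instead. */
    if (!recv_dest_addr(&msg, &dst, NULL)) return -1;

    /* Reply with the same payload, source address pinned to the query's
       destination so a stateful firewall in front of the client accepts it. */
    iov.iov_len = (size_t)n;
    msg.msg_namelen = sizeof peer;
    attach_pktinfo(&msg, ctrl, sizeof ctrl, dst, 0);
    return sendmsg(fd, &msg, 0) < 0 ? -1 : 0;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0), one = 1;
    struct sockaddr_in any;

    if (fd < 0) return 1;
    /* Ask the kernel to report each datagram's destination address. */
    setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof one);
    memset(&any, 0, sizeof any);
    any.sin_family = AF_INET;
    any.sin_addr.s_addr = htonl(INADDR_ANY);   /* one wildcard socket, all interfaces */
    any.sin_port = htons(REPLY_PORT);
    if (bind(fd, (struct sockaddr *)&any, sizeof any) < 0) { perror("bind"); return 1; }
    for (;;) serve_one(fd);
}
```

Without the IP_PKTINFO step, a server bound to INADDR_ANY on a host with several addresses replies from whichever address the routing table picks for the client, which is exactly the RFC 1035 section 7.3 "bug" quoted above. The alternative the message mentions, one socket bound per interface address, needs no ancillary data but has to be re-done whenever addresses change.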