Hello James,

Thursday, March 30, 2006, 2:16:53 PM, you wrote:

JC> Tomasz Potega writes:
>> At present, NSS does a forward DNS check following a call to
>> gethostbyaddr() (and friends), in order to prevent DNS
>> spoofing. While this can be quite understandable from the security
>> POV (see bug #4107844), it can interfere with the way our
>> application does DNS sanity checks. Would it be possible to have
>> some kind of a switch, to let the application get all the results,
>> even those failing the check? (we are using a modified nss_dns
>> library, with the check removed - hardly an elegant solution).

JC> You could also call the libresolv functions directly.

That's an option however the problem is that on other systems (Linux) there's different behavior and it's a problem. Then sometimes you don't care about spoofing 'coz you have too many customers with misconfigured DNS and from their point of view it's you who doesn't work - and you do not argue with customers :)

Anyway, imho it would be ok if some kind of configuration switch would be provided in nscd (it's only nscd problem, right?) to turn on/off spoofing checking - looks like it should be really simple. I'm sure Tomasz would even implement this and send to request-sponsor if we only reach some consensus.

--
Best regards,
Robert mailto:[EMAIL PROTECTED]
http://milek.blogspot.com

_______________________________________________
networking-discuss mailing list
[email protected]
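
The forward check discussed in the message above (reverse lookup, forward lookup of the returned name, comparison with the original address), as an added example that is not part of the original message and is not the nss_dns code. `fcr_match`, `fcr_lookup` and the status names are hypothetical and the sketch is IPv4 only; instead of dropping a failing result it returns the PTR name with a status, so the application decides how far to trust it.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Outcome of a forward-confirmed reverse lookup (hypothetical names). */
enum fcr_status { FCR_CONFIRMED, FCR_MISMATCH, FCR_NO_FORWARD, FCR_NO_PTR };

/* Does the forward answer list for the PTR name contain the original address? */
enum fcr_status fcr_match(const struct in_addr *orig, const struct addrinfo *fwd)
{
    if (fwd == NULL)
        return FCR_NO_FORWARD;
    for (; fwd != NULL; fwd = fwd->ai_next) {
        if (fwd->ai_family != AF_INET)
            continue;
        const struct sockaddr_in *sin = (const struct sockaddr_in *)fwd->ai_addr;
        if (sin->sin_addr.s_addr == orig->s_addr)
            return FCR_CONFIRMED;   /* name maps back to the address we started from */
    }
    return FCR_MISMATCH;            /* PTR owner claims a name it does not hold */
}

/* Reverse-resolve ip, forward-resolve the PTR name, compare. The name is
 * left in `name` even when the check fails, so the caller can log or flag it. */
enum fcr_status fcr_lookup(const char *ip, char *name, size_t namelen)
{
    struct sockaddr_in sa;
    struct addrinfo hints, *res = NULL;
    memset(&sa, 0, sizeof sa);
    memset(&hints, 0, sizeof hints);
    sa.sin_family = AF_INET;
    hints.ai_family = AF_INET;
    if (namelen > 0)
        name[0] = '\0';
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return FCR_NO_PTR;
    if (getnameinfo((struct sockaddr *)&sa, sizeof sa, name, namelen,
                    NULL, 0, NI_NAMEREQD) != 0)
        return FCR_NO_PTR;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return FCR_NO_FORWARD;
    enum fcr_status st = fcr_match(&sa.sin_addr, res);
    freeaddrinfo(res);
    return st;
}

int main(int argc, char **argv)
{
    char name[256];
    enum fcr_status st = fcr_lookup(argc > 1 ? argv[1] : "127.0.0.1", name, sizeof name);
    printf("ptr=%s status=%d\n", name, (int)st);
    return 0;
}
```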
