[Hipsec-rg] Forward Confirmed reverse DNS & HIP dns proxy
oleg.ponomarev at hiit.fi (Oleg Ponomarev) Fri, 24 April 2009 11:49 UTC
From: "oleg.ponomarev at hiit.fi"
Date: Fri, 24 Apr 2009 14:49:59 +0300
Subject: [Hipsec-rg] Forward Confirmed reverse DNS & HIP dns proxy
Hi!

It is not implementation-specific, so I am moving the discussion to this mailing list.

We stumbled across such a question: a host has both HIP and non-HIP connections and uses a HIP DNS proxy for the legacy applications. There is an incoming connection from 2001:708:140:220::2; it is resolved to hipl.infrahip.net, then hipl.infrahip.net has a HIP RR and gets resolved to 2001:19:c0ff:5d7e:d547:ec9b:37c3:44c6 (via the DNS proxy) instead of 2001:708:140:220::2. The forward confirmation is broken and there are warnings about possible attacks and so on.

Has this trouble been discussed before? Do you have any ideas?

One way would be to resolve:

  2001:708:140:220::2       -> hipl.infrahip.net.NOHIP.
  hipl.infrahip.net.NOHIP.  -> 2001:708:140:220::2
  hipl.infrahip.net.        -> 2001:19:c0ff:5d7e:d547:ec9b:37c3:44c6

There would be no warning about FCrDNS, but an ACL for hipl.infrahip.net. would not apply either.

--
Regards, Oleg.
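As an added illustration (not part of the post and not HIPL code), the following Python models the lookups described above against constructed resolver tables built from the names and addresses quoted in the post: the normal FCrDNS check, the same check when a HIP DNS proxy substitutes the HIT, and the proposed NOHIP reverse mapping. The ORCHID prefix 2001:10::/28 is the standard HIT prefix; the PTR_NOHIP table and the explain() helper are assumptions of this example.

```python
import ipaddress

# Constructed resolver data modelling the situation in the post (example only,
# not HIPL code). Names and addresses are the ones quoted in the post.
PTR = {"2001:708:140:220::2": "hipl.infrahip.net."}            # reverse (PTR) zone
AAAA = {                                                        # forward (AAAA) zone
    "hipl.infrahip.net.": ["2001:708:140:220::2"],
    "hipl.infrahip.net.NOHIP.": ["2001:708:140:220::2"],       # proposed NOHIP name
}
HIP_RR = {"hipl.infrahip.net.": "2001:19:c0ff:5d7e:d547:ec9b:37c3:44c6"}  # HIT
ORCHID = ipaddress.ip_network("2001:10::/28")   # HIT prefix (RFC 4843)

# Proposed alternative reverse zone: the PTR points at the NOHIP name instead.
PTR_NOHIP = {"2001:708:140:220::2": "hipl.infrahip.net.NOHIP."}


def forward_lookup(name, via_hip_proxy):
    """AAAA answer as the application sees it. A HIP DNS proxy substitutes the
    HIT for any name that has a HIP RR; plain DNS returns the real addresses."""
    if via_hip_proxy and name in HIP_RR:
        return [HIP_RR[name]]
    return list(AAAA.get(name, []))


def fcrdns(addr, via_hip_proxy, ptr=PTR):
    """Forward-confirmed reverse DNS: PTR(addr) -> name, then require that addr
    is among the forward answers for name. Returns (confirmed, name, answers)."""
    name = ptr.get(addr)
    if name is None:
        return False, None, []
    answers = forward_lookup(name, via_hip_proxy)
    return addr in answers, name, answers


def is_hit(addr):
    """True when addr is a Host Identity Tag (ORCHID prefix), not a locator."""
    return ipaddress.ip_address(addr) in ORCHID


def explain(addr, via_hip_proxy, ptr=PTR):
    """One-line diagnosis; separates the HIT-substitution case from a genuine
    reverse/forward mismatch so it is not logged as a spoofing attempt."""
    ok, name, answers = fcrdns(addr, via_hip_proxy, ptr)
    if ok:
        return "confirmed: %s <-> %s" % (addr, name)
    if name and any(is_hit(a) for a in answers):
        return "unconfirmed: forward answer for %s is a HIT, not a locator" % name
    return "unconfirmed: %s does not resolve back to %s" % (name, addr)
```

Running explain("2001:708:140:220::2", True) against these tables reproduces the failure described in the post, while the same call with ptr=PTR_NOHIP confirms, as the NOHIP name has no HIP RR for the proxy to rewrite.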