[strongSwan] Potential bug in DPD implementation?

Julian Pawlowski julian.pawlowski at gmail.com
Fri Jul 9 00:30:34 CEST 2010


Hi Andreas,

thanks for your quick response!

After reading it a few times it's clear for me now that the output is
actually also there when no tunnel is currently up and running. :-)

In this case I think the DNS is the root cause of the behavior I'm
experiencing here.
Let me suggest some enhancements to the Pluto daemon in that case.

I think it is important for every piece of software that deals with DNS
data to respect other RFC standards like the Time To Live in this
case. If Pluto does not care about any TTL set and only looks up the
current A record at startup time, I would like to suggest a change to
this behavior and add a routine to make sure that DNS records can
actually expire and are being retrieved again. I think this is some
kind of behavior one would always expect when using canonical names
instead of IP addresses. If you would have any concerns in regard to
increased DNS vulnerability it might be useful to make this new
behavior as a configurable option.

I'd highly appreciate it if you could consider this to be a worthwhile feature
enhancement to the Pluto daemon, or the strongSwan suite respectively.


Best regards
Julian
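To illustrate the behaviour the mail asks for, here is an added example (not strongSwan or Pluto code) of a TTL-aware cache for a peer's resolved address, with a switch that reproduces the startup-only lookup the mail describes. The resolver is injected and the sample answers are constructed, so it runs offline; `vpn.example.com` and the addresses are placeholders.

```python
import time
from typing import Callable, Dict, Tuple

# A resolver returns (address, ttl_seconds). It is injected so the example
# can be run without network access (assumption, not Pluto's real resolver).
Resolver = Callable[[str], Tuple[str, int]]


class PeerAddressCache:
    """Caches a peer's resolved A record and honours its TTL.

    respect_ttl=False keeps whatever was resolved first (the startup-only
    behaviour described in the mail); respect_ttl=True re-resolves once
    the record has expired. Re-resolving relies more on DNS answers, which
    is why the mail suggests making it configurable; the tunnel still
    depends on IKE peer authentication, not on the address alone.
    """

    def __init__(self, resolver: Resolver, respect_ttl: bool = True,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._resolver = resolver
        self._respect_ttl = respect_ttl
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}  # name -> (addr, expiry)

    def lookup(self, name: str) -> str:
        now = self._clock()
        entry = self._entries.get(name)
        if entry is not None:
            address, expires_at = entry
            if not self._respect_ttl or now < expires_at:
                return address          # cached answer still valid
        address, ttl = self._resolver(name)
        self._entries[name] = (address, now + max(ttl, 0))
        return address


class FakeResolver:
    """Constructed resolver: the A record changes after the first query."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, name: str) -> Tuple[str, int]:
        self.calls += 1
        return ("192.0.2.1" if self.calls == 1 else "192.0.2.2"), 60


def demo(respect_ttl: bool) -> Tuple[str, str, str, int]:
    """Three lookups at t=0, t=30 and t=61 against a 60 s TTL."""
    clock = [0.0]
    resolver = FakeResolver()
    cache = PeerAddressCache(resolver, respect_ttl, clock=lambda: clock[0])
    first = cache.lookup("vpn.example.com")
    clock[0] = 30.0             # within TTL: no new query
    second = cache.lookup("vpn.example.com")
    clock[0] = 61.0             # TTL expired: re-resolve only if enabled
    third = cache.lookup("vpn.example.com")
    return first, second, third, resolver.calls
```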
