Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <536D7B08.8030403@mit.edu>
Date: Fri, 09 May 2014 18:04:08 -0700
From: Andy Lutomirski <luto@...capital.net>
To: musl@...ts.openwall.com
Subject: Re: Resolver overhaul concepts

On 05/04/2014 09:24 AM, Rich Felker wrote:
> On Sun, May 04, 2014 at 05:07:33PM +0100, Laurent Bercot wrote:
>>
>>  I believe the very first thing to address is what exactly you call
>> a resolver.
> 
> There are some legacy dn_*/res_* interfaces in demand which are
> presently supported only poorly or not at all. Part of the side goal
> of the resolver overhaul is to provide them cleanly without code
> duplication. But for the most part, "resolver" means "getaddrinfo"
> since it is the only standard, non-deprecated interface to name
> resolution.
> 
>>  getaddrinfo() is a horrible interface, and one of the reasons why
>> is that it is loosely designed. Not much is standardized, and it's up
>> to you to decide exactly what to do with it; it's important to be
>> clear about what is implemented, and to document it, because not all
>> applications have the same expectations, and it's very easy to get
>> confused when the resolution path is unexpected.
> 
> It's standardized by POSIX, and the POSIX text is sufficient to tell
> you how to use it for all portable usages. Most of the confusion/mess
> comes from non-conforming implemnentations, particularly in the area
> of returning wrong error codes.
> 
>>  glibc's getaddrinfo() is the entry point to the NSS layer, which
>> can basically implement *any* kind of "name resolution". AFAICT,
>> it's not a goal of musl to reimplement the whole NSS spaghetti
>> monster, but some applications will depend on /etc/nsswitch.conf
>> or something similar; even without supporting /etc/nsswitch.conf,
>> it would be nice to provide a mechanism to selectively enable/disable
>> at least /etc/hosts lookup and DNS lookup. The current resolution
> 
> The policy for supporting something like nss has always been that musl
> implements a perfectly reasonable public protocol for providing any
> back-end you want: the DNS protocol. You can run a local daemon
> speaking DNS and serving names from any backend you like, and this is
> the correct way to achieve it (rather than linking random buggy,
> likely-not-namespace-clean libraries into the application's address
> space). In order to make this the most useful, though, musl should
> support nameservers on non-default ports (is there a standard syntax
> for this, or can we support one without breaking anything?), and it
> would also be nice to be able to override resolv.conf on a per-process
> basis (e.g. via the environment).

How about 'nameserver /path/to/unix/socket'?  If glibc supported that,
too, it might solve a lot of problems involving systemwide resolvers and
containers.

This might have to be 'unixsocknameserver /path/to/unix/socket' or
something for better interoperability.

--Andy

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.