Message-ID: <CAO_RewY7EnLRSHKNDbs4GvMxuHp=J3tAW3ZONN=wMKuBsrpebg@mail.gmail.com>
Date: Thu, 22 Oct 2015 22:37:53 -0700
From: Tim Hockin <thockin@...gle.com>
To: musl@...ts.openwall.com
Subject: Re: Re: Would love to see reconsideration for domain and search

On Thu, Oct 22, 2015 at 10:31 PM, Rich Felker <dalias@...c.org> wrote:
>> > BTW I think there are other strong reasons to move to a model based on
>> > a local nameserver that does the unioning, not just performance. The
>> > most compelling is DNSSEC, which requires a trusted channel between
>> > the nameserver and the stub resolver in order for results to be
>> > meaningful/trusted. In the future everybody should be running a
>> > nameserver on localhost to do DNSSEC signature validation. In that
>> > scheme, resolv.conf would just contain 127.0.0.1 (or could be omitted
>> > entirely since that's the default, at least on musl).
>>
>> I can see a local nameserver doing resolution, but doing search
>> expansion seems like a stretch (and superfluous since it is local).
>
> Search would also get a lot of performance benefit from doing in the
> caching nameserver, but I agree with your assessment that it's a
> separate issue and that there's no _need_ to do it at that level to
> ensure correctness. So for now let's focus on a plan for adding
> suitable search domain support in musl.

Sounds right.

> I believe search only affects DNS queries, not hosts file lookups,

Also my understanding

> right? So it should be at the name_from_dns stage in lookup_name.c.
> The simplest implementation approach is probably to wrap name_from_dns
> with a name_from_dns_search function that reads the search domains and
> repeatedly calls name_from_dns until it gets success.
>
> One oddity/ugliness of search that needs to be considered is that
> querying different address families may lead to differently-sourced
> results. For example if you query example.us with ndots=2, a search
> domain of example.com, and the following records present:
>
> example.us.example.com A
> example.us AAAA
>
> then an AF_UNSPEC or AF_INET query yields a v4-only result for
> example.us.example.com while an AF_INET6 query "sees through" to the
> example.us record because the search of example.com fails. This seems
> quite ugly and counter-intuitive, but I don't see any way to do better
> that makes sense.

If that is how the records are laid out, I think you have to allow it.

> Also, are we agreed that queries with >=ndots dots, or a final dot (as
> in example.com.) should never be searched (rather than searched after
> first trying them in the root)?

That sounds right.

I saw from a different thread that musl doesn't or didn't do TCP
fallbacks - is that still the case? I know we need that for things
like large multi-SRV sets (which I do not expect libc to support), and
we have some people who have large A sets (which I do expect libc to
support).
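
Added example, not part of the message above and not musl code: a self-contained C sketch of the search behaviour discussed in the thread, run against a constructed two-record zone so the address-family divergence can be observed. The names search_resolve and mock_query are hypothetical, and the fallback to the bare name after a failed search is assumed from the "sees through" case in the quoted text.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* AF_UNSPEC, AF_INET, AF_INET6 */

/* Constructed zone data: the two records from the message above. */
static const struct { const char *name; int family; } zone[] = {
    { "example.us.example.com", AF_INET  },  /* A    */
    { "example.us",             AF_INET6 },  /* AAAA */
};

/* Stand-in for a DNS query: 1 if a record of that family exists. */
static int mock_query(const char *name, int family)
{
    for (size_t i = 0; i < sizeof zone / sizeof zone[0]; i++)
        if (!strcmp(zone[i].name, name) && (family == AF_UNSPEC || zone[i].family == family))
            return 1;
    return 0;
}

/* Hypothetical wrapper: writes the answering name to out, returns 0 or -1. */
static int search_resolve(const char *name, int family, int ndots,
        const char *const *search, size_t nsearch, char *out, size_t outlen)
{
    size_t len = strlen(name);
    int dots = 0;
    for (const char *p = name; *p; p++) dots += (*p == '.');
    if (len == 0 || len >= outlen) return -1;
    /* Proposed rule: >= ndots dots or a final dot means never searched. */
    if (dots < ndots && name[len - 1] != '.')
        for (size_t i = 0; i < nsearch; i++) {
            int n = snprintf(out, outlen, "%s.%s", name, search[i]);
            if (n < 0 || (size_t)n >= outlen) return -1;
            if (mock_query(out, family)) return 0;
        }
    /* Search skipped or exhausted: query the name as given, final dot stripped. */
    snprintf(out, outlen, "%.*s", (int)(len - (name[len - 1] == '.')), name);
    return mock_query(out, family) ? 0 : -1;
}

int main(void)
{
    const char *const search[] = { "example.com" };
    const int fams[] = { AF_UNSPEC, AF_INET, AF_INET6 };
    char out[256];
    for (int i = 0; i < 3; i++)
        if (search_resolve("example.us", fams[i], 2, search, 1, out, sizeof out) == 0)
            printf("family %d -> %s\n", fams[i], out);
    return 0;
}
```

The same input name is answered by example.us.example.com for AF_UNSPEC and AF_INET but by example.us for AF_INET6, so code that compares or pins results across families cannot assume they came from the same owner name.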