Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAO_RewY7EnLRSHKNDbs4GvMxuHp=J3tAW3ZONN=wMKuBsrpebg@mail.gmail.com>
Date: Thu, 22 Oct 2015 22:37:53 -0700
From: Tim Hockin <thockin@...gle.com>
To: musl@...ts.openwall.com
Subject: Re: Re: Would love to see reconsideration for domain and search

On Thu, Oct 22, 2015 at 10:31 PM, Rich Felker <dalias@...c.org> wrote:
>> > BTW I think there are other strong reasons to move to a model based on
>> > a local nameserver that does the unioning, not just performance. The
>> > most compelling is DNSSEC, which requires a trusted channel between
>> > the nameserver and the stub resolver in order for results to be
>> > meaningful/trusted. In the future everybody should be running a
>> > nameserver on localhost to do DNSSEC signature validation. In that
>> > scheme, resolv.conf would just contain 127.0.0.1 (or could be omitted
>> > entirely since that's the default, at least on musl).
>>
>> I can see a local nameserver doing resolution, but doing search
>> expansion seems like a stretch (and superfluous since it is local).
>
> Search would also get a lot of performance benefit from doing in the
> caching nameserver, but I agree with your assessment that it's a
> separate issue and that there's no _need_ to do it at that level to
> ensure correctness. So for now let's focus on a plan for adding
> suitable search domain support in musl.

Sounds right.

> I believe search only affects DNS queries, not hosts file lookups,

Also my understanding

> right? So it should be at the name_from_dns stage in lookup_name.c.
> The simplest implementation approach is probably to wrap name_from_dns
> with a name_from_dns_search function that reads the search domains and
> repeatedly calls name_from_dns until it gets success.
>
> One oddity/ugliness of search that needs to be considered is that
> querying different address families may lead to differently-sourced
> results. For example if you query example.us with ndots=2, a search
> domain of example.com, and the following records present:
>
>         example.us.example.com A
>         example.us AAAA
>
> then an AF_UNSPEC or AF_INET query yields a v4-only result for
> example.us.example.com while an AF_INET6 query "sees through" to the
> example.us record because the search of example.com fails. This seems
> quite ugly and counter-intuitive, but I don't see any way to do better
> that makes sense.

If that is how the records are laid out, I think you have to allow it.

> Also, are we agreed that queries with >=ndots dots, or a final dot (as
> in example.com.) should never be searched (rather than searched after
> first trying them in the root)?

That sounds right.

I saw from a different thread that musl doesn't or didn't do TCP
fallbacks - is that still the case?  I know we need that for things
like large multi-SRV sets (which I do not expect libc to support), and
we have some people who have large A sets (which I do expect libc to
support).

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.