Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20151026021432.20049.qmail@ary.lan>
Date: 26 Oct 2015 02:14:32 -0000
From: "John Levine" <johnl@...c.com>
To: musl@...ts.openwall.com
Subject: Re: Re: Would not love to see reconsideration for domain and search

>BTW I think there are other strong reasons to move to a model based on
>a local nameserver that does the unioning, not just performance. The
>most compelling is DNSSEC, which requires a trusted channel between
>the nameserver and the stub resolver in order for results to be
>meaningful/trusted. ...

Yes, definitely.

DNS search lists seemed like a good idea back in the 1980s.  Then in
1990 they added .CS for Czechoslovakia to the DNS root, and in
Computer Science departments all over the world, addresses like
joe@...do.cs stopped working, since the search list that used to turn
it into joe@...do.cs.stateu.edu didn't do that any more.

ICANN has added about 600 new top level domains in the past two years,
There's still nearly a thousand more in the pipeline, and they're
talking about another round that will add thousands more.  I went to a
two day meeting about name collisions after the London ICANN meeting,
and a great deal of the discussion was about how to flush out old
search list queries before they started resolving wrong.

If you want to have a local namespace overlaid on the DNS, it is not
hard to configure bind or unbound to do that so, e.g. names in
whatever.blah resolve locally.  You can even configure in local DNSSEC
anchors for .blah if you want.  In that case if there's ever a global
.blah TLD, your local users won't be able to see it, but your local
applications will keep working.

I'd strongly suggest that the lack of DNS search lists is a feature,
and not to change it.

R's,
John

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.