Message-ID: <20151026021432.20049.qmail@ary.lan>
Date: 26 Oct 2015 02:14:32 -0000
From: "John Levine" <johnl@...c.com>
To: musl@...ts.openwall.com
Subject: Re: Re: Would not love to see reconsideration for domain and search

>BTW I think there are other strong reasons to move to a model based on
>a local nameserver that does the unioning, not just performance. The
>most compelling is DNSSEC, which requires a trusted channel between
>the nameserver and the stub resolver in order for results to be
>meaningful/trusted. ...

Yes, definitely.

DNS search lists seemed like a good idea back in the 1980s. Then in 1990 they added .CS for Czechoslovakia to the DNS root, and in Computer Science departments all over the world, addresses like joe@...do.cs stopped working, since the search list that used to turn it into joe@...do.cs.stateu.edu didn't do that any more.

ICANN has added about 600 new top level domains in the past two years. There's still nearly a thousand more in the pipeline, and they're talking about another round that will add thousands more. I went to a two day meeting about name collisions after the London ICANN meeting, and a great deal of the discussion was about how to flush out old search list queries before they started resolving wrong.

If you want to have a local namespace overlaid on the DNS, it is not hard to configure bind or unbound to do that so, e.g. names in whatever.blah resolve locally. You can even configure in local DNSSEC anchors for .blah if you want. In that case if there's ever a global .blah TLD, your local users won't be able to see it, but your local applications will keep working.

I'd strongly suggest that the lack of DNS search lists is a feature, and not to change it.

R's,
John
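
An added example, not part of the message above: an unbound.conf fragment for the kind of local overlay it describes, with whatever.blah answered from local data and the rest of .blah validated against a local DNSSEC anchor. The host names, addresses (documentation ranges), the key file path and the internal authoritative server are all assumptions.

```conf
# unbound.conf fragment (constructed example; every name, address and
# path below is an assumption, not taken from the message)
server:
    # Answer names under whatever.blah. from local data only.
    # "static": a name in this zone with no local-data entry gets
    # NXDOMAIN from this resolver and is never sent to the public DNS,
    # so a future global .blah cannot change how these names resolve.
    local-zone: "whatever.blah." static
    local-data: "app.whatever.blah. IN A 192.0.2.10"
    local-data: "db.whatever.blah.  IN A 192.0.2.11"
    local-data-ptr: "192.0.2.10 app.whatever.blah."

    # Local DNSSEC trust anchor for the private TLD. The file holds the
    # DS or DNSKEY record of the internally signed blah. zone. Unbound
    # validates from the closest enclosing anchor, so answers under
    # blah. are checked against this key and not against the root.
    trust-anchor-file: "/etc/unbound/keys/blah.key"

# Send everything else under blah. to the internal authoritative
# server that serves the signed zone. local-zone data above is
# answered first, so whatever.blah. never reaches this server.
stub-zone:
    name: "blah."
    stub-addr: 192.0.2.53
```

Clients then point their stub resolver at this unbound instance and use fully qualified names, so no search list is involved.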