Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20160129005730.GQ238@brightrain.aerifal.cx>
Date: Thu, 28 Jan 2016 19:57:30 -0500
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: Re: Would love to see reconsideration for domain and
 search

On Thu, Oct 22, 2015 at 10:37:53PM -0700, Tim Hockin wrote:
> > right? So it should be at the name_from_dns stage in lookup_name.c.
> > The simplest implementation approach is probably to wrap name_from_dns
> > with a name_from_dns_search function that reads the search domains and
> > repeatedly calls name_from_dns until it gets success.
> >
> > One oddity/ugliness of search that needs to be considered is that
> > querying different address families may lead to differently-sourced
> > results. For example if you query example.us with ndots=2, a search
> > domain of example.com, and the following records present:
> >
> >         example.us.example.com A
> >         example.us AAAA
> >
> > then an AF_UNSPEC or AF_INET query yields a v4-only result for
> > example.us.example.com while an AF_INET6 query "sees through" to the
> > example.us record because the search of example.com fails. This seems
> > quite ugly and counter-intuitive, but I don't see any way to do better
> > that makes sense.
> 
> If that is how the records are laid out, I think you have to allow it.

It turns out this is a non-issue. If a name lacks the requested A or
AAAA record, but has some records, then we get rcode==0 rather than
rcode==3 (success rather than NxDomain) with 0 results. In that case
we can stop the search rather than continuing and there is no
inconsistency. Making this work right required a small fix in musl's
current rcode handling but it was easy.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.