[dns-operations] Hearing first complains about failing internal resolving due to .prod TLD

Mark Andrews marka at isc.org
Fri Sep 12 03:22:33 UTC 2014

In message <54125EDC.6000904 at redbarn.org>, Paul Vixie writes:
> On 9/11/2014 7:08 PM, Mark Andrews wrote:
> > ...
> >  
> > I just wish I had been able to convince Paul to remove support for
> > partially qualified names back when RFC 1535 came out.  We knew
> > then that they were a bad idea.  ndots minimises the damage of using
> > partially qualified names.  It doesn't remove it.
> at the time (1993?) i felt it was best not to break anybody's existing
> configuration. that seems insane now.

The configuration is *already* broken.  If you are depending upon
partially qualified names then they are a time bomb waiting to

Today the resolver does "as entered", if it has a period then applies
the search list.  If ndots != 0 and it has a period then it applies
the search list and then as is.  Unqualified search list then as
is.  Note the search list is always applied and it continues on
NODATA, SERVFAIL which is also a security issue.  NXDOMAIN should
be the *only* result which moves to the next search list element.
If a zone in the search list is broken, then fix it.  Users can
type fully qualified names to work around the issue and configuration
files should only ever have fully qualified names.

The best long term solution is "if it has a period, try as is.  If
it does not have a period append search list against the DNS".
localhost matches against /etc/hosts or becomes a explict exception.

Iterim "if it has a period, try as is.  If ndots != 0 then try
search list then try as is. If it does not have a period append
search list against the DNS".  localhost matches against /etc/hosts
or becomes a explict exception.

Ndots is a explict trigger for broken behaviour.

> > The real fix is make the resolver libraries not append search lists
> > entries to names with multiple labels.  Yes, people need to type
> > slightly long names or add more search list entries.  Yes there
> > will be some pain but it is something better done sooner rather
> > than later.
> partially qualified names (so, has an interior dot) should never have
> been allowed to work, anywhere, not even for a day. once they existed,
> it should have been somebody's job to stomp them to death. for my part
> in these events, i apologize to one and all.
> in fairness, had we adopted the left-to-right presentation format
> preferred at first by our UK colleagues, we would have always had to
> write fully qualified names as .tld.sld.3ld, that is, the "root dot"
> would not have been optional, and there would have been no confusion
> between unqualified, partially qualified, and fully qualified domain names.

We would have just prepend rather than appended.
> or with a little bit of arm twisting at the right time in the right
> place, search lists could have been explicit, as in, if you want FOO.BAR
> to be looked up in the client's preferred local contexts, you'd write it
> as FOO.BAR.+ or similar.
> the presentation layer is where DNS shows its greatest design
> weaknesses. (just ask the IDN folks, they'll tell you.)
> vixie
> vixie
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list