[dns-operations] Hearing first complaints about failing internal resolving due to .prod TLD

Paul Vixie paul at redbarn.org
Fri Sep 12 04:08:26 UTC 2014


On 9/11/2014 8:22 PM, Mark Andrews wrote:
> In message <54125EDC.6000904 at redbarn.org>, Paul Vixie writes:
>> On 9/11/2014 7:08 PM, Mark Andrews wrote:
>>> ...
>>>  
>>> I just wish I had been able to convince Paul to remove support for
>>> partially qualified names back when RFC 1535 came out.  We knew
>>> then that they were a bad idea.  ndots minimises the damage of using
>>> partially qualified names.  It doesn't remove it.
>> at the time (1993?) i felt it was best not to break anybody's existing
>> configuration. that seems insane now.
> The configuration is *already* broken.  If you are depending upon
> partially qualified names then they are a time bomb waiting to
> happen.

you know what would be cool is if i still used MH and could usefully
search my e-mail archives to prove that paul vixie and mark andrews just
now (2014-09-11) repeated almost verbatim a debate we had some time in
1993 or 1994. it would not just be funny, but perhaps also depressing,
and it would save time.

i believe that the next line of dialogue from this play is:

vixie: "your definition of 'break' is academic, mine is practical. right
now the people who are using unqualified names are getting work done and
they are not calling me to report bugs in the BIND resolver. if i make
the change you are suggesting, they stop getting work done and they will
look me up in WHOIS and call my phone."

like i said this seems insane now. mark was right, we should have broken
the bad stuff as early as possible.

> Today the resolver does "as entered", if it has a period then applies
> the search list.  If ndots != 0 and it has a period then it applies
> the search list and then as is.  Unqualified search list then as
> is.  Note the search list is always applied and it continues on
> NODATA, SERVFAIL which is also a security issue.  NXDOMAIN should
> be the *only* result which moves to the next search list element.
> If a zone in the search list is broken, then fix it.  Users can
> type fully qualified names to work around the issue and configuration
> files should only ever have fully qualified names.

those words, "the resolver", may not mean any more what you think they
mean. the most widely cloned and forked resolver logic on the internet
remains BIND 4's. not even the libbind (now netresolv) logic comes close
to the footprint of that old crappy pre-ndots logic.

all growth will be in the form of either "dnsget API" or "ietf
getaddrinfo / getnameinfo". i feverishly hope that both of these will
subscribe to the logic described in:

https://www.icann.org/en/system/files/files/sac-064-en.pdf

if your resolver is to be used as a stub by any system library anywhere,
i hope it will subscribe to the SAC064 logic.

> The best long term solution is "if it has a period, try as is.  If
> it does not have a period append search list against the DNS".
> localhost matches against /etc/hosts or becomes an explicit exception.

you sound like a man about to author an internet draft for IETF DNSOP.

> Interim "if it has a period, try as is.  If ndots != 0 then try
> search list then try as is. If it does not have a period append
> search list against the DNS".  localhost matches against /etc/hosts
> or becomes an explicit exception.
>
> Ndots is an explicit trigger for broken behaviour.

yeah i don't think that anything like ndots could be standardized or
should be implemented at this point in time. ndots was my suggested
workaround for the EDU.COM problem, and shows that more review was needed.

vixie
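To make the search-list behaviour argued over above concrete, here is an added example, not code from this thread or from BIND: it models which absolute names a stub would query under the legacy ndots rule and under the "a period means the name is absolute" rule, plus the "only NXDOMAIN moves to the next search-list element" stop rule, against a constructed toy zone table. The search domain corp.example, the name db.prod, the addresses and the function names are all assumptions.

```python
LOCALHOST = "localhost"

def candidates(name, search, ndots=1, policy="legacy"):
    """Ordered absolute names a stub queries for a name typed by a user."""
    if name.endswith("."):
        return [name]                       # already fully qualified
    as_is = name + "."
    searched = [f"{name}.{dom.rstrip('.')}." for dom in search]
    if policy == "legacy":
        # BIND-style ndots: enough dots means as-is before the search list,
        # otherwise the search list first and the bare name last.
        return [as_is] + searched if name.count(".") >= ndots else searched + [as_is]
    if policy == "strict":
        # Proposed rule: a period means absolute, no period means search list
        # only; localhost is the explicit exception.
        return [as_is] if (name == LOCALHOST or "." in name) else searched
    raise ValueError(f"unknown policy {policy!r}")

def resolve(name, search, lookup, ndots=1, policy="legacy", nxdomain_only=False):
    """Return (answering_name, data) or (None, last_rcode); lookup(qname)
    yields (rcode, data) with rcode in OK/NODATA/NXDOMAIN/SERVFAIL."""
    last = "NXDOMAIN"
    for cand in candidates(name, search, ndots, policy):
        rcode, data = lookup(cand)
        if rcode == "OK":
            return cand, data
        last = rcode
        # Legacy stubs also move on after NODATA/SERVFAIL, so a broken
        # internal zone ends with the bare name being sent to the public DNS.
        if nxdomain_only and rcode != "NXDOMAIN":
            break
    return None, last

# Constructed view of the DNS: an internal "prod" label under corp.example
# plus a public TLD "prod." that answers too (the collision in the subject).
ZONE = {
    "db.prod.corp.example.": ("OK", "10.0.0.5"),
    "db.prod.": ("OK", "203.0.113.9"),
}

def toy_lookup(qname):
    return ZONE.get(qname, ("NXDOMAIN", ""))

def broken_internal(qname):
    """Same view, but the internal zone's servers are failing right now."""
    return ("SERVFAIL", "") if qname.endswith("corp.example.") else toy_lookup(qname)
```

With ndots=1 the partially qualified db.prod is sent to the public TLD before the search list is ever tried, and with ndots=2 a SERVFAIL from the internal zone still ends in the same public answer unless the stub stops on anything but NXDOMAIN.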
