[dns-operations] systemd resolved ignores specified root

Paul Vixie paul at redbarn.org
Wed Sep 16 13:37:11 UTC 2020


On Wed, Sep 16, 2020 at 12:30:53PM +0000, Derek Wilson wrote:
> https://github.com/systemd/systemd/issues/8967#issuecomment-391459667
> 
> Apparently the trailing dot "thing" never hits the wire?

it wouldn't matter. the trailing dot is implicit, so when explicit, it means
the same as being absent.

> At some point if all DNS clients start doing ridiculous things, do we worry
> that it will break server side operations? At what point do clients abusing
> protocols start becoming a problem for systems (like DNS) they misuse/abuse?

the common BIND8/BIND4/BSD client library also uses a trailing dot as a signal;
the signal is "do a query of the input string first, before trying the search
list". this is both weak and confusing, but it's the signal path we had.

> I probably yelled too much in that thread for it to be effective (sorry),
> but maybe someone here has a back channel to systemd-resolved folks and can
> advocate for proper handling of trailing dots?
> 
> Or maybe I'm bothered over nothing - in which case I'd love to be convinced.

i've asked that postfix please add a trailing dot to the names it looks up,
because my dns trace logs show the search list being appended regardless of
the setting of "options ndots:N" in /etc/resolv.conf. perhaps this can happen,
because right now there's a huge exposure of private information (my search
list) to noncontracted parties.

getdnsapi.org offers a replacement for the OS library (or for the apps, since
apps are now doing their own DNS independent of the OS's settings). the best
single thing we could all do for dns goodness is to get systemd to adopt the
getdnsapi library, which is license-compatible. raise your voice _there_ if
you want the risk of improving the world.

-- 
Paul Vixie
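The search-list behaviour discussed above (trailing dot as the "query this as-is, skip the search list" signal, and the search list being appended to relative names whatever ndots says) can be checked offline with a small model of the classic BIND4/BIND8/BSD res_search() candidate ordering. The code below is an added example written for this page; it is not from the post, from systemd-resolved, from getdns or from any libc. The resolv.conf sample and the host names in it are constructed, and `candidate_queries`, `search_suffixed_queries` and `parse_resolv_conf` are names chosen here, not library APIs.

```python
"""Model of classic stub-resolver search-list expansion (added example).

Reproduces the candidate-query order a BIND4/BIND8/BSD-style res_search()
builds from a name, 'options ndots:N' and the 'search' list in resolv.conf,
so the effect of a trailing dot, and the search-domain exposure when it is
absent, can be inspected without sending anything on the wire.
"""

from dataclasses import dataclass, field


@dataclass
class ResolvConf:
    """The two resolv.conf settings that matter here (constructed model)."""
    search: list[str] = field(default_factory=list)
    ndots: int = 1


def parse_resolv_conf(text: str) -> ResolvConf:
    """Parse 'search'/'domain' and 'options ndots:N' lines; ignore the rest."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword in ("search", "domain"):
            # As in libc, the last search/domain line wins.
            conf.search = [d.lower().rstrip(".") for d in args]
        elif keyword == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    try:
                        # glibc clamps ndots to RES_MAXNDOTS (15).
                        conf.ndots = min(15, max(0, int(opt[len("ndots:"):])))
                    except ValueError:
                        pass  # malformed option value: keep the default
    return conf


def candidate_queries(name: str, conf: ResolvConf) -> list[str]:
    """FQDNs a classic stub resolver would try for `name`, in order.

    * A trailing dot marks the name absolute: query it as-is and never
      append the search list.
    * Otherwise, with at least `ndots` dots the bare name is tried first and
      the search list afterwards; with fewer dots the search list is tried
      first and the bare name last.  ndots changes the ORDER only; the
      search list is appended either way.
    """
    if name.endswith("."):
        return [name]
    as_is = name + "."
    expanded = [f"{name}.{domain}." for domain in conf.search]
    if name.count(".") >= conf.ndots:
        return [as_is] + expanded
    return expanded + [as_is]


def search_suffixed_queries(name: str, conf: ResolvConf) -> list[str]:
    """Queries that would carry a search domain on the wire, in order tried.

    Each of these reveals a private search domain to whichever servers end
    up resolving it; the list is empty only for an absolute (trailing-dot)
    name.
    """
    bare = name.rstrip(".") + "."
    return [q for q in candidate_queries(name, conf) if q != bare]


# Constructed sample, not a real host's configuration.
SAMPLE_RESOLV_CONF = """\
nameserver 192.0.2.53
search corp.example.internal eng.corp.example.internal
options ndots:2
"""


if __name__ == "__main__":
    conf = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for n in ("mail", "mail.example.com", "mail.example.com."):
        print(f"{n!r}: tries {candidate_queries(n, conf)}")
        print(f"      search domains exposed: {search_suffixed_queries(n, conf)}")
```

Running it shows that `mail.example.com` with ndots:2 is tried as-is first, but both search-suffixed forms are still queued behind it, so a transient NXDOMAIN still leaks `corp.example.internal` to the outside; only `mail.example.com.` produces a single query. That is the difference between an ndots setting and the trailing dot the post asks postfix to send.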



More information about the dns-operations mailing list