[dns-operations] systemd resolved ignores specified root

Derek Wilson jderekwilson at gmail.com
Wed Sep 16 22:36:23 UTC 2020


> > Apparently the trailing dot "thing" never hits the wire?
>
> it wouldn't matter. the trailing dot is implicit, so when explicit, it means
> the same as being absent.

Is a trailing dot not counted as part of ndots? Either way, resolved
picks and chooses which rtypes you can get back from a TLD regardless of
the trailing dot. I can get SOA and NS but not DS, DNSKEY, NSEC, NSEC3, A or
AAAA ... for SOA and NS I get NOERROR but for other things I get
SERVFAIL ... which is ... confusing at best, application breaking at
worst.

> the common BIND8/BIND4/BSD client library also uses a trailing dot as a signal;
> the signal is "do a query of the input string first, before trying the search
> list". this is both weak and confusing, but it's the signal path we had.

That behavior makes sense to me but maybe that's because it's what I'm used to.

> i've asked that postfix please add a trailing dot to the names it looks up,
> because my dns trace logs show the search list being appended regardless of
> the setting of "options ndots:N" in /etc/resolv.conf. perhaps this can happen,
> because right now there's a huge exposure of private information (my search
> list) to noncontracted parties.

Adding the trailing dot would not change behavior on systemd-resolved
as far as I understand. This behavior IMO will cause more inadvertent
data leaks, which is the opposite of the claim being made by systemd.

> getdnsapi.org offers a replacement for the OS library (or for the apps, since
> apps are now doing their own DNS independent of the OS's settings). the best
> single thing we could all do for dns goodness is to get systemd to adopt the
> getdnsapi library, which is license-compatible. raise your voice _there_ if
> you want the risk of improving the world.

I hadn't seen that... thanks for the link.
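To make the trailing-dot / ndots interplay from the quoted post concrete, here is a small model of the classic BIND/BSD stub-resolver search logic (added here; it is not code from the thread, from libc or from systemd-resolved, and it deliberately does not model resolved's own behaviour). The search domains and hostnames are constructed, and the "name that actually exists" is an assumption passed in by the caller:

```python
# Added model of the classic BIND/BSD stub-resolver search-list logic; not
# systemd-resolved's code. Search domains and hostnames are constructed.

def candidate_queries(name, search_list, ndots=1):
    """Fully qualified names a classic stub resolver tries, in order.

    A trailing dot marks the name absolute: it is queried as-is and the
    search list is never appended. Otherwise the dot count is compared
    with ndots: at or above it the literal name goes first, below it the
    search list goes first (the "weak signal" the quoted post describes).
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    searched = [f"{name}.{d.rstrip('.')}." for d in search_list]
    if name.count(".") >= ndots:
        return [absolute] + searched
    return searched + [absolute]


def queries_before_success(name, search_list, ndots, resolves_at):
    """Queries that hit the wire before the lookup of `name` succeeds.

    `resolves_at` is the (assumed) fully qualified name that really exists;
    everything issued before it is visible to whichever nameservers serve
    those other names.
    """
    issued = []
    for query in candidate_queries(name, search_list, ndots):
        if query == resolves_at:
            return issued
        issued.append(query)
    return issued


def exposed_search_domains(name, search_list, ndots, resolves_at):
    """Search domains revealed by queries sent before the lookup succeeds:
    the private-information exposure the quoted post worries about."""
    exposed = []
    for query in queries_before_success(name, search_list, ndots, resolves_at):
        for d in search_list:
            if query.endswith("." + d.rstrip(".") + ".") and d not in exposed:
                exposed.append(d)
    return exposed
```

Running `exposed_search_domains` for the same host with and without a trailing dot shows why the quoted post asks applications to append one: the absolute form never puts a search domain on the wire, while the relative form does as soon as ndots exceeds the name's dot count.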
