[dns-operations] How should work name resolution on a modern system?
Dave Lawrence
tale at dd.org
Wed Jun 15 20:24:01 UTC 2022
Vix said:
> https://www.icann.org/en/system/files/files/sac-053-en.pdf
Yep, thanks for bringing it up. Genuinely appreciated.
I'm aware "SSAC also recommends that the use of DNS resource records
such as A, AAAA, and MX in the apex of a TopLevel Domain (TLD) be
contractually prohibited where appropriate and strongly discouraged in
all cases," yet still note that saying "getaddrinfo should not result
in single label 'A' or 'AAAA' DNS queries" is a meaningful policy
change to an API that's older than some of the people on this mailing
list.
Also, to not get too far down the rabbit hole, there are the finer
points of what "single label" means. My cited example had an
explicitly included the root label in presentation format, so as not
to be a "dotless domain" as described in SAC53, and also not a single
label. Of course the on-the-wire format that getaddrinfo uses can
only use a single label when querying qtypes at the root label; any
TLD is two labels, at least as far as reputable sources like BIND 9's
dns_name_countlabels is concerned.
That said, we're in broad general agreement. I wouldn't run a TLD
that way either, for the reasons that SAC53 describes. I'm still not
comfortable saying that getaddrinfo or any other API (eg, getdns)
should just block it, at least not without some configurability around
it, and with a clear error condition for what it objects to. (That my
VPN DNS just says SERVFAIL is bollocks.)
More information about the dns-operations
mailing list