[dns-operations] How should work name resolution on a modern system?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jun 15 22:00:41 UTC 2022


On Wed, Jun 15, 2022 at 10:03:30PM +0100, John Levine wrote:

> It appears that Viktor Dukhovni <dns-operations at dns-oarc.net> said:
> >Single label names passed to getaddrinfo(3) should not result in single
> >label "A" or "AAAA" DNS queries.
> 
> If only. See RFC 7085. I've been doing regular surveys of RRs for
> single label names in the decade since we published that and things
> haven't changed much.

By "should not" I don't mean "typically won't".  I am not describing
"presently expected" behaviour, rather I am describing what a modernised
library might do.

An example of the "predictable is better than sometimes right"
approach is seen in the OpenSSL DANE implementation:

    When validating peer certificate chains against a DANE-TA(2)
    trust-anchor TLSA record, the local trust store is always
    completely ignored.  All the certificates needed to build a
    matching chain MUST be present in the remote peer's certificate
    message.

You might ask why?  Well, because not all validators will have the same
trust store contents, and having a DANE TLSA record that works with some
stacks when you test it, but then fails with others in the field is bad.

So the design is biased in favour of consistent behaviour, which aids
interoperability.  Unpredictable behaviour is not doing anyone a favour.

-- 
    Viktor.
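The DANE-TA(2) behaviour described in the message above, modelled as an added Python example that is not OpenSSL's code or part of the original post. It walks issuer links from the leaf certificate using only the certificates the peer sent, and accepts the chain when an issuer's SHA-256 digest matches the TLSA "2 0 1" record; beside it sits a "sometimes right" variant that also consults the validator's local trust store. The certificate objects, their "DER" bytes, the names and the TLSA owner name are all constructed placeholders, and signature verification is deliberately omitted so the example stays focused on where the chain-building inputs come from.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed stand-in for the DER-encoded certificate


@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA (trust anchor assertion)
    selector: int  # 0 = full certificate
    mtype: int     # 1 = SHA-256 of the selected data
    data: str      # hex digest


def tlsa_for_cert(cert: Cert, usage: int = 2) -> TLSA:
    """Construct a (usage, 0, 1) TLSA record asserting this certificate."""
    return TLSA(usage, 0, 1, hashlib.sha256(cert.der).hexdigest())


def matches(cert: Cert, tlsa: TLSA) -> bool:
    if (tlsa.selector, tlsa.mtype) != (0, 1):
        raise NotImplementedError("only selector 0 / matching type 1 modelled")
    return hashlib.sha256(cert.der).hexdigest() == tlsa.data


def _walk(leaf: Cert, pool: Dict[str, Cert], tlsa: TLSA) -> Optional[List[Cert]]:
    """Follow issuer links from the leaf through `pool`; succeed as soon as an
    issuer certificate matches the DANE-TA(2) digest. Signatures are not checked."""
    chain, cur = [leaf], leaf
    while cur.issuer != cur.subject:           # stop at a self-signed root
        issuer = pool.get(cur.issuer)
        if issuer is None or issuer in chain:
            return None                         # chain broken or cyclic
        chain.append(issuer)
        if matches(issuer, tlsa):
            return chain                        # anchored at the TLSA-asserted TA
        cur = issuer
    return None                                 # reached a root the TLSA does not assert


def dane_ta_chain(leaf: Cert, peer_certs: List[Cert], tlsa: TLSA,
                  local_store: List[Cert]) -> Optional[List[Cert]]:
    """Predictable design: only the peer's certificate message is consulted.
    `local_store` is accepted purely to show that it is ignored."""
    if tlsa.usage != 2:
        raise ValueError("this helper models DANE-TA(2) only")
    pool = {c.subject: c for c in peer_certs}
    return _walk(leaf, pool, tlsa)


def local_store_chain(leaf: Cert, peer_certs: List[Cert], tlsa: TLSA,
                      local_store: List[Cert]) -> Optional[List[Cert]]:
    """'Sometimes right' design: falls back to the validator's local trust
    store, so the verdict depends on which stack happens to run the check."""
    pool = {c.subject: c for c in local_store}
    pool.update({c.subject: c for c in peer_certs})
    return _walk(leaf, pool, tlsa)


# Constructed sample PKI: root -> issuing CA -> mail server leaf.
ROOT = Cert("Example Root CA", "Example Root CA", b"constructed DER: root")
INTER = Cert("Example Issuing CA", "Example Root CA", b"constructed DER: intermediate")
LEAF = Cert("mail.example.com", "Example Issuing CA", b"constructed DER: leaf")
# Hypothetical record: _25._tcp.mail.example.com. IN TLSA 2 0 1 <sha256 of ROOT>
TLSA_RR = tlsa_for_cert(ROOT)

# Two validators in the field: A ships the root locally, B does not.
STORES = [[ROOT], []]
# Peer misconfiguration: the TA certificate was left out of the chain sent.
TRUNCATED = [LEAF, INTER]
COMPLETE = [LEAF, INTER, ROOT]


def verdicts(check, peer_certs: List[Cert], stores: List[List[Cert]]) -> List[bool]:
    """One accept/reject verdict per validator, each using its own trust store."""
    return [check(LEAF, peer_certs, TLSA_RR, store) is not None for store in stores]


if __name__ == "__main__":
    print("DANE-TA(2), truncated chain :", verdicts(dane_ta_chain, TRUNCATED, STORES))
    print("local-store fallback        :", verdicts(local_store_chain, TRUNCATED, STORES))
    print("DANE-TA(2), complete chain  :", verdicts(dane_ta_chain, COMPLETE, STORES))
```

With the truncated chain, the local-store variant passes on validator A and fails on validator B, which is exactly the "works when you test it, fails in the field" outcome the message warns about; the DANE-TA(2) rule fails on both, and passes on both once the peer sends the complete chain, so the operator sees the same result everywhere.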
