Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 24 Oct 2015 19:31:19 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: Re: Would love to see reconsideration for domain and
 search

On Sat, Oct 24, 2015 at 05:57:10PM -0400, Kurt H Maier wrote:
> On Sat, Oct 24, 2015 at 02:33:31PM -0700, Tim Hockin wrote:
> > Where is the standard that defines ordering semantics in resolv.conf?
> 
> There isn't one, but that doesn't mean you get to ensconce the behavior
> you like.  That was my point.
> 
> > Search has to be ordered.  You can not possibly argue otherwise?
> 
> I can and do.  
> 
> > I am arguing for adding a very standard feature (search) to open musl to a
> > whole new space of users.
> 
> You're not arguing for simple inclusion of search;

At this point that actually does seem to be all that Tim is asking
for. I think we're in agreement that there are multiple problems with
trying to use ordered nameservers to overlay inconsistent data, and
that even under the way glibc treats this setup, there are subtle
problems.

> you're arguing for
> specific behavior that is impossible to implement in a sane manner,
> because that's how glibc does it.  I am not against domain and search, 
> but I don't just want functionality poorly added just to check some box 
> on a random other project's wishlist. 
>
> > Nobody is forcing you to use search paths or ndots.
> 
> Not sure how this is relevant?  Nobody's forcing anyone to do anything.
> What is your point?

Could you try to hold off on the hostility? I don't think there's any
actual disagreement left here. Support for search domains was tabled
but left open for future consideration back when the last phase of dns
overhaul was done, pending actual requests/usage-cases needing them.
It seems like they can be added in an inexpensive and ubobtrusive way,
so I don't think it should really be controversial.

Note that, as I said before, search really does have to be ordered.
Otherwise you have inconsistent/non-deterministic results that can be
controlled by inducing intermittent failures (DoS). The proper way to
handle search is the same way the current fallback sequence (ip
literal, hosts file, dns) is done: a positive result at any step ends
the query, a negative result causes fallback to the next search
element, and any failure at any stage causes the whole query to fail
with an appropriate error.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.