Date: Thu, 22 Oct 2015 22:37:53 -0700
From: Tim Hockin <>
Subject: Re: Re: Would love to see reconsideration for domain and search

On Thu, Oct 22, 2015 at 10:31 PM, Rich Felker <> wrote:
>> > BTW I think there are other strong reasons to move to a model based on
>> > a local nameserver that does the unioning, not just performance. The
>> > most compelling is DNSSEC, which requires a trusted channel between
>> > the nameserver and the stub resolver in order for results to be
>> > meaningful/trusted. In the future everybody should be running a
>> > nameserver on localhost to do DNSSEC signature validation. In that
>> > scheme, resolv.conf would just contain (or could be omitted
>> > entirely since that's the default, at least on musl).
>> I can see a local nameserver doing resolution, but doing search
>> expansion seems like a stretch (and superfluous since it is local).
> Search would also get a lot of performance benefit from doing it in the
> caching nameserver, but I agree with your assessment that it's a
> separate issue and that there's no _need_ to do it at that level to
> ensure correctness. So for now let's focus on a plan for adding
> suitable search domain support in musl.

Sounds right.

> I believe search only affects DNS queries, not hosts file lookups,

Also my understanding

> right? So it should be at the name_from_dns stage in lookup_name.c.
> The simplest implementation approach is probably to wrap name_from_dns
> with a name_from_dns_search function that reads the search domains and
> repeatedly calls name_from_dns until it gets success.
> One oddity/ugliness of search that needs to be considered is that
> querying different address families may lead to differently-sourced
> results. For example if you query with ndots=2, a search
> domain of, and the following records present:
> A
> then an AF_UNSPEC or AF_INET query yields a v4-only result for
> while an AF_INET6 query "sees through" to the
> record because the search of fails. This seems
> quite ugly and counter-intuitive, but I don't see any way to do better
> that makes sense.

If that is how the records are laid out, I think you have to allow it.

> Also, are we agreed that queries with >=ndots dots, or a final dot (as
> in should never be searched (rather than searched after
> first trying them in the root)?

That sounds right.

I saw from a different thread that musl doesn't or didn't do TCP
fallbacks - is that still the case?  I know we need that for things
like large multi-SRV sets (which I do not expect libc to support), and
we have some people who have large A sets (which I do expect libc to
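
The search rules agreed in the message above, as an added C example that is not part of the original message and is not musl's code. `mock_name_from_dns`, the constructed records and the search domain `corp.example` are assumptions for illustration, and a record missing for the requested family is treated as a failed search step, as the quoted text describes.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>               /* AF_INET, AF_INET6, AF_UNSPEC */

/* Constructed records standing in for the DNS (not the names from the thread). */
static const struct { const char *name; int family; } zone[] = {
    { "host.sub.corp.example", AF_INET  },   /* A only, reachable via search */
    { "host.sub",              AF_INET6 },   /* AAAA only, the literal name  */
};

/* Hypothetical stand-in for name_from_dns(): 1 if a matching record exists. */
static int mock_name_from_dns(const char *fqdn, int family)
{
    for (size_t i = 0; i < sizeof zone / sizeof *zone; i++)
        if (!strcmp(zone[i].name, fqdn) &&
            (family == AF_UNSPEC || family == zone[i].family))
            return 1;
    return 0;
}

/* Stores the name that answered in out; returns 1 on success, 0 otherwise. */
int name_from_dns_search(char *out, size_t outlen, const char *name, int family,
                         const char *const *search, size_t nsearch, size_t ndots)
{
    size_t len = strlen(name), dots = 0;
    int final_dot = len && name[len - 1] == '.';
    for (const char *p = name; *p; p++) dots += (*p == '.');

    /* Only names with fewer than ndots dots and no final dot are searched. */
    for (size_t i = 0; !final_dot && dots < ndots && i < nsearch; i++) {
        int n = snprintf(out, outlen, "%s.%s", name, search[i]);
        if (n > 0 && (size_t)n < outlen && mock_name_from_dns(out, family))
            return 1;
    }
    /* Literal query: the only one for absolute or >= ndots names, else the
       fallback once every search domain has failed. */
    int n = snprintf(out, outlen, "%.*s", (int)(len - final_dot), name);
    return n >= 0 && (size_t)n < outlen && mock_name_from_dns(out, family);
}

int main(void)
{
    const char *const sd[] = { "corp.example" };
    char buf[256];
    int fams[] = { AF_INET, AF_INET6 };
    for (int i = 0; i < 2; i++)
        if (name_from_dns_search(buf, sizeof buf, "host.sub", fams[i], sd, 1, 2))
            printf("%s -> %s\n", i ? "AF_INET6" : "AF_INET", buf);
    return 0;
}
```

With `ndots=2` the same short name resolves through the search domain for `AF_INET` and `AF_UNSPEC` but falls through to the literal name for `AF_INET6`, which is the differently-sourced result discussed in the quoted text.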
