Date: 26 Oct 2015 02:14:32 -0000
From: "John Levine" <>
Subject: Re: Re: Would not love to see reconsideration for domain and search

>BTW I think there are other strong reasons to move to a model based on
>a local nameserver that does the unioning, not just performance. The
>most compelling is DNSSEC, which requires a trusted channel between
>the nameserver and the stub resolver in order for results to be
>meaningful/trusted. ...

Yes, definitely.

DNS search lists seemed like a good idea back in the 1980s.  Then in
1990 they added .CS for Czechoslovakia to the DNS root, and in
Computer Science departments all over the world, addresses like stopped working, since the search list that used to turn
it into didn't do that any more.

ICANN has added about 600 new top level domains in the past two years.
There's still nearly a thousand more in the pipeline, and they're
talking about another round that will add thousands more.  I went to a
two day meeting about name collisions after the London ICANN meeting,
and a great deal of the discussion was about how to flush out old
search list queries before they started resolving wrong.

If you want to have a local namespace overlaid on the DNS, it is not
hard to configure BIND or Unbound to do that, so that, e.g., names in
whatever.blah resolve locally.  You can even configure in local DNSSEC
anchors for .blah if you want.  In that case if there's ever a global
.blah TLD, your local users won't be able to see it, but your local
applications will keep working.

I'd strongly suggest that the lack of DNS search lists is a feature,
and not to change it.
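One concrete way to set up the overlay the post describes, as an added example that is not part of the original message: an Unbound configuration that answers everything under a private top-level label `blah.` from an internal authoritative server (or, alternatively, from static local data), keeps DNSSEC validation on for the global DNS, and carries a local trust anchor for the internal zone. The label `blah.`, the addresses 10.0.0.5 and 10.0.0.53, and the file paths are assumptions chosen for the example.

```conf
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Normal DNSSEC validation for the public tree (RFC 5011-managed root key).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Everything under blah. is served from the stub-zone below and is never
    # sent towards the root.  Consequence (as the post notes): if a global
    # .blah TLD ever appears, clients of this resolver will not see it, but
    # the local names keep working.
    #
    # The internal blah. zone is assumed to be signed; its DS or DNSKEY
    # trust anchor lives in this file (path is an assumption).  Without it,
    # the validator would follow the chain from the root, which proves that
    # blah. does not exist, and mark the stub's answers bogus.
    trust-anchor-file: "/etc/unbound/blah.anchor"

    # If the internal zone is NOT signed, use this instead of the anchor so
    # the validator treats blah. as deliberately insecure rather than bogus:
    # domain-insecure: "blah."

    # Internal names resolve to RFC 1918 addresses; this exempts them from
    # Unbound's private-address rebinding filter if the distro enables it.
    private-domain: "blah."

    # A tiny overlay needs no internal server at all; static local data works:
    # local-zone: "blah." static
    # local-data: "whatever.blah. IN A 10.0.0.5"

stub-zone:
    name: "blah."
    stub-addr: 10.0.0.53    # assumed internal authoritative server for blah.
```

Check the file with `unbound-checkconf`, then `dig @127.0.0.1 whatever.blah +dnssec`: with the anchor in place the answer carries the AD flag, with `domain-insecure` it resolves without AD, and with neither it returns SERVFAIL, which is the validator correctly refusing data the signed root says should not exist. Because the stub zone shadows `blah.` entirely, the resolver gives no search-list behaviour to emulate: clients ask for the fully qualified `whatever.blah` and get exactly that name.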