From: "John Levine"
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: Re: Would not love to see reconsideration for domain and search
Date: 26 Oct 2015 02:14:32 -0000
Message-ID: <20151026021432.20049.qmail@ary.lan>
In-Reply-To: <20151023042720.GE8645@brightrain.aerifal.cx>
To: musl@lists.openwall.com

>BTW I think there are other strong reasons to move to a model based on
>a local nameserver that does the unioning, not just performance. The
>most compelling is DNSSEC, which requires a trusted channel between
>the nameserver and the stub resolver in order for results to be
>meaningful/trusted. ...

Yes, definitely. DNS search lists seemed like a good idea back in the 1980s.
Then in 1990 they added .CS for Czechoslovakia to the DNS root, and in Computer Science departments all over the world, addresses like joe@frodo.cs stopped working, since the search list that used to turn it into joe@frodo.cs.stateu.edu didn't do that any more.

ICANN has added about 600 new top level domains in the past two years. There's still nearly a thousand more in the pipeline, and they're talking about another round that will add thousands more. I went to a two day meeting about name collisions after the London ICANN meeting, and a great deal of the discussion was about how to flush out old search list queries before they started resolving wrong.

If you want to have a local namespace overlaid on the DNS, it is not hard to configure bind or unbound to do that so, e.g. names in whatever.blah resolve locally. You can even configure in local DNSSEC anchors for .blah if you want. In that case if there's ever a global .blah TLD, your local users won't be able to see it, but your local applications will keep working.

I'd strongly suggest that the lack of DNS search lists is a feature, and not to change it.

R's,
John
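
The collision described in the message above, as an added example that is not part of the original post: a small model of a search-list stub resolver plus a check that flags relative names at risk once a new TLD is delegated. It assumes the resolv.conf `ndots` convention (a name with at least `ndots` dots is tried as-is before the search list); the zone data, addresses, TLD sets and function names are all constructed for illustration.

```python
# Added example; all zone data, addresses and TLD sets below are constructed.
ROOT_BEFORE = {"edu", "com"}        # constructed root zone before the new TLD
ROOT_AFTER = ROOT_BEFORE | {"cs"}   # the same root after .cs is delegated

# Constructed records: fully qualified name -> address (documentation ranges)
LOCAL = {"frodo.cs.stateu.edu": "192.0.2.10"}
NEW_TLD = {"frodo.cs": "198.51.100.7"}  # unrelated host under the new TLD


def candidates(name, search, ndots=1):
    """Return the FQDNs a search-list stub resolver tries, in order."""
    if name.endswith("."):               # trailing dot: absolute, no search list
        return [name.rstrip(".")]
    expanded = [f"{name}.{suffix}" for suffix in search]
    if name.count(".") >= ndots:         # "enough" dots: try the name as-is first
        return [name] + expanded
    return expanded + [name]


def resolve(name, search, records, ndots=1):
    """Return (fqdn, address) for the first candidate that exists, else None."""
    for fqdn in candidates(name, search, ndots):
        if fqdn in records:
            return fqdn, records[fqdn]
    return None


def collision_risk(names, tlds, ndots=1):
    """Relative names that are tried as-is first and end in a delegated TLD."""
    risky = []
    for name in names:
        if name.endswith("."):
            continue
        last_label = name.rsplit(".", 1)[-1].lower()
        if name.count(".") >= ndots and last_label in tlds:
            risky.append(name)
    return risky


if __name__ == "__main__":
    search = ["stateu.edu"]
    print(resolve("frodo.cs", search, LOCAL))                 # local host
    print(resolve("frodo.cs", search, {**LOCAL, **NEW_TLD}))  # now the global one
    print(collision_risk(["frodo.cs", "mail", "gandalf.math"], ROOT_AFTER))
```

Running `collision_risk` over the short names found in local configuration and mail aliases, against the current list of delegated TLDs, gives the set of names to rewrite as fully qualified before they start resolving elsewhere.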