From: Tim Hockin <thockin@google.com>
To: musl@lists.openwall.com
Subject: Re: Re: Would love to see reconsideration for domain and search
Date: Thu, 22 Oct 2015 22:37:53 -0700 [thread overview]
Message-ID: <CAO_RewY7EnLRSHKNDbs4GvMxuHp=J3tAW3ZONN=wMKuBsrpebg@mail.gmail.com> (raw)
In-Reply-To: <20151023053108.GG8645@brightrain.aerifal.cx>
On Thu, Oct 22, 2015 at 10:31 PM, Rich Felker <dalias@libc.org> wrote:
>> > BTW I think there are other strong reasons to move to a model based on
>> > a local nameserver that does the unioning, not just performance. The
>> > most compelling is DNSSEC, which requires a trusted channel between
>> > the nameserver and the stub resolver in order for results to be
>> > meaningful/trusted. In the future everybody should be running a
>> > nameserver on localhost to do DNSSEC signature validation. In that
>> > scheme, resolv.conf would just contain 127.0.0.1 (or could be omitted
>> > entirely since that's the default, at least on musl).
>>
>> I can see a local nameserver doing resolution, but doing search
>> expansion seems like a stretch (and superfluous since it is local).
>
> Search would also get a lot of performance benefit from doing in the
> caching nameserver, but I agree with your assessment that it's a
> separate issue and that there's no _need_ to do it at that level to
> ensure correctness. So for now let's focus on a plan for adding
> suitable search domain support in musl.
Sounds right.
> I believe search only affects DNS queries, not hosts file lookups,
Also my understanding
> right? So it should be at the name_from_dns stage in lookup_name.c.
> The simplest implementation approach is probably to wrap name_from_dns
> with a name_from_dns_search function that reads the search domains and
> repeatedly calls name_from_dns until it gets success.
>
> One oddity/ugliness of search that needs to be considered is that
> querying different address families may lead to differently-sourced
> results. For example if you query example.us with ndots=2, a search
> domain of example.com, and the following records present:
>
> example.us.example.com A
> example.us AAAA
>
> then an AF_UNSPEC or AF_INET query yields a v4-only result for
> example.us.example.com while an AF_INET6 query "sees through" to the
> example.us record because the search of example.com fails. This seems
> quite ugly and counter-intuitive, but I don't see any way to do better
> that makes sense.
If that is how the records are laid out, I think you have to allow it.
> Also, are we agreed that queries with >=ndots dots, or a final dot (as
> in example.com.) should never be searched (rather than searched after
> first trying them in the root)?
That sounds right.
I saw from a different thread that musl doesn't or didn't do TCP
fallbacks - is that still the case? I know we need that for things
like large multi-SRV sets (which I do not expect libc to support), and
we have some people who have large A sets (which I do expect libc to
support).
next prev parent reply other threads:[~2015-10-23 5:37 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-22 21:24 Tim Hockin
2015-10-22 21:56 ` Rich Felker
2015-10-22 22:36 ` Tim Hockin
2015-10-22 23:00 ` Josiah Worcester
2015-10-22 23:37 ` Tim Hockin
2015-10-23 4:27 ` Rich Felker
2015-10-23 5:13 ` Tim Hockin
2015-10-23 5:31 ` Rich Felker
2015-10-23 5:37 ` Tim Hockin [this message]
2015-10-23 6:00 ` Rich Felker
2015-10-23 6:04 ` Tim Hockin
2016-01-29 0:57 ` Rich Felker
2015-10-27 0:30 ` Rich Felker
2015-10-27 0:37 ` Tim Hockin
2015-10-27 0:45 ` Rich Felker
2015-10-27 8:11 ` u-uy74
2015-11-28 22:48 ` Jan Broer
2015-11-28 23:20 ` Rich Felker
2015-11-29 3:06 ` Jan Broer
2016-01-29 0:58 ` Rich Felker
2015-10-26 2:14 ` Re: Would not " John Levine
2015-10-26 5:14 ` Tim Hockin
2015-10-26 16:16 ` Rich Felker
2015-10-26 17:41 ` John Levine
2015-10-26 18:08 ` Rich Felker
2015-10-23 8:12 ` Re: Would " u-uy74
2015-10-23 9:35 ` Laurent Bercot
2015-10-23 12:23 ` Laurent Bercot
2015-10-23 15:57 ` Tim Hockin
2015-10-23 5:26 ` Kurt H Maier
2015-10-24 21:33 ` Tim Hockin
2015-10-24 21:57 ` Kurt H Maier
2015-10-24 23:31 ` Rich Felker
2015-10-24 22:02 ` Rich Felker
2015-10-24 22:32 ` Tim Hockin
2015-10-25 8:20 ` u-uy74
2015-10-25 13:06 ` Jan Broer
2015-10-25 13:19 ` u-uy74
2015-10-25 13:39 ` Jan Broer
2015-10-25 14:08 ` u-uy74
2015-10-25 19:08 ` Rich Felker
2015-10-26 1:26 ` Isaac Dunham
2015-10-26 15:35 ` Rich Felker
2015-10-23 15:30 Jan Broer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAO_RewY7EnLRSHKNDbs4GvMxuHp=J3tAW3ZONN=wMKuBsrpebg@mail.gmail.com' \
--to=thockin@google.com \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).