BIND will completely drop D-BUS dynamic forwarders table support

Roberto Ragusa mail at robertoragusa.it
Fri Dec 28 22:01:29 UTC 2007


Chris Adams wrote:
> Once upon a time, Roberto Ragusa <mail at robertoragusa.it> said:
>> But there is another problem which I'm not able to solve easily:
>> if you try to resolve www.google.com and you have
>> "search my.corp.com" in /etc/resolv.conf, a query for
>> www.google.com.my.corp.com will be tried first.
>> The only solution I know is to use "www.google.com.",
>> with a final dot, but that would mean changing every domain
>> in every config (including rewiring my brain to always
>> append an extra dot :-) ).
> 
> That would be a bug according to the documentation.  If at least 1 (by
> default) dot appears, the initial query is supposed to be the absolute
> query.  See the man pages for resolv.conf and resolver.  I don't see the
> same behavior (it works the documented way for me).

Hmm, I was sure to have often seen this stuff in wireshark logs.

Done some tests, with following results.

If you have a dot at the end, it's an absolute query and nothing else.

If you don't have a dot at the end and you are below ndots threshold,
suffixed queries and nothing else.

If you don't have a dot at the end and you are at/above ndots threshold,
absolute query and (on failure) then suffixed queries.

So, you're right in correcting me: in normal conditions the resolver
is not leaking info about the domain I visit to my.corp.com DNS servers.
But it indeed happens when I mistype www.google.xom for
www.google.com, as it attempts www.google.xom.my.corp.com.

It would be nice to have a hard ndots option:
"only try suffixes if less than ndots dots"

Rethinking about it...
ndots currently can avoid the absolute query.
No way to avoid the suffixed queries.

What about having two options:
- mindotsforabsolute (a.k.a. ndots, default 1)
- maxdotsforsuffixed (new option to avoid suffixed queries, default
infinite, but in my case I'd like to put a 0 here)

What is the right place to propose that as an enhancement?

Best regards.
-- 
   Roberto Ragusa    mail at robertoragusa.it
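
Added example, not part of the original message: a small Python model of the three lookup cases reported in the tests above, showing which queries reach the search domain's servers with and without the proposed `maxdotsforsuffixed` cap. The function names, the `intranet` host and the zone data are constructed for illustration, and `max_dots_for_suffixed` models a proposal, not an existing resolver option.

```python
# Model of the lookup order reported in the message's tests (not resolver code).
# max_dots_for_suffixed models the proposed "maxdotsforsuffixed" option, which
# is only a proposal in the message; None means "infinite" (today's behaviour).

def candidate_queries(name, search, ndots=1, max_dots_for_suffixed=None):
    """Ordered FQDNs that would be tried for `name`."""
    if name.endswith("."):
        return [name]                         # trailing dot: absolute only
    dots = name.count(".")
    absolute = name + "."
    allowed = max_dots_for_suffixed is None or dots <= max_dots_for_suffixed
    suffixed = [f"{name}.{d.strip('.')}." for d in search] if allowed else []
    if dots >= ndots:
        return [absolute] + suffixed          # absolute first, suffixes on failure
    # Below ndots: suffixed only. Assumption: if the proposed cap also forbids
    # suffixes, fall back to the absolute name so something is still asked.
    return suffixed or [absolute]


def queries_sent(name, search, exists, **opts):
    """Queries emitted until the first name in `exists` answers."""
    sent = []
    for q in candidate_queries(name, search, **opts):
        sent.append(q)
        if q in exists:
            break
    return sent


def leaked(name, search, exists, **opts):
    """Suffixed queries emitted for a name that already contained a dot."""
    if "." not in name.rstrip("."):
        return []
    absolute = name.rstrip(".") + "."
    return [q for q in queries_sent(name, search, exists, **opts) if q != absolute]


if __name__ == "__main__":
    SEARCH = ["my.corp.com"]                                  # from the message
    EXISTS = {"www.google.com.", "intranet.my.corp.com."}     # constructed zone data
    for n in ("www.google.com", "www.google.xom", "intranet"):
        print(n, leaked(n, SEARCH, EXISTS),
              leaked(n, SEARCH, EXISTS, max_dots_for_suffixed=0))
```
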