Package: libnss-mdns
Version: 0.8-6
Severity: serious

Hi!

The configuration that is patched into /etc/nsswitch.conf by libnss-mdns 0.8-6 is just plain broken and against everything upstream (who happens to be me) or any other person who has any clue about mDNS recommends.

The line upstream suggests looks like this:

    hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

This line resembles closely the behaviour MacOSX - the OS which pioneered mDNS - exposes. Everything else is much worse in its behaviour.

In contrast, the line your package version adds has several disadvantages, among them:

* Slows down all mDNS lookups
* Breaks mDNS lookups when the configured DNS server is not reachable (!)
* Is a security hole, because local host info is leaked on unicast dns server and as such the internet
* Is a security hole, because people on the internet can redirect local services to other hosts
* Increases the burden on internet DNS servers needlessly. (This is a major problem which caused the creation of projects like AS112)
* Breaks mDNS RR consistency because the unicast DNS zone .local is kind-of merged with the multicast DNS zone .local. However, the conflict protocol which makes sure that no two host names or service names conflict in the .local zone simply doesn't work against names from the .local unicast domain.

In short: while upstream proposes a sensible, working line, your package pointlessly fucks it up and is thus simply broken.

Sure, the line upstream recommends has also one disadvantage, which is that it is inherently incompatible with unicast DNS domains called .local. But that's the way mDNS has been designed, and is a simple fact that has to be dealt with administratively and not through applying ugly kludges to upstream's clean code.

For further discussion see bug #388864 where many points mentioned above were already discussed.

Several people showed interest in maintaining nss-mdns in Debian.
As you seem to give a fuck about upstream's technical opinion on these issues or even on the opinions of the mDNS/DNS-SD *designers*, and it is clear that your relationship to upstream is not the best, may I suggest that you simply orphan this package and have someone else look after it?

I am fully aware that you happen to have access to a network where .local is a unicast domain name. Due to this you seem to value compatibility with that network more than correct behaviour of mDNS. However, Debian is not just about you, but about its users - all of them.

If you insist that your line is the better one and refuse to change it to the line I recommend and don't want to orphan the package, then I kindly ask you to fork my package and rename your copy. And please don't put "mdns" in the new package name, since the behaviour you advocate is clearly not the standard mDNS behaviour.

Please understand that I don't want to be connected to the broken behaviour your nss-mdns package exposes any longer.

Lennart

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages libnss-mdns depends on:
ii  base-files    3.1.16         Debian base system miscellaneous f
ii  libc6         2.3.6.ds1-4    GNU C Library: Shared libraries

libnss-mdns recommends no packages.

-- no debconf information

-- 
Lennart Poettering; lennart [at] poettering [dot] net
ICQ# 11060553; GPG 0x1A015CC4; http://0pointer.net/lennart/
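
An added example, not part of the original report and not nss-mdns code: a checker for the `hosts:` line of /etc/nsswitch.conf that tests the property the report argues for, namely that an `mdns*_minimal` module with `[NOTFOUND=return]` sits ahead of `dns`, so that .local names are never handed to a unicast DNS server. The function names and the two sample lines marked as constructed are assumptions made for illustration; only the upstream line is taken from the report.

```python
import re

# nss-mdns module names: the *_minimal variants answer only .local names
# (and link-local reverse lookups) and report NOTFOUND for unknown .local hosts.
MINIMAL = re.compile(r"^mdns[46]?_minimal$")

def parse_hosts(conf_text):
    """Return the hosts: entry as a list of (service, {STATUS: action}) pairs."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.lower().startswith("hosts:"):
            continue
        entries = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", line[len("hosts:"):]):
            if not tok.startswith("["):
                entries.append((tok, {}))
                continue
            if not entries:
                raise ValueError("action list before any service")
            # "[STATUS=action ...]" applies to the service just before it.
            # A negated "!STATUS" is stored under that literal key, so it
            # never counts as the plain NOTFOUND=return the audit looks for.
            for crit in tok[1:-1].split():
                status, _, action = crit.partition("=")
                entries[-1][1][status.upper()] = action.lower()
        return entries
    return []

def audit_hosts(conf_text):
    """Return findings; an empty list means .local lookups stop before dns."""
    entries = parse_hosts(conf_text)
    names = [name for name, _ in entries]
    if "dns" not in names or not any(n.startswith("mdns") for n in names):
        return []            # only lines mixing mDNS and unicast DNS matter
    before_dns = entries[:names.index("dns")]
    guarded = any(MINIMAL.match(n) and acts.get("NOTFOUND") == "return"
                  for n, acts in before_dns)
    if guarded:
        return []
    return [".local lookups reach unicast DNS: no mdns*_minimal "
            "[NOTFOUND=return] ahead of dns"]

UPSTREAM = "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4"  # from the report
DNS_FIRST = "hosts: files dns mdns4"                  # constructed sample
NO_ACTION = "hosts: files mdns4_minimal dns mdns4"    # constructed sample

if __name__ == "__main__":
    for sample in (UPSTREAM, DNS_FIRST, NO_ACTION):
        print(sample, "->", audit_hosts(sample) or "ok")
```
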