On Wed, Sep 16, 2020 at 12:30:53PM +0000, Derek Wilson wrote:
> https://github.com/systemd/systemd/issues/8967#issuecomment-391459667
>
> Apparently the trailing dot "thing" never hits the wire?

it wouldn't matter. the trailing dot is implicit, so when explicit, it means the same as being absent.

> At some point if all DNS clients start doing ridiculous things, do we worry
> that it will break server side operations? At what point do clients abusing
> protocols start becoming a problem for systems (like DNS) they misuse/abuse?

the common BIND8/BIND4/BSD client library also uses a trailing dot as a signal; the signal is "do a query of the input string first, before trying the search list". this is both weak and confusing, but it's the signal path we had.

> I probably yelled too much in that thread for it to be effective (sorry),
> but maybe someone here has a back channel to systemd-resolved folks and can
> advocate for proper handling of trailing dots?
>
> Or maybe I'm bothered over nothing - in which case I'd love to be convinced.

i've asked that postfix please add a trailing dot to the names it looks up, because my dns trace logs show the search list being appended regardless of the setting of "options ndots:N" in /etc/resolv.conf. perhaps this can happen, because right now there's a huge exposure of private information (my search list) to noncontracted parties.

getdnsapi.org offers a replacement for the OS library (or for the apps, since apps are now doing their own DNS independent of the OS's settings). the best single thing we could all do for dns goodness is to get systemd to adopt the getdnsapi library, which is license-compatible. raise your voice _there_ if you want the risk of improving the world.

-- 
Paul Vixie

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
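To make the search-list exposure discussed above concrete, here is an added example (not from the post, nor from any resolver's source) that models the classic stub-resolver candidate ordering described in resolv.conf(5): a trailing dot makes the name absolute and suppresses search-list expansion, while `ndots` only decides whether the literal name or the search-list expansions are tried first. The search domains and hostnames are constructed.

```python
"""Simplified model of stub-resolver search-list expansion (added example).

Assumption (not from the mailing-list post): ordering follows the classic
res_search() rules in resolv.conf(5). A trailing dot means absolute, never
expanded; otherwise a name with at least `ndots` dots is tried literally
first and the search list only after NXDOMAIN; with fewer dots the search
list is tried first and the literal name last.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ResolvConf:
    search: list[str] = field(default_factory=list)  # constructed values
    ndots: int = 1


def candidates(name: str, conf: ResolvConf) -> list[str]:
    """Fully qualified names the stub may send, in the order it tries them."""
    if name.endswith("."):
        # Explicit trailing dot: the 'stop' signal, nothing is appended.
        return [name]
    literal = name + "."
    expanded = [f"{name}.{d.rstrip('.')}." for d in conf.search]
    if name.count(".") >= conf.ndots:
        return [literal] + expanded   # literal first; search only on NXDOMAIN
    return expanded + [literal]       # search list first; literal last


def exposed_search_domains(name: str, conf: ResolvConf) -> list[str]:
    """Worst-case leak: expansions an outside resolver operator would see if
    every earlier candidate returns NXDOMAIN (e.g. a typo'd MX hostname)."""
    literal = name.rstrip(".") + "."
    return [c for c in candidates(name, conf) if c != literal]


if __name__ == "__main__":
    conf = ResolvConf(search=["corp.example.internal", "example.internal"])
    for n in ("mail.partner.example", "mail.partner.example.", "intranet"):
        print(f"{n:24} -> {candidates(n, conf)}")
```

Running it shows that only the dotted form keeps `corp.example.internal` off the wire; without it a single NXDOMAIN on the literal name reveals every search domain in turn.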
