> > Apparently the trailing dot "thing" never hits the wire?
>
> it wouldn't matter. the trailing dot is implicit, so when explicit, it means
> the same as being absent.

Is a trailing dot not counted as part of ndots? Either way, resolved picks and chooses which rtypes you can get back from a TLD regardless of the trailing dot. I can get SOA and NS, but not DS, DNSKEY, NSEC, NSEC3, A, or AAAA ... for SOA and NS I get NOERROR, but for the other things I get SERVFAIL ... which is confusing at best, application-breaking at worst.

> the common BIND8/BIND4/BSD client library also uses a trailing dot as a
> signal; the signal is "do a query of the input string first, before trying
> the search list". this is both weak and confusing, but it's the signal path
> we had.

That behavior makes sense to me, but maybe that's because it's what I'm used to.

> i've asked that postfix please add a trailing dot to the names it looks up,
> because my dns trace logs show the search list being appended regardless of
> the setting of "options ndots:N" in /etc/resolv.conf. perhaps this can happen,
> because right now there's a huge exposure of private information (my search
> list) to noncontracted parties.

Adding the trailing dot would not change behavior on systemd-resolved, as far as I understand. This behavior IMO will cause more inadvertent data leaks, which is the opposite of the claim being made by systemd.

> getdnsapi.org offers a replacement for the OS library (or for the apps, since
> apps are now doing their own DNS independent of the OS's settings). the best
> single thing we could all do for dns goodness is to get systemd to adopt the
> getdnsapi library, which is license-compatible. raise your voice _there_ if
> you want the risk of improving the world.

I hadn't seen that... thanks for the link.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
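To make the search-list mechanics discussed in the quoted reply concrete, here is an added example (it is not from this thread and not from any resolver's source code) that models how a classic BIND/libc stub resolver expands a name against the `search` list and `options ndots:N`, and why only a trailing dot keeps the search domains off the wire entirely. The expansion rules are a simplified model and are an assumption, not a faithful reimplementation of glibc; the zone contents are constructed; and `ResolvConf`, `candidate_queries` and `simulate_lookup` are names chosen for this example. systemd-resolved is not modelled, since the post reports that it behaves differently.

```python
"""Simplified model of classic BIND/libc stub-resolver search-list expansion.

Added example, not code from the mailing-list thread. Rules modelled
(assumption: simplified classic BIND/libc behaviour):
  * trailing dot   -> only the literal name is queried; the search list is
                      never consulted
  * dots >= ndots  -> literal name first, then name + each search domain
  * dots <  ndots  -> name + each search domain first, then literal name
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ResolvConf:
    """Constructed stand-in for the relevant parts of /etc/resolv.conf."""
    search: List[str] = field(default_factory=list)  # "search" line
    ndots: int = 1                                    # "options ndots:N"


def candidate_queries(name: str, conf: ResolvConf) -> List[str]:
    """Return the fully qualified names the resolver would try, in order.

    Every returned name ends in '.', so what goes on the wire is unambiguous.
    """
    if name.endswith("."):
        # Explicit trailing dot: the caller has said "this is absolute",
        # so no search domain is ever appended.
        return [name]
    literal = [name + "."]
    expanded = [f"{name}.{dom.rstrip('.')}." for dom in conf.search]
    if name.count(".") >= conf.ndots:
        return literal + expanded
    return expanded + literal


def simulate_lookup(
    name: str, conf: ResolvConf, answers: Dict[str, str]
) -> Tuple[List[str], Optional[str]]:
    """Send candidates in order, stopping at the first one that has an answer.

    `answers` is a constructed stand-in for the DNS: a map from absolute
    name to the record value. Returns (names actually sent, answer or None).
    The list of sent names is exactly what an on-path observer or the
    authoritative servers for the search domains would get to see.
    """
    sent: List[str] = []
    for q in candidate_queries(name, conf):
        sent.append(q)
        if q in answers:
            return sent, answers[q]
    return sent, None


if __name__ == "__main__":
    # Constructed configuration and constructed zone contents.
    conf = ResolvConf(search=["corp.example", "example"], ndots=1)
    zone = {"mail.example.net.": "192.0.2.25"}

    for lookup in ("mail.example.net", "typo.example.net", "typo.example.net."):
        sent, result = simulate_lookup(lookup, conf, zone)
        print(f"{lookup!r:22} -> sent {sent} result={result}")
```

Running the block shows the leak the thread is about: `mail.example.net` has at least `ndots` dots, so the literal name is tried first and answers, and nothing else is sent. A name that does not resolve (`typo.example.net`) is then retried with every search domain appended, exposing `corp.example` and `example` to whoever serves those queries, even though ndots was honoured. Only `typo.example.net.` with the explicit trailing dot stops after the single literal query.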
