On Thu, Feb 27, 2014 at 01:02:27PM +1100, Mark Andrews wrote:

> Additionally res_search should only proceed to the next name on
> NXDOMAIN.  Currently it is type sensitive, which is a holdover from
> when it always appended the first search element regardless of the
> number of labels in it and handled wildcard MX records.  If you had
> an MX record like
> 
>       *.element.in.search.list MX 0 some.server
> 
> you didn't want to stop a search for A records for foo.example.net.

Looking at somewhat recent NetBSD source:

    switch (statp->res_h_errno) {
    case NO_DATA:
            got_nodata++;
            /* FALLTHROUGH */
    case HOST_NOT_FOUND:
            /* keep trying */
            break;
    case TRY_AGAIN:
            if (hp->rcode == SERVFAIL) {
                    /* try next search element, if any */
                    got_servfail++;
                    break;
            }
            /* FALLTHROUGH */
    default:
            /* anything else implies that we're done */
            done++;
    }

we see that searching continues with NXDOMAIN, NODATA, and also
SERVFAIL!  As no tracking of the security status of NXDOMAIN or
NODATA takes place, unaware applications can get false "secure"
results when RES_DNSRCH is enabled.

I don't know how the new "getdns" handles mixing of DNSSEC and
appending suffixes.

-- 
        Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
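An added illustration of the failure mode Viktor describes above (this is simulation code written for this page, not NetBSD, libresolv or getdns code). The first function reproduces the decision logic of the quoted switch: NODATA, NXDOMAIN and SERVFAIL all mean "try the next search element", and only the AD bit of whatever finally answers is reported. The second function applies Mark Andrews' rule (advance only on NXDOMAIN), treats SERVFAIL as a stop rather than a retry, and carries the DNSSEC status of every negative answer along the chain. The search list, names, addresses and upstream responses are constructed; the `ad` flag stands in for whatever validation status a validating resolver would report.

```python
"""Search-list walking versus DNSSEC status: an added simulation, not resolver code."""
from dataclasses import dataclass

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"


@dataclass(frozen=True)
class Response:
    rcode: str
    answers: tuple = ()
    ad: bool = False  # AD bit: the upstream validator authenticated this response


def candidates(name, search_list, ndots=1):
    """RES_DNSRCH candidate order for a relative name with fewer than ndots
    dots: each search suffix first, then the name as-is (constructed policy)."""
    if name.endswith("."):
        return [name]
    if name.count(".") < ndots:
        return [f"{name}.{sfx}" for sfx in search_list] + [name + "."]
    return [name + "."] + [f"{name}.{sfx}" for sfx in search_list]


def legacy_res_search(name, qtype, search_list, zone):
    """Mirror the quoted switch: NO_DATA, HOST_NOT_FOUND and TRY_AGAIN/SERVFAIL
    all fall into "keep trying".  No status from skipped candidates survives."""
    for cand in candidates(name, search_list):
        r = zone.get((cand, qtype), Response(NXDOMAIN))
        if r.rcode == NOERROR and r.answers:
            return {"name": cand, "answers": r.answers, "secure": r.ad}
        if r.rcode in (NOERROR, NXDOMAIN, SERVFAIL):
            continue  # NODATA, NXDOMAIN or SERVFAIL: try next search element
        break  # anything else implies that we're done
    return None


def dnssec_aware_search(name, qtype, search_list, zone):
    """Advance only on NXDOMAIN; stop on SERVFAIL (a validator's way of saying
    "bogus"); report "secure" only if the final answer AND every NXDOMAIN that
    led to it were authenticated."""
    chain_secure = True
    for cand in candidates(name, search_list):
        r = zone.get((cand, qtype), Response(NXDOMAIN))
        if r.rcode == SERVFAIL:
            return {"name": cand, "answers": (), "status": "bogus"}
        if r.rcode == NXDOMAIN:
            chain_secure = chain_secure and r.ad  # unauthenticated denial taints the chain
            continue
        # NOERROR, with or without answers: the search ends at this name
        status = "secure" if (chain_secure and r.ad) else "insecure"
        return {"name": cand, "answers": r.answers, "status": status}
    return {"name": None, "answers": (), "status": "secure" if chain_secure else "insecure"}


# Constructed scenarios.  search list: corp.example. then example.
SEARCH = ("corp.example.", "example.")
HONEST = {
    ("foo.corp.example.", "A"): Response(NOERROR, ("192.0.2.10",), ad=True),
}
# An on-path attacker forges NXDOMAIN (no AD) for the intended name; the
# fallback name has a genuine, validated answer pointing somewhere else.
ATTACKED = {
    ("foo.corp.example.", "A"): Response(NXDOMAIN, ad=False),
    ("foo.example.", "A"): Response(NOERROR, ("192.0.2.66",), ad=True),
}
# The validator rejected tampered data for the intended name (SERVFAIL).
BOGUS = {
    ("foo.corp.example.", "A"): Response(SERVFAIL),
    ("foo.example.", "A"): Response(NOERROR, ("192.0.2.66",), ad=True),
}
# Name exists but has no A record: NODATA.  Legacy walks on; the strict walk stops.
NODATA = {
    ("foo.corp.example.", "A"): Response(NOERROR, (), ad=True),
    ("foo.example.", "A"): Response(NOERROR, ("192.0.2.66",), ad=True),
}

if __name__ == "__main__":
    for label, zone in (("honest", HONEST), ("attacked", ATTACKED),
                        ("bogus", BOGUS), ("nodata", NODATA)):
        print(label, "legacy:", legacy_res_search("foo", "A", SEARCH, zone))
        print(label, "strict:", dnssec_aware_search("foo", "A", SEARCH, zone))
```

In the "attacked" and "bogus" scenarios the legacy walk hands the application `192.0.2.66` with `secure=True`, even though the name it actually asked about was either denied without authentication or failed validation outright. The stricter walk downgrades the first to "insecure" and refuses the second as "bogus"; it is deliberately conservative, so a search through genuinely unsigned zones also comes out "insecure" rather than "secure".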
