> On Jul 26, 2017, at 5:37 AM, u-hd-p...@aetey.se wrote:
> As Russ already pointed out, the DNS standard is not an authority
> which defines the behaviour of the applicable APIs. Of course widely used
> implementations may create "de-facto standards" but this discussion shows
> that there is no apparent consensus about how name lookup is supposed
> to happen.

The problem is that we don't get:

        1. Look up name from SRV in /etc/hosts, return address(es) if found
        2. Look up same name in DNS, return address(es) if found

instead, in step 2, we may get undesirable, incorrect and/or costly
interactions with the stub resolver's domain search list.  The name
in the SRV record is an FQDN and MUST NOT be subject to RES_DEFNAMES
or RES_DNSRCH.  The getaddrinfo(3) API provides no means to signal
that a name should not be subjected to the DNS search list.

Furthermore, if a domain's KDC list is not locally administered, and
you're delegating the KDC names to remotely administered DNS, local
overrides of the address resolution are no less costly than just
putting override kdcs in the [realms] section.  Indeed the latter
is much less fragile.

Heimdal should be optimized for correct and reliable operation in normal
use first, and debugging hooks second.  Thus I plan to partly revert the
changes in the "master" branch to ensure that names that are obtained
from SRV records are resolved without search list suffixes, by appending
"." in the getaddrinfo(3) hostname argument for such names.  This will
match the behaviour of the MIT implementation.
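
The approach described in the message above, sketched as an added example (not part of the original message, and not Heimdal's or MIT's code): an SRV target is rooted with a trailing "." before it reaches getaddrinfo(3), so the stub resolver does not apply the search list. The function names `srv_target_rooted` and `resolve_srv_target` and the SOCK_STREAM hint are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <netdb.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Hypothetical helper (illustration only): copy an SRV target into `out` as
 * a rooted name ending in exactly one ".", which the stub resolver treats as
 * fully qualified. Returns 0 on success, -1 if the name is empty, is the SRV
 * "." target (RFC 2782: service not available), has an empty final label, or
 * does not fit in `out`. */
int srv_target_rooted(const char *target, char *out, size_t outlen)
{
    size_t len = target ? strlen(target) : 0;

    if (len == 0)
        return -1;
    if (target[len - 1] == '.')
        len--;                  /* already rooted: strip, re-add below */
    /* After stripping, reject "" (target was ".") and "name..". */
    if (len == 0 || target[len - 1] == '.' || len > 253 || len + 2 > outlen)
        return -1;
    memcpy(out, target, len);
    out[len] = '.';
    out[len + 1] = '\0';
    return 0;
}

/* Resolve an SRV target without search-list expansion. Returns the
 * getaddrinfo(3) error code, or EAI_NONAME if the target is unusable. */
int resolve_srv_target(const char *target, const char *port,
                       struct addrinfo **res)
{
    char fqdn[256];
    struct addrinfo hints;

    if (srv_target_rooted(target, fqdn, sizeof(fqdn)) != 0)
        return EAI_NONAME;      /* no lookup is attempted */
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    return getaddrinfo(fqdn, port, &hints, res);
}
```

The caller frees a successful result with freeaddrinfo(3); names configured locally (for example in [realms]) would not go through this path.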

