> On Jul 26, 2017, at 5:37 AM, u-hd-p...@aetey.se wrote:
>
> As Russ already pointed out, the DNS standard is not an authority
> which defines the behaviour of the applicable APIs. Of course widely used
> implementations may create "de-facto standards" but this discussion shows
> that there is no apparent consensus about how name lookup is supposed
> to happen.

The problem is that we don't get:

  1. Look up name from SRV in /etc/hosts, return address(es) if found
  2. Look up same name in DNS, return address(es) if found

instead, in step 2, we may get undesirable, incorrect and/or costly
interactions with the stub resolver's domain search list. The name
in the SRV record is an FQDN and MUST NOT be subject to RES_DEFNAMES
or RES_DNSRCH. The getaddrinfo(3) API provides no means to signal that
a name should not be subjected to the DNS search list.

Furthermore, if a domain's KDC list is not locally administered, and
you're delegating the KDC names to remotely administered DNS, local
overrides of the address resolution are no less costly than just putting
override kdcs in the [realms] section. Indeed the latter is much less
fragile.

Heimdal should be optimized for correct and reliable operation in
normal use first, and debugging hooks second. Thus I plan to partly
revert the changes in the "master" branch to ensure that names that
are obtained from SRV records are resolved without search list
suffixes, by appending "." in the getaddrinfo(3) hostname argument
for such names. This will match the behaviour of the MIT implementation.

--
Viktor.
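
Added example, not part of the original message and not Heimdal's or MIT's code: a C illustration of the approach described above, giving an SRV target a trailing "." before it reaches getaddrinfo(3) so the stub resolver does not apply its search list. The helper names `root_fqdn` and `resolve_srv_target`, the 256-byte buffer and the host `kdc1.example.com` are assumptions made for this illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

#define ROOTED_MAX 256  /* assumed: 253-byte name + "." + NUL fits */

/* Hypothetical helper: copy an SRV target into out with exactly one
 * trailing ".", marking it absolute for the stub resolver.
 * Returns 0 on success, -1 for empty, malformed or oversized input.
 * A target of "." (RFC 2782: service not available) is rejected. */
int root_fqdn(const char *target, char *out, size_t outlen)
{
    size_t n;
    if (target == NULL || out == NULL)
        return -1;
    n = strlen(target);
    if (n > 0 && target[n - 1] == '.')
        n--;                          /* already rooted: drop the dot */
    if (n == 0 || target[n - 1] == '.' || n + 2 > outlen)
        return -1;
    memcpy(out, target, n);
    out[n] = '.';
    out[n + 1] = '\0';
    return 0;
}

/* Hypothetical wrapper: resolve an SRV target without search-list
 * suffixes. Returns a getaddrinfo(3) error code (0 on success). */
int resolve_srv_target(const char *target, const char *port,
                       struct addrinfo **res)
{
    char rooted[ROOTED_MAX];
    struct addrinfo hints;
    if (root_fqdn(target, rooted, sizeof rooted) != 0)
        return EAI_NONAME;            /* never hand a bad name to DNS */
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    return getaddrinfo(rooted, port, &hints, res);
}

int main(void)
{
    struct addrinfo *res = NULL;
    int rc = resolve_srv_target("kdc1.example.com", "88", &res); /* constructed name */
    printf("lookup: %s\n", rc ? gai_strerror(rc) : "ok");
    if (rc == 0)
        freeaddrinfo(res);
    return 0;
}
```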