Re: search and ndots support in bind utilities

Thank you Paul, this document is far better than I hoped for. I have to improve my googling skills it seems. This is brilliant. On 9/30/19 5:35 PM, Paul Ebersman wrote: > pemensik> I am aware search is a no-no in DNS community. However, is > pemensik> there any public documentation to this

Re: search and ndots support in bind utilities

One more thing: what about disabling search lists? Can't I make a rule that "all FQDNs must be specified with a trailing dot (as documented to stop the use of search lists)"? You'd better test that thoroughly. Firefox still doesn't get the TLS host header right, and Apache doesn't toss its

Re: search and ndots support in bind utilities

Following https://www.icann.org/en/system/files/files/sac-064-en.pdf, it sounds like modest groups of Internet users (such as informal clubs) that don't have their own official domain (like "iment.com") are out of luck if they would like to have local subdomains -- unless they want to use the

Re: search and ndots support in bind utilities

The following is not specific to BIND, but concerns the operating environment for DNS software. Ebersman in a later post links to a document which foreshadows what I'm about to discuss. On Mon, 30 Sep 2019, Petr Mensik wrote: [...] I am aware search is a no-no in DNS community. That's

Re: search and ndots support in bind utilities

pemensik> I am aware search is a no-no in DNS community. However, is pemensik> there any public documentation to this change? Is there RFC pemensik> recommending not to use search or how it should be used, pemensik> related to today's top level domains? pemensik> While I agree it is dangerous,

Re: search and ndots support in bind utilities

Hi Mark, I am aware search is a no-no in DNS community. However, is there any public documentation to this change? Is there RFC recommending not to use search or how it should be used, related to today's top level domains? While I agree it is dangerous, there are still people using it. I think

Re: search and ndots support in bind utilities

Partially qualified names are inherently unsafe. Depending on applying the search list after trying the name as fully qualified is just plain dangerous as it depends on a NXDOMAIN response from a namespace not under your control to reach the service you are after. TLDs get added all the time.

search and ndots support in bind utilities

Hello, I got bug report [1] about different behavior of nslookup in 9.11 version compared to old 9.9 version. At first I thought this issue should be closed right away. But when I digged into changes in BIND, I could not find any reason for given change. It seems to me the effect was not desired.