Re: search and ndots support in bind utilities

2019-10-01 Thread Petr Mensik
Thank you Paul, this document is far better than I hoped for. I have to improve my googling skills it seems. This is brilliant.

On 9/30/19 5:35 PM, Paul Ebersman wrote:
> pemensik> I am aware search is a no-no in DNS community. However, is
> pemensik> there any public documentation to this change

Re: search and ndots support in bind utilities

2019-09-30 Thread m3047
One more thing: what about disabling search lists? Can't I make a rule that "all FQDNs must be specified with a trailing dot (as documented to stop the use of search lists)"? You'd better test that thoroughly. Firefox still doesn't get the TLS host header right, and Apache doesn't toss its bre

Re: search and ndots support in bind utilities

2019-09-30 Thread Paul Kosinski via bind-users
Following https://www.icann.org/en/system/files/files/sac-064-en.pdf, it sounds like modest groups of Internet users (such as informal clubs) that don't have their own official domain (like "iment.com") are out of luck if they would like to have local subdomains -- unless they want to use the quite

Re: search and ndots support in bind utilities

2019-09-30 Thread m3047
The following is not specific to BIND, but concerns the operating environment for DNS software. Ebersman in a later post links to a document which foreshadows what I'm about to discuss. On Mon, 30 Sep 2019, Petr Mensik wrote: [...] I am aware search is a no-no in DNS community. That's barely

Re: search and ndots support in bind utilities

2019-09-30 Thread Paul Ebersman
pemensik> I am aware search is a no-no in DNS community. However, is
pemensik> there any public documentation to this change? Is there RFC
pemensik> recommending not to use search or how it should be used,
pemensik> related to today's top level domains?
pemensik> While I agree it is dangerous, the

Re: search and ndots support in bind utilities

2019-09-30 Thread Petr Mensik
Hi Mark, I am aware search is a no-no in DNS community. However, is there any public documentation to this change? Is there RFC recommending not to use search or how it should be used, related to today's top level domains? While I agree it is dangerous, there are still people using it. I think we

Re: search and ndots support in bind utilities

2019-09-26 Thread Mark Andrews
Partially qualified names are inherently unsafe. Depending on applying the search list after trying the name as fully qualified is just plain dangerous as it depends on a NXDOMAIN response from a namespace not under your control to reach the service you are after. TLDs get added all the time. On

search and ndots support in bind utilities

2019-09-26 Thread Petr Mensik
Hello, I got bug report [1] about different behavior of nslookup in 9.11 version compared to old 9.9 version. At first I thought this issue should be closed right away. But when I dug into changes in BIND, I could not find any reason for given change. It seems to me the effect was not desired.