Re: How to disable DNS lookups?

2017-07-26 Thread u-hd-phes
On Tue, Jul 25, 2017 at 09:48:11PM -0400, Roland C. Dowdeswell wrote: > On Tue, Jul 25, 2017 at 11:20:57PM +0200, u-hd-p...@aetey.se wrote: > > > As you can see, getaddrinfo(3) will only use DNS to chase the CNAME > > > defined in DNS and does not consult /etc/hosts in the middle of a > > > > You

Re: How to disable DNS lookups?

2017-07-26 Thread Russ Allbery
Viktor Dukhovni writes:
> The problem is that we don't get:
> 1. Look up name from SRV in /etc/hosts, return address(es) if found
> 2. Look up same name in DNS, return address(es) if found
> instead, in step 2, we may get undesirable, incorrect and/or costly
>

Re: How to disable DNS lookups?

2017-07-26 Thread Viktor Dukhovni
> On Jul 26, 2017, at 5:37 AM, u-hd-p...@aetey.se wrote:
>
> As Russ already pointed out, the DNS standard is not an authority
> which defines the behaviour of the applicable APIs. Of course widely used
> implementations may create "de-facto standards" but this discussion shows
> that there is

Re: How to disable DNS lookups?

2017-07-26 Thread Thor Lancelot Simon
On Wed, Jul 26, 2017 at 08:45:17AM -0700, Russ Allbery wrote: > > Right, the point is not that you can't override with /etc/krb5.conf, the > point is that /etc/hosts normally overrides everything without having to > hunt down software-specific configuration files. But in this case /etc/hosts

Re: How to disable DNS lookups?

2017-07-26 Thread u-hd-phes
On Wed, Jul 26, 2017 at 08:45:17AM -0700, Russ Allbery wrote:
> Viktor Dukhovni writes:
> > 2. Look up same name in DNS, return address(es) if found
>
> > instead, in step 2, we may get undesirable, incorrect and/or costly
> > interactions with the stub resolver's

Re: How to disable DNS lookups?

2017-07-26 Thread Henry B (Hank) Hotz, CISSP
> On Jul 26, 2017, at 10:29 AM, u-hd-p...@aetey.se wrote:
>
> On Wed, Jul 26, 2017 at 08:45:17AM -0700, Russ Allbery wrote:
>> Viktor Dukhovni writes:
>>> 2. Look up same name in DNS, return address(es) if found
>>
>>> instead, in step 2, we may get undesirable,

Re: How to disable DNS lookups?

2017-07-26 Thread Henry B (Hank) Hotz, CISSP
> On Jul 25, 2017, at 6:30 PM, Roland C. Dowdeswell wrote:
>
> And there are no KDCs configured in /etc/krb5.conf for the realm that
> you are querying, you will use DNS SRV RRs. And, we think that once you
> have retrieved hostnames from DNS SRV RRs that

Re: How to disable DNS lookups?

2017-07-26 Thread Henry B (Hank) Hotz, CISSP
I disagree. While you are technically correct, in my experience most SAs know very well what services are provided and where, but don’t know enough about DNS to know what a RR is. For that level of knowledge, having /etc/hosts take precedence is exactly the “least surprise” behavior.

> On

Re: How to disable DNS lookups?

2017-07-26 Thread Viktor Dukhovni
On Wed, Jul 26, 2017 at 03:08:30PM -0700, Henry B (Hank) Hotz, CISSP wrote:
> > Then the explicit trailing dots in /etc/hosts look indeed
> > like a reasonable trade-off.
>
> Actually, isn’t the trailing dot just a red herring?

No.

> The RR is guaranteed to return a name which has an A/