On Wed, Jul 26, 2017 at 03:08:30PM -0700, Henry B (Hank) Hotz, CISSP wrote:
> > Then the explicit trailing dots in /etc/hosts look indeed
> > like a reasonable trade-off.
>
> Actually, isn’t the trailing dot just a red herring?
No.
> The RR is guaranteed to return a name which has an A/ rec
I disagree.
While you are technically correct, in my experience most SAs know very well
what services are provided and where, but don’t know enough about DNS to know
what a RR is. For that level of knowledge, having /etc/hosts take precedence is
exactly the “least surprise” behavior.
> On Jul
> On Jul 26, 2017, at 10:29 AM, u-hd-p...@aetey.se wrote:
>
> On Wed, Jul 26, 2017 at 08:45:17AM -0700, Russ Allbery wrote:
>> Viktor Dukhovni writes:
>>> 2. Look up same name in DNS, return address(es) if found
>>
>>> instead, in step 2, we may get undesirable, incorrect and/or costly
>>>
> On Jul 25, 2017, at 6:30 PM, Roland C. Dowdeswell
> wrote:
>
> And there are no KDCs configured in /etc/krb5.conf for the realm that
> you are querying, you will use DNS SRV RRs. And, we think that once you
> have retrieved hostnames from DNS SRV RRs that they should be looked up
> only in D
On Wed, Jul 26, 2017 at 08:45:17AM -0700, Russ Allbery wrote:
>
> Right, the point is not that you can't override with /etc/krb5.conf, the
> point is that /etc/hosts normally overrides everything without having to
> hunt down software-specific configuration files.
But in this case /etc/hosts clea
On Wed, Jul 26, 2017 at 08:45:17AM -0700, Russ Allbery wrote:
> Viktor Dukhovni writes:
> > 2. Look up same name in DNS, return address(es) if found
>
> > instead, in step 2, we may get undesirable, incorrect and/or costly
> > interactions with the stub resolver's domain search list. The nam
Viktor Dukhovni writes:
> The problem is that we don't get:
> 1. Look up name from SRV in /etc/hosts, return address(es) if found
> 2. Look up same name in DNS, return address(es) if found
> instead, in step 2, we may get undesirable, incorrect and/or costly
> interactions with the
> On Jul 26, 2017, at 5:37 AM, u-hd-p...@aetey.se wrote:
>
> As Russ already pointed out, the DNS standard is not an authority
> which defines the behaviour of the applicable APIs. Of course widely used
> implementations may create "de-facto standards" but this discussion shows
> that there is no
On Tue, Jul 25, 2017 at 09:48:11PM -0400, Roland C. Dowdeswell wrote:
> On Tue, Jul 25, 2017 at 11:20:57PM +0200, u-hd-p...@aetey.se wrote:
> > > As you can see, getaddrinfo(3) will only use DNS to chase the CNAME
> > > defined in DNS and does not consult /etc/hosts in the middle of a
> >
> > You