Le vendredi 4 mars 2011 13:23:32, Ben Hutchings a écrit : > On Fri, 2011-03-04 at 08:15 +0100, Tollef Fog Heen wrote: > > ]] Ben Hutchings > > > > Hi, > > > > | On Thu, Mar 03, 2011 at 05:20:37PM +0100, Tollef Fog Heen wrote: > > | > To the extent this is a bug, it's a bug in the resolver that it does > > | > not treat names with dots in them as absolute, but relative. I know > > | > this is how it's been done in the past, but perhaps changing that to > > | > treating names with as absolute would be a better solution. > > | > > | echo >>resolv.conf options ndots:15 > > > > Thanks for the suggestion, but this does not seem to do what I want, I > > think? > > > > ndots:n > > > > sets a threshold for the number of dots which must appear in a name > > given to res_query(3) (see resolver(3)) before an initial absolute > > query will be made. The default for n is 1, meaning that if there > > are any dots in a name, the name will be tried first as an absolute > > name before any search list elements are appended to it. The value > > for this option is silently capped to 15. > > > > I'd like it to not append the search list if there are dots at all. > > You could stop being lazy and type the dot on the end too. ;-) > > > so doing «getent hosts foo.bar» will only generate a query for > > «foo.bar.», not for «foo.bar.$searchpath.» > > I misparsed your question because I assumed you were addressing the > > issue that Bastien pointed out in the message you replied to: > > main security problem is resolver, > > $host -v www.local > > www.local > > www.local.mydomain.com > > And I believe that the 'ndots' option does address that issue - to an > extent. You still need DNSSEC or application-layer security to verify > the answer, regardless of the presence of mDNS.
Not completly, it is a global default. I will prefer that mdns will be always solve as absolute name but want to use default for dns BTW ndots seems broken at least in my installation and https://bugs.launchpad.net/ubuntu/+source/linux/+bug/401202 Bastien Bastien -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/201103042056.31423.roucaries.bast...@gmail.com
