On 04/21/2017 05:08 PM, Bob Harold wrote:
> I can understand you wanting a "getfqdn" function to return the FQDN (fully
> qualified domain name) without doing canonicalization.
>
> But just so we are clear on the DNS terms:
> "access.redhat.com" and "access.redhat.com.edgekey.net" are "aliases";
> "e133.b.akamaiedge.net" is the canonical name.
>
> access.redhat.com is an alias for access.redhat.com.edgekey.net.
> access.redhat.com.edgekey.net is an alias for e133.b.akamaiedge.net.
> e133.b.akamaiedge.net has address 104.67.69.246
I'm aware of the terminology.

I just think that in terms of RFC 3493, it would make sense to restrict
the name transformation applied with AI_CANONNAME on the current
internet, i.e. clarify that here:

    If the AI_CANONNAME flag is specified and the nodename argument is
    not null, the function shall attempt to determine the canonical name
    corresponding to nodename (for example, if nodename is an alias or
    shorthand notation for a complete name).

"alias" does not refer to CNAME chain resolution, but to other forms of
alias processing (like the slightly historic HOSTALIASES processing).

This would help to address long-standing security issues in name
canonicalization, e.g. in Kerberos deployments.
Thanks,
Florian
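The distinction the two messages above turn on, as an added illustration that is not part of the thread: a small resolver simulation with a constructed zone table mirroring the `host` output Bob quoted, plus a constructed HOSTALIASES-style shorthand table. `chase_cname` implements the CNAME-chain reading of "canonical name" (with loop and hop-limit protection), `expand_alias` implements the restricted reading Florian proposes (shorthand expansion only), and `service_principal` is a hypothetical helper that shows why the choice matters for a Kerberos-style deployment: the service principal a client asks for depends on which canonicalization was applied. Everything here runs offline; no real `getaddrinfo` call is made.

```python
"""Two readings of RFC 3493 "canonical name", exercised on constructed data."""

MAX_CNAME_HOPS = 8

# Constructed zone table, mirroring the `host` output quoted in the thread.
# Each owner name maps to (record type, rdata).
ZONE = {
    "access.redhat.com": ("CNAME", "access.redhat.com.edgekey.net"),
    "access.redhat.com.edgekey.net": ("CNAME", "e133.b.akamaiedge.net"),
    "e133.b.akamaiedge.net": ("A", "104.67.69.246"),
}

# Constructed HOSTALIASES-style table: local shorthand -> complete name.
HOST_ALIASES = {"rhaccess": "access.redhat.com"}


def chase_cname(name, zone=ZONE, max_hops=MAX_CNAME_HOPS):
    """CNAME-chain canonicalization: follow CNAME records until the owner
    name of a non-CNAME record is reached.  Raises on loops, over-long
    chains and missing names instead of returning a guess."""
    seen = []
    while True:
        if name in seen:
            raise ValueError(f"CNAME loop at {name!r}: {' -> '.join(seen)}")
        if len(seen) >= max_hops:
            raise ValueError(f"CNAME chain longer than {max_hops} hops")
        seen.append(name)
        record = zone.get(name)
        if record is None:
            raise LookupError(f"no record for {name!r}")
        rtype, rdata = record
        if rtype != "CNAME":
            return name
        name = rdata


def expand_alias(name, aliases=HOST_ALIASES):
    """Restricted canonicalization: expand a local shorthand/alias into the
    complete name, but never follow DNS CNAME records."""
    return aliases.get(name, name)


def service_principal(hostname, canonicalize, service="host"):
    """Hypothetical helper: build a Kerberos-style service principal name
    (realm omitted) from a host name, using the supplied canonicalization."""
    return f"{service}/{canonicalize(hostname)}"


if __name__ == "__main__":
    # CNAME chasing lands on the CDN edge host, the restricted form does not.
    print("CNAME chain:", chase_cname("access.redhat.com"))
    print("alias only :", expand_alias("rhaccess"))
    print("SPN, CNAME chased:",
          service_principal("rhaccess", lambda n: chase_cname(expand_alias(n))))
    print("SPN, alias only  :", service_principal("rhaccess", expand_alias))
```

Run as a script it prints both principals side by side: the CNAME-chased form names the CDN edge host, which is the name the client would then try to authenticate, while the alias-only form keeps the name the user actually typed.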
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop