This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.
Re: getaddrinfo with PF_UNSPEC and /etc/hosts
- From: Pekka Savola <pekkas at netcore dot fi>
- To: Ulrich Drepper <drepper at redhat dot com>
- Cc: Ben Collins <bcollins at debian dot org>, <libc-alpha at sources dot redhat dot com>, Solar Designer <solar at openwall dot com>, Harald Hoyer <harald at redhat dot de>
- Date: Fri, 23 Nov 2001 19:46:24 +0200 (EET)
- Subject: Re: getaddrinfo with PF_UNSPEC and /etc/hosts
On 23 Nov 2001, Ulrich Drepper wrote:
> Ben Collins <bcollins@debian.org> writes:
>
> > Which is why I said it was a hack, a workaround. It does have to do with
> > security. If you try to connect to "www.sun.com", and the DNS for a
> > domain in your search is hacked,
>
> If your search is hacked anything can happen. That's no argument.
> Again, there is no additional risk.
IMO, there are two basic points for using /etc/hosts:
1) security; as it's statically configured, you don't need to trust DNS to
give the right answer (think cache poisoning and other attacks).
(note: I don't really see what Ben Collins tried to point out either)
2) reliability: in cases where DNS or network connectivity is off-line,
there would be no need for lookups for (more or less, in host vs. site
sense) local addresses.
(Additional note: in case private addresses are used in /etc/hosts (rather
common I think) querying them in the global DNS may be undesirable.)
Both of these arguments are broken by current getaddrinfo.
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"Tell me of difficulties surmounted,
not those you stumble over and fall"
-- Robert Jordan: A Crown of Swords
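The two arguments in the message above (a static /etc/hosts entry should remove both the trust in DNS and the need for a DNS query) can be made concrete with a small model of hosts-file-first lookup. The following is an added example, not code from this thread and not glibc's getaddrinfo implementation: the hosts file contents, the names, and the resolver policy (a lookup is "complete" only when every address family covered by the request has a static entry, so a PF_UNSPEC request for a name with only an A entry would still leave IPv6 unanswered) are constructed assumptions for illustration. It flags the case the message calls undesirable: a DNS query going out for a name whose static addresses are all private or loopback.

```python
"""Model of hosts-file-first resolution for PF_UNSPEC vs single-family lookups.

Added example for illustration: not code from the mailing-list thread and not
glibc's actual resolver logic.  The hosts file text and the completeness policy
below are assumptions constructed for this example.
"""
import ipaddress
import socket

# Constructed /etc/hosts contents; 10/8 is private, 192.0.2/24 and 2001:db8::/32
# are documentation ranges.
HOSTS_FILE = """\
127.0.0.1    localhost
::1          localhost
10.0.0.5     intranet.example  intranet   # private IPv4 only, no AAAA anywhere
192.0.2.10   dualstack.example
2001:db8::10 dualstack.example
"""


def parse_hosts(text):
    """Return {lower-cased name: [ip_address, ...]} from /etc/hosts-style text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # ignore malformed lines, do not guess
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def families_requested(family):
    """PF_UNSPEC covers both families; anything else is a single-family request."""
    if family == socket.AF_UNSPEC:
        return {socket.AF_INET, socket.AF_INET6}
    return {family}


def family_of(addr):
    return socket.AF_INET if addr.version == 4 else socket.AF_INET6


def resolve_static(table, name, family):
    """Return (answers, missing_families).

    answers          : hosts-file addresses that match the requested family/families
    missing_families : requested families with no static entry.  Under the assumed
                       policy, a resolver that insists on filling every requested
                       family would send a DNS query for these even though the
                       name is present in /etc/hosts.
    """
    wanted = families_requested(family)
    answers = [a for a in table.get(name.lower(), []) if family_of(a) in wanted]
    found = {family_of(a) for a in answers}
    return answers, wanted - found


def leaks_private_name(table, name, family):
    """True when the model would send a DNS query for a name whose static
    addresses are all private or loopback, i.e. a name not meant to exist in
    the global DNS."""
    answers, missing = resolve_static(table, name, family)
    if not answers or not missing:
        return False
    return all(a.is_private or a.is_loopback for a in answers)


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    for fam, label in ((socket.AF_INET, "AF_INET"), (socket.AF_UNSPEC, "PF_UNSPEC")):
        answers, missing = resolve_static(hosts, "intranet.example", fam)
        print(label, [str(a) for a in answers],
              "DNS needed for:", sorted(missing),
              "private name leaks:", leaks_private_name(hosts, "intranet.example", fam))
```

Run as a script it shows the contrast the message is about: the AF_INET lookup for intranet.example is answered entirely from the static file, while the PF_UNSPEC lookup leaves AF_INET6 unanswered and, under the assumed policy, would send a query for a private-only name to DNS.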