This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.



Re: getaddrinfo with PF_UNSPEC and /etc/hosts


On Fri, Nov 23, 2001 at 07:46:24PM +0200, Pekka Savola wrote:
> On 23 Nov 2001, Ulrich Drepper wrote:
> > Ben Collins <bcollins@debian.org> writes:
> > 
> > > Which is why I said it was a hack, a workaround. It does have to do with
> > > security. If you try to connect to "www.sun.com", and the DNS for a
> > > domain in your search is hacked,
> > 
> > If your search is hacked anything can happen.  That's no argument.
> > Again, there is no additional risk.
> 
> IMO,
> 
> There are two basic points for using /etc/hosts:
> 
> 1) security; as it's statically configured, you don't need to trust DNS to 
> give the right answer (think cache poisoning and other attacks).
> (note: I don't really see what Ben Collins tried to point out either)
> 
> 2) reliability: in cases where DNS or network connectivity is off-line, 
> there would be no need for lookups for (more or less, in host vs. site 
> sense) local addresses.
> 
> (Additional note: in case private addresses are used in /etc/hosts (rather
> common I think) querying them in the global DNS may be undesirable.)
> 
> Both of these arguments are broken by current getaddrinfo.

My point was this:

If I do a lookup for "www.sun.com" with PF_UNSPEC, it starts searching
in this order:

www.sun.com		AAAA
www.sun.com.debian.org	AAAA
www.sun.com.visi.net	AAAA
www.sun.com		A
www.sun.com.debian.org	A
www.sun.com.visi.net	A

With my patch, it does this:

www.sun.com		AAAA
www.sun.com		A
www.sun.com.debian.org	AAAA
www.sun.com.visi.net	AAAA
www.sun.com.debian.org	A
www.sun.com.visi.net	A


This was the original problem. The problem you are discussing is
twofold. One, getaddrinfo almost always requires a DNS lookup, and two, the
resolver has bad ordering for UNSPEC. My patch only takes care of number
"2".



Ben



-- 
 .----------=======-=-======-=========-----------=====------------=-=-----.
/                   Ben Collins    --    Debian GNU/Linux                  \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
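The two query orders Ben lists, modelled in a small Python script. This is an added example, not code from the message or from glibc: the search list (debian.org, visi.net) is the one in his listing, but the zone contents, the addresses, the idea that the debian.org search domain is attacker-controlled, and the "first positive answer wins, NODATA and NXDOMAIN both move the search on" stop rule are constructed assumptions for illustration. It shows why the ordering matters: with the unpatched order a poisoned search domain can answer AAAA before the bare name's A record is ever asked for, while the patched order asks for both types of the bare name first.

```python
"""Toy model of the two getaddrinfo(PF_UNSPEC) query orders from the thread.

Added example, not glibc code.  Zone contents, addresses, the search list
and the 'first positive answer wins' stop rule are constructed assumptions.
"""
from typing import Dict, List, Optional, Tuple

Query = Tuple[str, str]  # (owner name, record type)

# Constructed zone data: owner name -> {rrtype: address}.
# www.sun.com is assumed to have only an A record; the debian.org search
# domain is assumed to be under attacker control and to answer AAAA for the
# expanded name.  Neither address is real (192.0.2.0/24 and 2001:db8::/32
# are documentation prefixes).
ZONES: Dict[str, Dict[str, str]] = {
    "www.sun.com": {"A": "192.0.2.10"},
    "www.sun.com.debian.org": {"AAAA": "2001:db8::bad"},
}

SEARCH_LIST = ["debian.org", "visi.net"]  # search list from Ben's listing


def candidates(name: str, search: List[str]) -> List[str]:
    """Owner names a search-list lookup tries: the bare name first, then each
    search-domain expansion.  A trailing dot marks the name as fully
    qualified and suppresses expansion entirely."""
    if name.endswith("."):
        return [name[:-1]]
    return [name] + [f"{name}.{dom}" for dom in search]


def family_major_order(name: str, search: List[str]) -> List[Query]:
    """Order Ben describes for unpatched glibc: the whole search list for
    AAAA, then the whole search list again for A."""
    cands = candidates(name, search)
    return [(n, "AAAA") for n in cands] + [(n, "A") for n in cands]


def name_major_order(name: str, search: List[str]) -> List[Query]:
    """Order with Ben's patch: both types for the bare name first, then the
    search-domain expansions (AAAA for all of them, then A for all)."""
    cands = candidates(name, search)
    bare, rest = cands[0], cands[1:]
    return ([(bare, "AAAA"), (bare, "A")]
            + [(n, "AAAA") for n in rest]
            + [(n, "A") for n in rest])


def resolve(order: List[Query],
            zones: Dict[str, Dict[str, str]]) -> Tuple[Optional[Query], int]:
    """Walk the query list and return (query that got a positive answer,
    number of queries sent).  In this model a name without a record of the
    requested type (NODATA) is treated like NXDOMAIN: the search moves on."""
    sent = 0
    for owner, rrtype in order:
        sent += 1
        if rrtype in zones.get(owner, {}):
            return (owner, rrtype), sent
    return None, sent


def first_answer(name: str, order_fn, zones=ZONES,
                 search=SEARCH_LIST) -> Optional[str]:
    """Address the client would try first under the given query ordering."""
    hit, _ = resolve(order_fn(name, search), zones)
    if hit is None:
        return None
    owner, rrtype = hit
    return zones[owner][rrtype]


if __name__ == "__main__":
    for label, fn in (("unpatched", family_major_order),
                      ("patched", name_major_order)):
        print(label, [f"{n} {t}" for n, t in fn("www.sun.com", SEARCH_LIST)])
        print("  first answer:", first_answer("www.sun.com", fn))
```

Under these assumptions the unpatched order hands the client the attacker's AAAA after two queries, and the patched order hands it the genuine A record after two queries. A fully qualified name ("www.sun.com.") yields the genuine answer under either order, because no search-domain expansion happens at all; that is the caveat a practitioner would want when relying on search lists for convenience.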

