Re: [mif] [dnsext] [DNSOP] 2nd Last Call for MIF DNS server selection document

[Mark Andrews <marka@isc.org>]

In message <CB52BAAF-F38F-4815-9B91-4656F1F3837F@insensate.co.uk>, Lawrence Con
roy writes:
> Hi there Doug, Keith, folks,
>  Speaking of broken mechanisms ... how many dots?
> arstechnica.com is OK
>       co.uk is not OK
> 
> ndots strikes me as a chocolate soldier in the fire used to warm the 
> chocolate teapot that is search lists.
> 
> At best these are context dependent (and keep IT support in business). At 
> worst ...
>  one day I WILL be arrested for tazering the bean counter (why is it 
> always one of
>  those?) who insists that "intranet" is a fine web server name useful 
> anywhere.
> 
> [I came damn close a few times with Yankee hotel reservations accessible 
> only via
>  1-800 'phone numbers]
> 
> Speaking of interoperability -- the comment "it works for everyone here" 
> is not
>  a good sign that the solution is interoperable.
> 
> IMO, search lists and ndots are both abominations, and should not be 
> given the oxygen of publicity.
> 
> all the best,
>   Lawrence
> 
> 
> 
> On 24 Oct 2011, at 21:52, Doug Barton wrote:
> > On 10/24/2011 05:16, Keith Moore wrote:
> >> That's the point - search lists are not appropriate most of the time, 
> and it's very hard for software to distinguish the cases where they are 
> potentially appropriate from the cases when they're not, and it's not 
> possible for software to do this in all cases.
> > 
> > There's been something missing from this discussion, and I finally put
> > my finger on it. TMK most stub resolvers have an option similar to this
> > one from ISC's:
> > 
> > ndots:n
> >        sets a threshold for the number of dots which
> >        must appear in a name given to res_query() (see
> >        resolver(3)) before an initial absolute query
> >        will be made.  The default for n is “1”, mean‐
> >        ing that if there are any dots in a name, the
> >        name will be tried first as an absolute name
> >        before any search list elements are appended to
> >        it.
> > 
> > So it seems that this question is already a matter of local policy,
> > which given the number and quality of the divergent views seems
> > eminently reasonable. Can we move on now?
> 
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext

In many cases when ndots is not 1 there are no DNS entries that
will match <any-tld>.<search-list-entry>.  That said the set of
<any-tld> is growing so it is going to get harder and harder to
ensure that this condition is being met.

Walled gardens shouldn't be creating their own TLDs.  ISP's, hotspots,
etc. should not be search list at all.  The definitely should not
be relying on "label" being found on a search list.

As far as I can tell there are only two places where setting search
list make sense.

	1. Enterprises.
	2. Homes.

Everywhere else you DO NOT control the machine requesting the address
and setting search lists could actually result in criminal prosecution.
Just because the machine requested a search list it doesn't mean
that you should be supplying one.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org