On Mon, 18.05.15 12:26, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:

> I now agree with what Lennart proposed too. This is partially implemented
> now, and with UseDomains=yes, option 15 is used to set the 'search' field.
> 
> I think we should go a step further, and set UseDomains=yes by default,
> to have 'search' populated in /etc/resolv.conf. I think the security
> reservations are overstated:
> iiuc, the concern was that multi-level domain names (i.e. those with at least
> one dot) could be spoofed by controlling the search suffix. But for
> names with at least two levels glibc only uses the search list as a
> fallback.

Well, sure, being able to influence things at the beginning of the
search logic is more problematic than influencing things at the end of
the search logic, but I still think it's problematic, since it still
allows you to insert "home.foobar.com" into a domain "foobar.com" that
doesn't have "home.foobar.com" itself but only "www.bar.com"...

Sure, classic (non-DNSSEC) DNS is not ever going to be fully secure,
but I still believe we should default to the safer options, and
allow the others.

Altering the search paths is inherently something that makes no sense
on public networks, it only makes sense if you know your network well,
and trust it to some level. Hence opt-in sounds like the better option
to me.

> The story is slightly different for single-level names. By setting
> UseDomains=yes we allow the dhcp server some control over the resolution
> of those names. But that seems natural too. If we want to allow LLMNR or
> avahi, allowing the dhcp server to also control local name resolution
> seems a natural extension.
> 
> Any reservations for making UseDomains=yes the default?

I'd really prefer if this stays opt-in. That said, I think it would be
a really good idea to improve the documentation of DHCP= to suggest that
people set UseDomains=yes if they need it.

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
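The glibc search-list behaviour the thread argues about, modelled as an added Python example (not code from the thread or from systemd): with ndots=1, a name containing a dot is queried as-is first and the search list is only a fallback, yet a DHCP-supplied suffix still decides what a non-existent multi-label name resolves to. The search domain `untrusted.example` and the zone contents are constructed for the illustration.

```python
"""Model of glibc's resolver query order (res_search) for a given search list."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ResolverConfig:
    # 'search' would come from DHCP option 15/119 when UseDomains=yes.
    search: List[str] = field(default_factory=list)
    ndots: int = 1  # glibc default


def candidate_names(name: str, cfg: ResolverConfig) -> List[str]:
    """Fully qualified names glibc tries, in order, for a lookup of `name`."""
    if name.endswith("."):
        # Trailing dot: absolute name, the search list is never consulted.
        return [name.rstrip(".")]
    suffixed = [f"{name}.{domain}" for domain in cfg.search]
    if name.count(".") >= cfg.ndots:
        # Multi-label name: try as-is first, search list only as fallback.
        return [name] + suffixed
    # Single label: search list first, then the bare name.
    return suffixed + [name]


def resolve(name: str, cfg: ResolverConfig,
            zone: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (name actually answered, address) or None for NXDOMAIN."""
    for candidate in candidate_names(name, cfg):
        if candidate in zone:
            return candidate, zone[candidate]
    return None


# Constructed data: foobar.com has only www, but the DHCP-pushed search
# domain (constructed: untrusted.example) carries a 'home.foobar.com' host.
ZONE = {
    "www.foobar.com": "203.0.113.10",
    "home.foobar.com.untrusted.example": "198.51.100.7",
}
DHCP_CFG = ResolverConfig(search=["untrusted.example"])  # UseDomains=yes
OPT_IN_OFF = ResolverConfig()                            # default, no search list

if __name__ == "__main__":
    for cfg in (DHCP_CFG, OPT_IN_OFF):
        print(cfg.search, "->", resolve("home.foobar.com", cfg, ZONE))
```

With the DHCP search list applied, `home.foobar.com` (absent from foobar.com) is answered from the pushed suffix; with the search list left empty it stays NXDOMAIN, which is the opt-in default the reply argues for.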
