What a timely thread.
I've recently concluded that we need an extension to getaddrinfo() along
these lines, but I'm looking for somewhat tighter and more generic
semantics.
My proposal is to add an AI_SECURE_CANONNAME flag with the following
semantics:
- it MUST be used with AI_CANONNAME
- if set in the hints then it will be set in the results IFF:
    - the resulting ai_canonname == the nodename given as input
  or
    - the resulting ai_canonname was obtained securely, such as from a
      write-protected local hosts file, via DNSSEC, or via any other
      acceptably secure name service
  or
    - the resulting ai_canonname == nodename + '.' + default domain from
      the resolver's configuration (i.e., the _first_ domain in the
      search list)
Additional flags for controlling search behaviour would be nice, such
as:
- AI_CANONNAME_SEARCH_ANY
    Accept canonical names formed by successively trying the given
    nodename suffixed with the domainnames from the resolver's search
    list. If this flag is used in the input hints then it will be set in
    the result IFF the domainname used to qualify the given nodename was
    not the first domain in the search list.
- AI_CANONNAME_SEARCH_PARENTS
    Like AI_CANONNAME_SEARCH_ANY, but skip domainnames in the search list
    which are not parents (or grandparents) of the preceding domainname
    on the list.
- AI_CANONNAME_SEARCH_SIBLINGS
    Like AI_CANONNAME_SEARCH_PARENTS, but search sibling domains in the
    search list too.
- AI_CANONNAME_SEARCH_DEFAULT
    Allow whatever AI_CANONNAME_SEARCH_* behaviour is locally configured
    as a default for this flag. If this flag is used in the input hints
    then one of the above will be set in the result to indicate which
    search policy was configured and used. This flag might be all the
    other AI_CANONNAME_SEARCH_* flags ORed together.
I'm still researching this proposal. We might want one more flag to
indicate whether unsecured NXDOMAIN replies can be/were processed during
search list processing, say, AI_SECURE_CANONNAME_SEARCH.
And we might not care to have so many AI_CANONNAME_SEARCH_* flags, maybe
AI_CANONNAME_SEARCH_ANY will do.
Comments?
Nico
--
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
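A small C model of the AI_SECURE_CANONNAME and AI_CANONNAME_SEARCH_ANY semantics proposed in the post above, added here as an illustration; it is not code from the post, from the IETF thread, or from any resolver. The numeric flag values, the canon_source classification, the constructed search list and the function proposed_result_flags() are all this example's own assumptions, and it models only the three "set in the result IFF" rules plus the SEARCH_ANY rule, not the PARENTS/SIBLINGS/DEFAULT variants.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Proposed flag bits from the post. The numeric values are placeholders
 * chosen for this example; no libc defines them. AI_CANONNAME is likewise
 * defined locally so the example does not depend on <netdb.h>. */
#define AI_CANONNAME             0x0002
#define AI_SECURE_CANONNAME      0x10000
#define AI_CANONNAME_SEARCH_ANY  0x20000

/* Where the resolver obtained ai_canonname (a constructed classification). */
enum canon_source {
    CANON_UNSECURED_DNS,   /* ordinary DNS answer, not validated */
    CANON_DNSSEC,          /* DNSSEC-validated answer */
    CANON_LOCAL_HOSTS      /* write-protected local hosts file */
};

/* Constructed resolver search list: the first entry is the default domain. */
const char *const EXAMPLE_SEARCH[] = { "corp.example.com", "lab.example.com" };
#define EXAMPLE_NSEARCH 2

/* Case-insensitive comparison of two DNS names, ignoring one trailing dot. */
static bool dns_name_eq(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la && a[la - 1] == '.') la--;
    if (lb && b[lb - 1] == '.') lb--;
    if (la != lb) return false;
    for (size_t i = 0; i < la; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* True if canon is exactly node "." domain. */
static bool qualified_by(const char *node, const char *domain, const char *canon)
{
    char buf[512];
    int n = snprintf(buf, sizeof buf, "%s.%s", node, domain);
    if (n < 0 || (size_t)n >= sizeof buf) return false;
    return dns_name_eq(buf, canon);
}

/* Compute the flags the proposal would report in the result ai_flags.
 * Returns -1 when AI_SECURE_CANONNAME is requested without AI_CANONNAME
 * (the proposal says the former MUST be used with the latter). */
int proposed_result_flags(int hints_flags, const char *nodename,
                          const char *canonname, enum canon_source src,
                          const char *const *search_list, size_t nsearch)
{
    int out = 0;

    if ((hints_flags & AI_SECURE_CANONNAME) && !(hints_flags & AI_CANONNAME))
        return -1;

    if (hints_flags & AI_SECURE_CANONNAME) {
        bool secure =
            dns_name_eq(canonname, nodename)                       /* rule 1 */
            || src == CANON_DNSSEC || src == CANON_LOCAL_HOSTS     /* rule 2 */
            || (nsearch > 0 &&
                qualified_by(nodename, search_list[0], canonname)); /* rule 3 */
        if (secure) out |= AI_SECURE_CANONNAME;
    }

    if (hints_flags & AI_CANONNAME_SEARCH_ANY) {
        /* Set in the result only when a domain other than the first in the
         * search list was the one used to qualify the nodename. */
        for (size_t i = 1; i < nsearch; i++)
            if (qualified_by(nodename, search_list[i], canonname)) {
                out |= AI_CANONNAME_SEARCH_ANY;
                break;
            }
    }
    return out;
}

int main(void)
{
    int hints = AI_CANONNAME | AI_SECURE_CANONNAME | AI_CANONNAME_SEARCH_ANY;
    int a = proposed_result_flags(hints, "db1", "db1.corp.example.com",
                                  CANON_UNSECURED_DNS, EXAMPLE_SEARCH, EXAMPLE_NSEARCH);
    int b = proposed_result_flags(hints, "db1", "db1.lab.example.com",
                                  CANON_UNSECURED_DNS, EXAMPLE_SEARCH, EXAMPLE_NSEARCH);
    int c = proposed_result_flags(hints, "db1", "db1.lab.example.com",
                                  CANON_DNSSEC, EXAMPLE_SEARCH, EXAMPLE_NSEARCH);
    printf("first search domain, unsecured DNS: secure=%d any=%d\n",
           !!(a & AI_SECURE_CANONNAME), !!(a & AI_CANONNAME_SEARCH_ANY));
    printf("second search domain, unsecured DNS: secure=%d any=%d\n",
           !!(b & AI_SECURE_CANONNAME), !!(b & AI_CANONNAME_SEARCH_ANY));
    printf("second search domain, DNSSEC: secure=%d any=%d\n",
           !!(c & AI_SECURE_CANONNAME), !!(c & AI_CANONNAME_SEARCH_ANY));
    return 0;
}
```

The three cases in main() show the distinction the proposal draws: a name qualified by the first search domain is treated as secure even from unvalidated DNS, a name qualified by a later search domain is reported via AI_CANONNAME_SEARCH_ANY but is not secure unless the answer itself came from DNSSEC or a protected hosts file.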