On Mon, 28.09.20 22:54, Björn Persson (Bjorn@rombobjörn.se) wrote:

> It can work in company-scope if the company has competent network
> admins. My local DNS server at home resolves local hostnames to private
> IPv4 addresses in the 192.168/16 block. Clients on the Internet see
> another view. Both views are DNSsec-signed, and validation works fine.
> There's no reason why this setup wouldn't work on a corporate network.
> The key is to use a domain that is actually registered to the company,
> not some made-up TLD like "internal" or whatever the incompetent
> network admins come up with.

You never take your laptop outside to a cafe or so? You never connected it to something that is not your home or office network? Thing is, most people do that; we need to have something that makes the best of such networks.

> It would make more sense to select the "personality" based on what
> interface the client uses, than based on a DO flag in the query:
> Present actual standards-compliant DNS and nothing else on UDP and TCP
> port 53, and return your own synthesized stuff to programs that call
> getaddrinfo (and through the D-Bus interface I suppose).

Nah, that does not work. The majority of C programs might go via getaddrinfo(), but a major chunk of what we ship in this distro simply does not, and does DNS natively. And I think that's totally OK. There needs to be IPC involved anyway, to isolate the DNS stack (i.e. resolved) from the client issuing the query. Whether that's D-Bus or Varlink or just simple local DNS datagrams doesn't really matter.

> Nobody connects to port 53 expecting to get entries from /etc/hosts or
> LLMNR. Programs that do this expect only DNS – and they're likely to
> expect advanced DNS features to work, because they would have just
> called getaddrinfo if they weren't interested in advanced features. It
> could even be argued that returning non-DNS data through the DNS
> protocol is wrong, but if you can do it without violating DNS standards,
> then I don't think it will hurt.

This is not the reality I live in though. New-style high level programming languages tend to avoid being just a wrapper around C APIs. And thus they implement minimal DNS clients themselves, ignoring the LLMNR, mDNS and so on.

Lennart

--
Lennart Poettering, Berlin

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
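The DO-flag dispatch the two posters disagree about, as an added example that is not part of this thread and not systemd-resolved's own code: it builds DNS wire-format queries with and without an EDNS0 OPT record carrying the DO bit (RFC 6891) and shows how a local stub could tell a "wants real DNS" client from one it may answer with synthesized data. The function names and the two "personality" labels are my own assumptions.

```python
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000      # DO flag: top bit of the low 16 bits of the OPT "TTL" field


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels terminated by the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("!B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, edns: bool = True, do: bool = False,
                udp_size: int = 4096, txid: int = 0x1234) -> bytes:
    """Minimal A query; with edns=True an OPT RR is added, carrying DO when do=True."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode|version|DO|Z, RDLEN=0
        ttl_field = DO_BIT if do else 0
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl_field, 0)
    return pkt


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at pkt[off:]."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer, 2 bytes, ends the name
            return off + 2
        off += 1 + length


def has_do_flag(pkt: bytes) -> bool:
    """True if the query carries an OPT RR with the DO bit set."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return bool(ttl & DO_BIT)
    return False


def choose_personality(pkt: bytes) -> str:
    """Hypothetical stub policy: DO set -> pass-through DNS only; otherwise local synthesis allowed."""
    return "standards-dns" if has_do_flag(pkt) else "local-synthesis"
```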