Hi Pavel,
since authselect already advertises features for profiles regarding mdns as:
--with-mdns4
--with-mdns6
it would be great if the profile feature logically matched what is going
to be enabled - --with-mdns4 will put 'mdns4' into 'hosts' in
nsswitch.conf instead of current mdns_minimal.
AFAIK from Avahi people (pemensik in CC) I wouldn't go for mdns and
mdns_minimal, because hostname->IPv6 + hostname->IPv4 address
resolutions are currently made in sequence in Avahi, so getting the
result will be unnecessarily delayed if one of them is not defined.
IIUC the nss-mdns README, the main difference between mdns4 and
mdns4_minimal is /etc/mdns.allow file support, which can allow bypassing
heuristics and allows the user to do mDNS queries in conflict with the mDNS
standard (e.g. the standard specifies that only .local or .local. domains
can be used for mDNS) - although it would be great if networks were up
to the standards, it is not the case in reality. We had this issue
https://bugzilla.redhat.com/show_bug.cgi?id=2148500 , where an ISP injected
a DNS server which defined the 'local' domain as a classic DNS record, breaking
mDNS resolution in the whole user's environment. Fortunately Petr came up
with a solution for it (now nss-mdns always does an mDNS lookup for .local,
but if there is a DNS SOA for .local and the mDNS lookup didn't succeed, moves
to DNS), so this scenario doesn't need mdns.allow anymore, but IMO there
could be other divergences from standards in the networks, so having the
option to use mdns.allow in the default configuration is welcome.
So what I would propose:
- use mdns4/mdns6 with authselect --with-mdns4 and --with-mdns6 profile
features instead of _minimal to honor name logic,
- don't use mdns/mdns_minimal - if someone wants to use it, he can
enable both features separately,
- if someone would like to use mdns4/6_minimal, he can opt-out from
authselect and update nsswitch.conf manually.
@Adam, @Petr, please let me know if there are other things to consider
or disadvantages in this.
Zdenek
On 7/31/23 14:47, Pavel Březina wrote:
Hi Fedora,
I have this ticket opened against authselect:
https://github.com/authselect/authselect/issues/334
I am not a user of mdns myself, so I wonder if the non-minimal version of
mdns is something used and if it should be included in the authselect
profiles (or even replace the minimal version).
mdns support is already complicated since there are mdns, mdns4 and
mdns6 full and minimal versions of the module. Is it really required
nowadays? In my opinion, it might be good to move the logic out of
nsswitch into a configuration file.
Thank you for your feedback,
Pavel.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
Zdenek Dohnal
Senior Software Engineer
Red Hat, BRQ-TPBC
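
An added example, not part of the thread and not authselect or nss-mdns code: a small audit of the `hosts:` line in nsswitch.conf that reports which nss-mdns variants are configured, whether each one reads /etc/mdns.allow (non-minimal only, as the message above reads the README), and whether the combined mdns/mdns_minimal module is in use. The function names and both sample lines are constructed for illustration.

```python
import re

# nss-mdns module names: mdns, mdns4, mdns6, each with a "_minimal" variant.
MDNS_RE = re.compile(r"^mdns(4|6)?(_minimal)?$")


def hosts_services(nsswitch_text):
    """Return service names from the 'hosts:' line, dropping [ACTION] items."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if line.startswith("hosts:"):
            body = re.sub(r"\[[^\]]*\]", " ", line[len("hosts:"):])
            return body.split()
    return []


def audit_mdns(nsswitch_text):
    """Classify every nss-mdns module found in the hosts lookup order."""
    findings = []
    for svc in hosts_services(nsswitch_text):
        m = MDNS_RE.match(svc)
        if not m:
            continue
        family, minimal = m.group(1), bool(m.group(2))
        findings.append({
            "module": svc,
            "family": {"4": "IPv4", "6": "IPv6", None: "IPv4+IPv6"}[family],
            # Only the non-minimal modules consult /etc/mdns.allow, so only
            # they can be widened beyond the .local heuristics.
            "honors_mdns_allow": not minimal,
            # Combined module: both lookups run in sequence (per the thread).
            "sequential_lookup": family is None,
        })
    return findings


# Constructed sample inputs, not taken from any real system or profile.
SAMPLE_MINIMAL = (
    "passwd: files sss\n"
    "hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname\n"
)
SAMPLE_FULL = "hosts: files mdns4 mdns6 [NOTFOUND=return] dns  # constructed\n"

if __name__ == "__main__":
    for name, text in (("minimal", SAMPLE_MINIMAL), ("full", SAMPLE_FULL)):
        for finding in audit_mdns(text):
            print(name, finding)
```

Where `honors_mdns_allow` is true, /etc/mdns.allow belongs in the same review, since its contents decide which names are resolved over multicast.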