AI_SECURE_CANONNAME, AI_CANONNAME_SEARCH_* (Re: getaddrinfo() and searching)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

What a timely thread.

I've recently concluded that we need an extension to getaddrinfo() along
these lines, but I'm looking for somewhat tighter and more generic
semantics.

My proposal is to add an AI_SECURE_CANONNAME flag with the following
semantics:

 - it MUST be used with AI_CANONNAME

 - if set in the hints then it will be set in the results IFF:

    - the resulting ai_canonname == the nodename given as input

      or

    - the resulting ai_canonname was obtained securely, such as from a
      write-protected local hosts file, via DNSSEC, or via any other
      acceptably secure name service

      or

    - the resulting ai_canonname == nodename + '.' + default domain from
      the resolver's configuration (i.e., the _first_ domain in the
      search list)


Additional flags modifying for controlling search behaviour would be
nice, such as:

 - AI_CANONNAME_SEARCH_ANY

   Accept canonical names formed by successively trying the given
   nodename suffixed with the domainnames from the resolver's search
   list.  If this flag is used in the input hints then it will be set in
   the result IFF the domainname used to qualify the given nodename was
   not the first domain in the search list.

 - AI_CANONNAME_SEARCH_PARENTS

   Like AI_CANONNAME_SEARCH_ANY, but skip domainnames in the search list
   which are not parents (or grandparents) of the preceding domainname
   on the list.

 - AI_CANONNAME_SEARCH_SIBLINGS

   Like AI_CANONNAME_SEARCH_PARENTS, but search sibling domains in the
   search list too.

 - AI_CANONNAME_SEARCH_DEFAULT

   Allow whatever AI_CANONNAME_SEARCH_* behaviour is locally configured
   as a default for this flag.  If this flag is used in the input hints
   then one of the above will be set in the result to indicate which
   search policy was configured and used.  This flag might be all the
   other AI_CANONNAME_SEARCH_* flags ORed together.


I'm still researching this proposal.  We might want one more flag to
indicate whether unsecured NXDOMAIN replies can be/were processed during
search list processing, say, AI_SECURE_CANONNAME_SEARCH.

And we might not care to have so many AI_CANONNAME_SEARCH_* flags, maybe
AI_CANONNAME_SEARCH_ANY will do.

Comments?

Nico
-- 

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]