
Bug#182886: libc6: local hostnames containing a dot get forwarded outside when doing host-lookups.

* Vassilii Khachaturov <vassilii@tarunz.org> [030228 20:21]:
> Quoting from resolv.conf(5):
>      options  Allows certain internal resolver variables to be modified.  The
>               syntax is
>                     options option ...
>               where option is one of the following:
>               debug     sets RES_DEBUG in _res.options.
>               ndots:n   sets a threshold for the number of dots which must
>                         appear in a name given to res_query() (see
>                         resolver(3)) before an initial absolute query will be
>                         made.  The default for n is ``1'', meaning that if
>                         there are any dots in a name, the name will be tried
>                         first as an absolute name before any search list ele-
>                         ments are appended to it.

Thanks, I missed that. Being placed under "internal variables" and
"debug" seems to have tricked me into ignoring this part.

There should at least be a sentence "search" to indicate that one has
to read the ndots-part to get a real search-path.

> So it looks like to achieve what you suggest the ndots default 
> should be adjusted according to the local policy during the installation 
> process, right?

There is still the problem of an insecure default. Perhaps reassigning
a clone to the installer might be the best solution. 

	Bernhard R. Link
The man who trades freedom for security does not deserve 
nor will he ever receive either. (Benjamin Franklin)
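
Added example, not part of the original message: a small Python model of the lookup order that the quoted resolv.conf(5) text describes, showing which name is queried first for a dotted local hostname under the default ndots:1 and under ndots:2. The resolv.conf contents, the domain corp.example and the host names are constructed for illustration; the model covers only the search/ndots ordering, not the full resolver.

```python
# Constructed resolv.conf contents (not taken from the bug report).
DEFAULT_CONF = "search corp.example\nnameserver 192.0.2.53\n"
ADJUSTED_CONF = DEFAULT_CONF + "options ndots:2\n"


def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf text."""
    search, ndots = [], 1  # resolv.conf(5): the default for n is 1
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue
        if fields[0] in ("search", "domain"):
            search = fields[1:]
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots


def candidate_queries(name, search, ndots):
    """Names in the order they are tried until one of them resolves."""
    if name.endswith("."):
        return [name]  # trailing dot: already absolute, no search list
    absolute = name + "."
    searched = [f"{name}.{domain.rstrip('.')}." for domain in search]
    if name.count(".") >= ndots:
        return [absolute] + searched  # initial absolute query goes first
    return searched + [absolute]      # search list first, absolute last


def first_query_is_local(name, search, ndots):
    """True if the first name tried lies inside a configured search domain."""
    first = candidate_queries(name, search, ndots)[0]
    return any(first.endswith("." + d.rstrip(".") + ".") for d in search)


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("ndots:2", ADJUSTED_CONF)):
        search, ndots = parse_resolv_conf(conf)
        for host in ("fileserver", "fileserver.lab"):
            order = candidate_queries(host, search, ndots)
            local = first_query_is_local(host, search, ndots)
            print(f"{label:8} {host:15} local-first={local} {order}")
```

Even with a raised ndots the absolute name remains the last candidate, so a dotted local name that does not exist under any search domain is still queried as-is.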
