Bug#182886: libc6: local hostnames containing a dot get forwarded outside when doing host-lookups.
* Vassilii Khachaturov <email@example.com> [030228 20:21]:
> Quoting from resolv.conf(5):
> options Allows certain internal resolver variables to be modified. The
> syntax is
> options option ...
> where option is one of the following:
> debug sets RES_DEBUG in _res.options.
> ndots:n sets a threshold for the number of dots which must
> appear in a name given to res_query() (see
> resolver(3)) before an initial absolute query will be
> made. The default for n is ``1'', meaning that if
> there are any dots in a name, the name will be tried
> first as an absolute name before any search list ele-
> ments are appended to it.
Thanks, I missed that. Being placed unter "internal variables" and
"debug" seems to have tricked me in ignoring this part.
There should at least be a sentence "search" to indicate that one has
to read the ndots-part to get a real search-path.
> So it looks like to achieve what you suggest the ndots default
> should be adjusted according to the local policy during the installation
> process, right?
There is still the problem of an insecure default. Perhaps reassigning
a clone to the installer might be the best solution.
Bernhard R. Link
The man who trades freedom for security does not deserve
nor will he ever receive either. (Benjamin Franklin)