
Re: Bug#182886: libc6: local hostnames containing a dot get forwarded outside when doing host-lookups.



* Vassilii Khachaturov <vassilii@tarunz.org> [030228 20:21]:
> Quoting from resolv.conf(5):
> 
>      options  Allows certain internal resolver variables to be modified.  The
>               syntax is
>                     options option ...
>               where option is one of the following:
> 
>               debug     sets RES_DEBUG in _res.options.
> 
>               ndots:n   sets a threshold for the number of dots which must
>                         appear in a name given to res_query() (see
>                         resolver(3)) before an initial absolute query will be
>                         made.  The default for n is ``1'', meaning that if
>                         there are any dots in a name, the name will be tried
>                         first as an absolute name before any search list ele-
>                         ments are appended to it.

Thanks, I missed that. Being placed under "internal variables" and
"debug" seems to have tricked me into ignoring this part.

There should at least be a sentence "search" to indicate that one has
to read the ndots-part to get a real search-path.

> So it looks like to achieve what you suggest the ndots default 
> should be adjusted according to the local policy during the installation 
> process, right?

There is still the problem of an insecure default. Perhaps reassigning
a clone to the installer might be the best solution. 

Respectfully,
	Bernhard R. Link
-- 
The man who trades freedom for security does not deserve 
nor will he ever receive either. (Benjamin Franklin)


