public inbox for glibc-bugs@sourceware.org
From: "crrodriguez at opensuse dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug network/24255] resolver should handle special domains correctly
Date: Mon, 12 Jun 2023 13:55:35 +0000	[thread overview]
Message-ID: <bug-24255-131-zMM8W614OW@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-24255-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=24255

--- Comment #2 from Cristian Rodríguez <crrodriguez at opensuse dot org> ---
(In reply to Petr Menšík from comment #1)
> I do not think this is a good idea. If one is running a local cache on his
> machine, he might be able to forward onion. zone and all requests to it into
> TOR network to appropriate DNS servers.
> 
> That would be no longer possible if glibc blocked that query from DNS. I
> think we want it blocked only from forwarding to 3rd party servers. For
> example unbound or bind will create empty zones for it, blocking forwarding
> it to upstream DNS servers. That is what we want. It either handles it or
> blocks it.
> 
> I don't think this can be decided by glibc, it is not aware of configuration
> details of DNS. I would instead propose to have optional NSS hosts plugin
> with configurable blocklist, which could be put before dns in
> /etc/nsswitch.conf. If you would include onion in it, it would
> authoritatively say does not exist without allowing that in DNS. If you
> would have local dns cache able to configure this properly, it would not use
> such module.

This is not what the relevant standards say though.

" 3.  Name Resolution APIs and Libraries: Resolvers MUST either respond
       to requests for .onion names by resolving them according to
       [tor-rendezvous] or by responding with NXDOMAIN [RFC1035]."

glibc does not know and will probably never know by itself how to
tor-rendezvous; it could of course do it using an nss-module which must come
before dns or files in /etc/nsswitch.conf, but the dns and files modules must
return NXDOMAIN on such names.

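The two positions in this thread (a blocklist module ahead of `dns` in nsswitch.conf versus a local cache that really handles `.onion`, and the RFC 7686 rule that a resolver must do one or the other rather than forward the name) can be modelled as a small resolution chain. The following is an added example, not glibc code and not code from either commenter; it assumes an nsswitch-style chain where each module returns SUCCESS, NOTFOUND (authoritative, stop) or UNAVAIL (try the next module), a constructed hosts table and fake zone for the `files` and `dns` stand-ins, and a hypothetical `tor_rendezvous_module` that returns a marker instead of contacting Tor. The `dns` stand-in records every query it would send upstream, which is the leak RFC 7686 forbids.

```python
"""Model of RFC 7686 .onion handling in an nsswitch-style hosts chain.

Not glibc code.  Module status values mirror the NSS convention loosely:
SUCCESS (answer found), NOTFOUND (authoritative 'does not exist', chain
stops) and UNAVAIL (this module has no opinion, try the next one).
"""

SUCCESS, NOTFOUND, UNAVAIL = "success", "notfound", "unavail"


class NXDOMAIN(Exception):
    """The chain ended with an authoritative 'name does not exist'."""


def normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot just marks an FQDN.
    return name.rstrip(".").lower()


def is_onion(name: str) -> bool:
    # RFC 7686: only a final label of "onion" is special.  "onion.example"
    # is an ordinary name and must still be resolved normally.
    return normalize(name).split(".")[-1] == "onion"


def onion_blocklist_module(name, forwarded):
    # The optional NSS hosts blocklist proposed in the thread: answers
    # authoritatively "does not exist" so .onion never reaches dns.
    return (NOTFOUND, None) if is_onion(name) else (UNAVAIL, None)


# Constructed /etc/hosts-style table (example data only).
HOSTS = {"localhost": ["127.0.0.1", "::1"], "printer.lan": ["192.0.2.10"]}


def files_module(name, forwarded):
    addrs = HOSTS.get(normalize(name))
    return (SUCCESS, addrs) if addrs else (UNAVAIL, None)


# Constructed upstream zone data; a real module would send a DNS query.
FAKE_ZONE = {"example.test": ["192.0.2.1"], "onion.example.test": ["192.0.2.2"]}


def dns_module(name, forwarded):
    # Stand-in for the stub resolver: every name it sees is recorded as
    # "forwarded upstream", which is exactly what must not happen for .onion.
    forwarded.append(normalize(name))
    addrs = FAKE_ZONE.get(normalize(name))
    return (SUCCESS, addrs) if addrs else (NOTFOUND, None)


def tor_rendezvous_module(name, forwarded):
    # Hypothetical stand-in for a local cache that handles .onion itself,
    # the other RFC 7686-conformant choice.  Returns a marker, not a lookup.
    if is_onion(name):
        return (SUCCESS, ["tor-rendezvous:" + normalize(name)])
    return (UNAVAIL, None)


def resolve(name, chain, forwarded=None):
    """Run the module chain in order; return addresses or raise NXDOMAIN."""
    forwarded = [] if forwarded is None else forwarded
    for module in chain:
        status, addrs = module(name, forwarded)
        if status == SUCCESS:
            return addrs
        if status == NOTFOUND:  # authoritative, like [NOTFOUND=return]
            raise NXDOMAIN(name)
    raise NXDOMAIN(name)


def resolves_to_nxdomain(name, chain, forwarded=None) -> bool:
    """True when the chain answers 'does not exist' for name."""
    try:
        resolve(name, chain, forwarded)
    except NXDOMAIN:
        return True
    return False


def leaked_onion_queries(forwarded):
    """Detection helper: .onion names that reached the upstream dns module."""
    return [q for q in forwarded if is_onion(q)]


# Three "hosts:" orderings.  The first two satisfy RFC 7686; the third is
# the leak the bug report is about.
BLOCKLIST_CHAIN = [onion_blocklist_module, files_module, dns_module]
LOCAL_CACHE_CHAIN = [tor_rendezvous_module, files_module, dns_module]
UNGUARDED_CHAIN = [files_module, dns_module]

if __name__ == "__main__":
    seen = []
    print(resolves_to_nxdomain("Example.ONION.", BLOCKLIST_CHAIN, seen), seen)
    seen = []
    print(resolves_to_nxdomain("foo.onion", UNGUARDED_CHAIN, seen),
          leaked_onion_queries(seen))
```

Running the unguarded chain shows the failure mode concretely: the answer is still NXDOMAIN (the fake zone has no such name), so the user notices nothing, yet `leaked_onion_queries` reports that `foo.onion` went upstream. The blocklist chain gives the same NXDOMAIN without any upstream query, and the local-cache chain answers the name itself; both are what the RFC text quoted above allows.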
Thread overview:
     [not found] <bug-24255-131@http.sourceware.org/bugzilla/>
2023-06-12 13:32 ` pemensik at redhat dot com
2023-06-12 13:55 ` crrodriguez at opensuse dot org [this message]
2023-06-12 14:15 ` pemensik at redhat dot com
2024-02-24  8:00 ` milahu at gmail dot com