On Wed, 15 Oct 2003, Richard Lithvall wrote:
> In this case you don't honour the order of hosts lookup in
> /etc/nsswitch.conf.
> (Maybe someone wants to override the DNS-data by adding an /etc/hosts
> entry)
Quite. But what can I do? (See below).
On Wed, 15 Oct 2003, Terry Shows wrote:
> Don't forget the /etc/resolv.conf file in your discussion.
>
> I would suggest either giving us an option to define search orders, or to
> read the system configuration files (if available) to decide.
I don't want to have to interpret nsswitch.conf files. I could, of
course, provide an option.
On Thu, 16 Oct 2003, James P. Roberts wrote:
> Suggestion:
> (1) Use order specified in Exim config, if it exists.
> (2) If not, use system files if they exist.
> (3) If not, default to what Philip suggested.
I'm not happy with (2) because different systems may have different
files, and in any case, they may give the wrong answer. That's what
happened when I discovered this whole problem. Just to remind everybody:
1. Current releases call gethostbyaddr() to find a host name; this can
return a chain of hostent blocks for all the names of a host. However,
it appears that, in Linux, if a host that is found in the DNS has
multiple names, only one (at random) is returned. I consider this to be
a serious problem because it means that any policy controls that use
host names can potentially fail sometimes but not always, depending on
which one of several names is returned. An intermittent failure is
almost worse than not working at all.
2. A replacement for gethostbyaddr() that came in with IPv6 is
getipnodebyaddr(). However, though it was present in glibc 2.1.92-95, it
was removed again and deprecated in favour of getnameinfo(). [This is
just one of a number of "false starts" with IPv6.] So I don't know if
getipnodebyaddr() does/did any better than gethostbyaddr().
3. getnameinfo() does not return a chain of hostents. It just returns
one string for the host name. Consequently, it has no way to return more
than one name, as far as I can see. I've done a bit of googling and I
see things like "It also "breaks" the TCP wrapper ("tcpd") because the
POSIX interface 'getnameinfo()' can't deal with multiple names being
returned by a reverse lookup." and "So while multiple in-addr.arpa
entries are legal there is code (fairly new/recent code at that) which
doesn't/can't deal with it."
All of this points to: BIG PROBLEM.
I am prepared, if enough people want it, to add an option to make Exim
try gethostbyaddr() (or getipnodebyaddr()) before it does a direct DNS
call, but I am not prepared to make this the default, because it is a
huge gotcha. I will put a lot of warnings into the documentation if I do
implement this. Maybe the gotcha doesn't bite very often at present, but
things might change.
NOTE: a similar change was made to the manualroute router when we found
that gethostbyname() in some cases could return "no such host" instead
of "try again" when the DNS lookup timed out or gave a DNS error. It
appears that the integration of different lookup sources (files, DNS) is
less than perfect in many cases. I've had no complaints since I changed
manualroute for release 4.11.
Philip
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
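The points numbered 1 to 3 above turn on one fact: a reverse lookup can legitimately return several PTR records, but getnameinfo() hands back a single string. The following is an added example (not Exim code, and not anything Philip posted) that does what "a direct DNS call" gets you: it walks a constructed PTR reply for 1.2.3.4 (two PTR records, the second using name compression), collects every name, and applies a suffix-based host-name policy to all of them. The reply bytes, the function names and the 64-character name buffer are assumptions of this example.

```c
#include <string.h>
/* Constructed DNS reply (not a real capture): PTR 4.3.2.1.in-addr.arpa -> mail.example.com and www.example.com */
static const unsigned char reply[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,2, 0,0, 0,0,                             /* header: 1 question, 2 answers */
    1,'4', 1,'3', 1,'2', 1,'1', 7,'i','n','-','a','d','d','r', 4,'a','r','p','a', 0, 0,12, 0,1,
    0xc0,0x0c, 0,12, 0,1, 0,0,0x0e,0x10, 0,18,                             /* PTR, TTL 3600, rdlength 18 */
    4,'m','a','i','l', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0xc0,0x0c, 0,12, 0,1, 0,0,0x0e,0x10, 0,6, 3,'w','w','w', 0xc0,0x37,   /* "www" + pointer to example.com */
};
/* Expand the (possibly compressed) name at off into out; returns the offset just past it, 0 if malformed. */
static size_t read_name(const unsigned char *p, size_t len, size_t off, char *out, size_t outsz) {
    size_t o = 0, next = 0; int hops = 0;
    while (off < len) {
        unsigned c = p[off];
        if ((c & 0xc0) == 0xc0) {                          /* compression pointer: follow, bounded */
            if (off + 1 >= len || ++hops > 16) return 0;
            if (!next) next = off + 2;                     /* the caller resumes after the pointer */
            off = ((c & 0x3f) << 8) | p[off + 1];
        } else if (c == 0) { out[o] = 0; return next ? next : off + 1; }
        else {
            if (c > 63 || off + 1 + c > len || o + c + 2 > outsz) return 0;
            if (o) out[o++] = '.';
            memcpy(out + o, p + off + 1, c); o += c; off += c + 1;
        }
    }
    return 0;
}
/* Collect EVERY PTR name in the answer section (what getnameinfo() cannot return); returns the count. */
static int ptr_names(const unsigned char *p, size_t len, char names[][64], int max) {
    if (len < 12) return 0;
    int qd = (p[4] << 8) | p[5], an = (p[6] << 8) | p[7], n = 0;
    size_t off = 12; char tmp[64];
    for (int i = 0; i < qd; i++) { if (!(off = read_name(p, len, off, tmp, sizeof tmp))) return 0; off += 4; }
    for (int i = 0; i < an && n < max; i++) {
        if (!(off = read_name(p, len, off, tmp, sizeof tmp)) || off + 10 > len) return n;
        int type = (p[off] << 8) | p[off + 1];             /* type, class, TTL, rdlength follow the owner name */
        size_t rdlen = (p[off + 8] << 8) | p[off + 9], rd = off + 10;
        if (rd + rdlen > len) return n;
        if (type == 12 && read_name(p, len, rd, names[n], 64)) n++;
        off = rd + rdlen;
    }
    return n;
}
/* Host-name policy evaluated against all names: a check that only ever sees one of them
 * passes or fails depending on which name the resolver happened to return. */
static int allowed_by_suffix(char names[][64], int n, const char *suffix) {
    size_t sl = strlen(suffix);
    for (int i = 0; i < n; i++) { size_t nl = strlen(names[i]); if (nl >= sl && strcmp(names[i] + nl - sl, suffix) == 0) return 1; }
    return 0;
}
```

On a live system the same parser can be fed the buffer returned by res_query() for the in-addr.arpa name; the point is that the policy sees both names, so the intermittent failure described in point 1 cannot occur.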