[Dnsmasq-discuss] wrong response code for no SRV record

Rahul Amaram rahul at synovel.com
Sun May 2 10:48:38 BST 2010


Hi Simon,
Continuing with my previous discussion, I propose we have a 
configuration parameter such as "srv-host-nxdomain" or "nxdomain-hosts" 
using which we can force dnsmasq to return NXDOMAIN for any 
domains that we want to. What do you think?

Regards,
Rahul.

On Saturday 01 May 2010 02:59 PM, Rahul Amaram wrote:
> Well yes. I have encountered some problems with this. I am using 
> Kerberos in my company LAN. While performing kinit on my system, the 
> SRV record for _kerberos-master.udp.EXAMPLE.COM is looked up. Now if 
> an NXDOMAIN is not returned but instead the default port 1 with empty 
> host is returned, the kinit command tries to further resolve that 
> empty host (which I think is replaced with <ROOT> somehow) and this 
> causes an extreme slowdown of kinit.
>
> I think there should be some configuration option to say that an 
> NXDOMAIN should be returned for a particular SRV record. This would be 
> really helpful. What are your thoughts about this?
>
> Simon Kelley wrote:
>> Rahul Amaram wrote:
>>> Hi,
>>> I think I have found a bug in dnsmasq though I am not sure if this is
>>> the anticipated way it works. In /etc/dnsmasq.conf, it is mentioned:
>>>
>>> # A SRV record indicating that there is no LDAP server for the domain
>>> # example.com
>>> #srv-host=_ldap._tcp.example.com
>>>
>>> which means when a query for this record is made it is supposed to send
>>> a NXDOMAIN reply but this does not happen.
>>>
>>> I am attaching a patch which makes it behave this way. Kindly review it
>>> and let me know if I have misinterpreted something.
>>>
>>> Looking forward to an early reply.
>>>
>>
>> I think you have mis-interpreted the way this works. NXDOMAIN means that
>> there is no data in the DNS for the given domain. That is not what's
>> happening here. The example line returns a valid SRV record for
>> _ldap._tcp.example.com which happens to be empty. The "domain" refers to
>> _ldap._tcp.example.com and not the domain which may be returned as part
>> of the reply.
>>
>>
>> Have you encountered real-world problems with the existing behaviour?
>>
>>
>> Cheers,
>>
>> Simon.
>
>



