Subject: Re: HEADS UP: nsswitch about to go `live' in NetBSD-current
To: None <lukem@netbsd.org>
From: Paul Wain <paul.wain@nc.com>
List: current-users
Date: 01/17/1999 01:24:40
I'm trying to sit on the fence on this one, and come up with constructive
comments. That said...

Personally, I have to admit that I come down on the side of making Luke's new
defaults the norm. When I did my first NetBSD/arm32 install way back when (Jan
'97) it bugged me the default was "bind file" and not "file bind", especially
since you had to authorize a machine against various network services in the
environment I was in which meant large time-out delays to get any DNS lookup
working. Let's just say the Emerald Towers were a little paranoid on security :)

I think, however, the 2 most compelling arguments in favour of the new defaults
are these:

1 - "What you expect to happen". If I take a new install, and add a machine in
/etc/hosts, I really would expect that any DNS lookup on that host would
immediately hit that file 1st. For example (paraphrasing files) I have an entry
for "loki loki.brunel.ac.uk" in my hosts file. There is also a "loki.nc.com" and
my resolv.conf file has "search client.nc.com nc.com" in it. When I type "telnet
loki" where should it go if I have a default install? I really expect it to go
to "loki.brunel.ac.uk" and not "loki.nc.com" since I have an explicit hosts
entry. (I know this is a convoluted example since I know enough about
resolv.conf to have a search path in it, but you get the idea).

2 - As mentioned, there is a DNS spoofing prevention benefit to having the
default, out of the box, be "file bind". Security is good (sometimes :)

I also wonder, what percentage of "never installed before" type users expect the
DNS server to overrule their hosts file? Of course all this also suggests we
need to move away from any form of manual install to, by default, making people
use sysinst unless they really know what they are doing.

Finally, how would this damage people who liked the old "bind file" method? My
question being: would it make your DNS lookups slower or faster? Do you really
expect that behavior, or do you just not want to change it (honest question -
really - I'm not inferring anything)?

Paul.
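The lookup-order question above (hosts file first versus DNS first, and why the order matters for spoofing) is easy to see in a small simulation. The following is an added example, not code from the original mail or from NetBSD's libc: it parses an nsswitch.conf `hosts:` line, including the `[status=action]` criteria syntax, and walks the sources in order with the documented default actions (SUCCESS returns, NOTFOUND/UNAVAIL/TRYAGAIN continue). The hosts file, resolv.conf search list, DNS zone data and all addresses are constructed (RFC 5737 documentation ranges) to mirror the "loki" scenario in the mail; the "spoofed" zone entry stands in for an attacker-controlled or poisoned answer.

```python
"""Simulate nsswitch.conf host lookup order: "files dns" vs "dns files".

Added example, not part of the original mail or of NetBSD's nsswitch code.
All hosts, addresses and zone data are constructed for illustration.
"""
import re

# --- constructed inputs -------------------------------------------------
HOSTS_FILE = """\
127.0.0.1        localhost
198.51.100.20    loki loki.brunel.ac.uk    # explicit local entry
198.51.100.9     printer                   # exists only in /etc/hosts
"""

RESOLV_CONF = "search client.nc.com nc.com\nnameserver 192.0.2.53\n"

# What the nameserver answers; keys are fully qualified, trailing dot.
DNS_ZONE = {
    "loki.nc.com.": "192.0.2.77",
    "www.nc.com.": "192.0.2.80",
}

# A poisoned/spoofed answer for the first search-list candidate of "loki".
SPOOFED_ZONE = dict(DNS_ZONE, **{"loki.client.nc.com.": "203.0.113.66"})

# nsswitch.conf(5) default actions per lookup status.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_hosts(text):
    """/etc/hosts -> {name: address}; first mapping for a name wins."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                table.setdefault(name.lower().rstrip("."), fields[0])
    return table


def parse_search(text):
    """Return the resolv.conf 'search' domain list (empty if absent)."""
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0] == "search":
            return parts[1:]
    return []


def parse_nsswitch_hosts(line):
    """'hosts: dns [notfound=return] files' -> [('dns', {'notfound': 'return'}), ('files', {})]."""
    body = line.split(":", 1)[1]
    sources = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", body):
        if tok.startswith("["):
            criteria = dict(kv.lower().split("=", 1) for kv in tok[1:-1].split())
            sources[-1][1].update(criteria)   # criteria bind to the preceding source
        else:
            sources.append((tok.lower(), {}))
    return sources


def lookup_files(name, hosts):
    addr = hosts.get(name.lower().rstrip("."))
    return ("success", addr) if addr else ("notfound", None)


def lookup_dns(name, zone, search):
    """Mimic the stub resolver: unqualified names try the search list first."""
    base = name.rstrip(".")
    if "." in base:
        candidates = [base + "."]
    else:
        candidates = [f"{base}.{d}." for d in search] + [base + "."]
    for fqdn in candidates:
        if fqdn in zone:
            return ("success", zone[fqdn])
    return ("notfound", None)


def resolve(name, nsswitch_line, hosts_text=HOSTS_FILE,
            resolv_text=RESOLV_CONF, zone=DNS_ZONE):
    """Walk the configured sources in order, honouring [status=action] criteria."""
    hosts = parse_hosts(hosts_text)
    search = parse_search(resolv_text)
    for source, criteria in parse_nsswitch_hosts(nsswitch_line):
        if source == "files":
            status, addr = lookup_files(name, hosts)
        elif source == "dns":
            status, addr = lookup_dns(name, zone, search)
        else:
            status, addr = "unavail", None     # unknown source: treat as unavailable
        if criteria.get(status, DEFAULT_ACTIONS[status]) == "return":
            return addr
    return None


if __name__ == "__main__":
    for order in ("hosts: files dns", "hosts: dns files"):
        print(f"{order!r:28} telnet loki -> {resolve('loki', order)}"
              f"   (spoofed DNS: {resolve('loki', order, zone=SPOOFED_ZONE)})")
```

With `files dns`, "loki" resolves to the /etc/hosts entry whether or not the DNS answer is spoofed; with `dns files`, the search list turns "loki" into `loki.client.nc.com` and then `loki.nc.com`, so the hosts entry is never consulted and a poisoned answer for either candidate is accepted. The `[notfound=return]` criterion shows the other side of the argument: it stops the walk after a DNS miss, so names that exist only in /etc/hosts become unresolvable.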