raforg
commented
1 year ago Hi, and thanks again! However, I think this is really an issue for the Arch bind package. On Debian, Bind9 is split up into multiple packages: one for the server, one for its utilities, one for most of the client utilities, and one for host by itself:
bind9 (server) 1077k
bind9-dnsutils (nslookup + 5 others) 711k
bind9-host (host) 376k
ldnsutils (drill + 25 others) 755kSo, by solving a minor bloat issue on Arch, this change would create the very same (minor) issue on Debian. By using host, it only needs a 376k package, but this change would require a 755k package.
Would you consider creating an Arch package for host instead? That would also benefit any Arch user that wanted a pretty DNS client but didn't need a DNS server. Mind you, the Bind9 server is an excellent choice for a DNSSEC-enabled DNS server which is needed by danectl users. Not necessarily on the same server, but it is convenient.
More importantly, this change (as it is) would cause breakage for anyone who upgrades danectl from an earlier version unless they already have drill installed. That's not acceptable. I expect that host is more popular and more likely to be installed than drill.
For this issue to be fixed by danectl itself, it would need to be more complicated (which I'm not too in favour of). The prerequisite would have to be for "host (or drill)". The check_prerequisites() function would need to have host removed from the main list and have something like this added after it:
case "`which host 2>/dev/null`" in
/*)
HAVE_HOST=1
;;
*)
HAVE_HOST=0
;;
esac
case "`which drill 2>/dev/null`" in
/*)
HAVE_DRILL=1
;;
*)
HAVE_DRILL=0
;;
esac
[ $HAVE_HOST = 0 -a $HAVE_DRILL = 0 ] && die "Failed to find host or drill"The check_sshfp_prerequisites() function would need a similar change.
The host -t or drill commands would need to be replaced with a function something like this:
fetchdns()
{
if [ $HAVE_HOST = 1 ]
then
host -t "$@"
else
drill "$@"
fi
}And the regular expressions would have to be able to match the output of either program. Perhaps that could be made easier by piping the output of host in the fetchdns() function through sed to replace things like "has SSHFP record" to just "SSHFP". e.g.:
fetchdns()
{
if [ $HAVE_HOST ]
then
host -t "$@" | sed 's/has \(.*\) record/\1/'
else
drill "$@"
fi
}Also, there are several bugs in the patch. The -Q option for drill is inappropriate. It seems to suppress the output that is needed by danectl. Also, there is code that processes the output of host that hasn't been adapted for drill output, and there's a typo in some perl code where the =~ operator has lost its ~ (and other code was removed there that needs to be put back). I'm concerned that it might not be possible to handle the output of both in a single line per instance. Unless the fetchdns function is made more complex by adjusting the output of either or both commands so that they become the same.
And the patch doesn't handle TLSA, SMIMEA or OPENPGPKEY records yet. TLSA is the most important of all of them. You mentioned that OVH's DNS service doesn't support SMIMEA or OPENPGPKEY. Testing can be done with a local Bind9 server that is configured not to verify DNSSEC (since a local test zone that doesn't have the right DS records higher up the chain won't work if it is verifying DNSSEC).
So, what do you think? Should we add all of this additional complexity, and add to the testing burden, to save a few hundred kB, or can you create a smaller Arch package for host? I don't think changing danectl in this way would improve its code, and an Arch host package would benefit other Arch users whether they use danectl or not.
HLFH
@raforg Hi.
I was looking at packaging
danectlfor Arch Linux.On Arch Linux,
/bin/hostis provided bybindwhich makes the whole thing slightly bloated. Why not usingdrillinstead provided by the slimldnsutility?Here will be all the impacted functions: