Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 31 Mar 2018 12:42:17 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: William Pitcock <nenolod@...eferenced.org>
Cc: musl@...ts.openwall.com
Subject: Re: [PATCH] resolver: only exit the search path loop there are a positive number of results given

* William Pitcock:

> A local proxy isn't going to be workable, because most people are
> going to just say "but Debian or Fedora doesn't require this," and
> then just go use a glibc distribution.

Some parts of the glibc behavior are clearly wrong and not even
internally consistent.  Rich is right that for correctness, you can
only proceed on the search path if you have received a successful
reply.  However, making changing in this area difficult, both due to
the current state of the glibc code, and existing deployments
depending on corner cases which are not well-understood.

I'm not entirely convinced that using different search path domains
for different address families is necessarily wrong.  Historically,
the NODATA/NXDOMAIN signaling has been really inconsistent anyway, and
I suspect it still is for some users.

What Cloudflare is doing appears to be some kind of protection against
NSEC-based zone enumeration, and that requires synthesizing NODATA
response.  They are unlikely to change that, and they won't be the
only ones doing this.

(going further upthread)

> Kubernetes imposes a default search path with the cluster domain last, so:
> 
>   - local.prod.svc.whatever
>   - prod.svc.whatever
>   - svc.whatever
>   - yourdomain.com

Do you have a source for that?

Considering that glibc had for a long time a hard limit at six
entries, I find that approach rather surprising.  This leaves just
three domains in the end user's context.  That's not going to be
sufficient for many users.  Anyway …

> The cloudflare issue is that they send SUCCESS code with 0 replies,
> which causes musl to error when it hits the yourdomain.com.

Is the long search path really the problem here?  Isn't it ndots:5?
It means that queries destined to the general DNS tree hit the
organizational tree first, where the search stops due to the NODATA
response.  So you never get the expected response from the public
tree.

Is this what's happening?

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.