Date: Sun, 3 May 2020 15:45:50 -0400
From: Rich Felker <dalias@...c.org>
To: Florian Weimer <fw@...eb.enyo.de>
Cc: musl@...ts.openwall.com
Subject: Re: TCP support in the stub resolver

On Sun, May 03, 2020 at 09:34:31PM +0200, Florian Weimer wrote:
> * Rich Felker:
> 
> >> Can't you do DNS with really large packet sizes on localhost?
> >> 
> >> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
> >> 
> >> That's the one place where TCP does not make much sense, except to get
> >> the last 30 or so bytes in packet size.
> >
> > No, the protocol simply does not support it. Normal (non-EDNS) DNS
> > protocol forbids UDP packets over 512 bytes. A nameserver that replied
> > with them rather than with TC would be non-conforming and would break
> > conforming clients that expect to see the TC rather than a short read.
> > With EDNS0 longer packets can be sent but I think there's still a
> > limit of 4096 bytes or something. I don't understand this entirely so
> > I may be wrong and it may be possible to just support EDNS0 and say
> > "run a server with 64k EDNS0 limit on localhost if you want to
> > guarantee non-truncated replies".
> 
> On localhost, one could just disregard the protocol limit, perhaps
> with special configuration of the recursive resolver.  (The stub
> resolver would not need configuration, it just has to accept the
> packets if they arrive.)

No, you can't, because it's a permanent public interface contract. You
may have foreign-libc binaries or statically linked binaries from before
that policy change or from a party who disagrees (rightly so) with
that policy change.

> The other option would be to use a UNIX Domain datagram socket instead
> of UDP.  Since it is a new transport protocol, it's possible to make
> up different rules about packet sizes.

Putting unix domain nameservers in resolv.conf directly would likewise
be incompatible with the above. You could do it in some way that they
don't see/care about, but then it's a matter of inventing new policy
mechanisms which musl explicitly seeks to avoid. (E.g. that's why we
used nscd protocol for alternate passwd/group backends rather than
NIH'ing something.)

Rich
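As an added example (not part of this thread, nor musl's or glibc's resolver code), the following Python sketch shows the UDP/TC/TCP interaction Rich describes: a query that optionally carries an EDNS0 OPT record advertising a larger buffer, a check that a UDP reply stays within the size the stub advertised, a TC-bit test that decides whether to retry the query over TCP, and the two-byte length framing DNS uses over TCP. The 4096-byte EDNS buffer size, the function names and the constructed sample replies are assumptions made for illustration.

```python
import secrets
import struct

DNS_UDP_MAX = 512        # classic (non-EDNS) UDP reply ceiling from RFC 1035
EDNS_UDP_SIZE = 4096     # an EDNS0 buffer size commonly advertised by stubs (assumption)
OPT_TYPE = 41            # RR type of the EDNS0 OPT pseudo-record


def encode_name(name):
    """Wire-encode a dotted hostname as length-prefixed labels plus a root byte."""
    labels = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def build_query(name, qtype=1, txid=None, edns_udp_size=None):
    """Build a recursion-desired query; with edns_udp_size, append an OPT RR."""
    if txid is None:
        txid = secrets.randbelow(65536)      # unpredictable ID, as a stub should use
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)        # IN class
    msg = header + question
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = requested UDP payload size,
        # TTL (extended rcode/version/flags) = 0, RDLENGTH = 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict of the fields a stub cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(response, query_id, max_udp=DNS_UDP_MAX):
    """Return True if a UDP reply is truncated (TC set) and must be re-asked over TCP.

    Rejects replies larger than the ceiling the stub agreed to: a server sending
    oversized UDP datagrams instead of setting TC is non-conforming, and a client
    that silently accepted them would hide that breakage.
    """
    if len(response) > max_udp:
        raise ValueError("UDP reply exceeds the %d-byte limit" % max_udp)
    if len(response) < 12:
        raise ValueError("reply shorter than a DNS header")
    hdr = parse_header(response)
    if hdr["id"] != query_id or not hdr["qr"]:
        raise ValueError("reply does not match the outstanding query")
    return hdr["tc"]


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with its 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream):
    """Split one length-prefixed message off a TCP byte stream; None if incomplete."""
    if len(stream) < 2:
        return None, stream
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        return None, stream
    return stream[2:2 + length], stream[2 + length:]


def constructed_reply(txid, truncated, pad=0):
    """Constructed sample reply (not captured traffic): QR=1, RD=1, RA=1, optional TC."""
    flags = 0x8180 | (0x0200 if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    return header + question + b"\x00" * pad   # pad only inflates the datagram size


if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    reply = constructed_reply(0x1234, truncated=True)
    if needs_tcp_retry(reply, 0x1234):
        print("TC set: resend", len(frame_for_tcp(q)), "framed bytes over TCP")
```

With the default 512-byte ceiling, a 600-byte UDP reply is rejected outright; the same reply is accepted only when the query advertised a larger EDNS0 buffer, which is exactly why a server "on localhost" cannot assume every client will tolerate oversized datagrams.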
