Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 3 May 2020 15:45:50 -0400
From: Rich Felker <dalias@...c.org>
To: Florian Weimer <fw@...eb.enyo.de>
Cc: musl@...ts.openwall.com
Subject: Re: TCP support in the stub resolver

On Sun, May 03, 2020 at 09:34:31PM +0200, Florian Weimer wrote:
> * Rich Felker:
> 
> >> Can't you do DNS with really large packet sizes on localhost?
> >> 
> >> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
> >> 
> >> That's the one place where TCP does not make much sense, except to get
> >> the last 30 or so bytes in packet size.
> >
> > No, the protocol simply does not support it. Normal (non-EDNS) DNS
> > protocol forbids UDP packets over 512 bytes. A nameserver that replied
> > with them rather than with TC would be non-conforming and would break
> > conforming clients that expect to see the TC rather than a short read.
> > With EDNS0 longer packets can be sent but I think there's still a
> > limit of 4096 bytes or something. I don't understand this entirely so
> > I may be wrong and it may be possible to just support EDNS0 and say
> > "run a server with 64k EDNS0 limit on localhost if you want to
> > guarantee non-truncated replies".
> 
> On localhost, one could just disregard the protocol limit, perhaps
> with special configuration of the recursive resolver.  (The stub
> resolver would not need configuration, it just has to accept the
> packets if they arrive.)

No you can't because it's a permanent public interface contract. You
may have foreign-libc binaries or static linked binaries from before
that policy change or from a party who disagrees (rightly so) with
that policy change.

> The other option would be to use a UNIX Domain datagram socket instead
> of UDP.  Since it is a new transport protocol, it's possible to make
> up different rules about packet sizes.

Putting unix domain nameservers in resolv.conf directly would likewise
be incompatible with the above. You could do it in some way that they
don't see/care about, but then it's a matter of inventing new policy
mechanisms which musl explicitly seeks to avoid. (E.g. that's why we
used nscd protocol for alternate passwd/group backends rather than
NIH'ing something.)

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.