Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 24 Jan 2023 03:54:19 -0500
From: Rich Felker <dalias@...c.org>
To: Barry Bond <barrybo@...rosoft.com>
Cc: "musl@...ts.openwall.com" <musl@...ts.openwall.com>
Subject: Re: Re: [EXTERNAL] Re: Behavior change in
 getaddrbyname() with AF_UNSPEC

On Mon, Jan 23, 2023 at 01:34:10AM +0000, Barry Bond wrote:
> I now have more data. The DNS queries are being multcast to a
> customer's mDNS server implementation. I don't have source code
> access to it.

In general, pointing the stub resolver at mDNS is not expected to
work. It might work under some conditions if it's pointed *only* at
mDNS, but the common thing folks try to do like this is pointing
resolv.conf at both a real recursive resolver and mDNS hoping this
will yield a unioned namespace, which is not how it works. Doing that
really requires a unioning proxy resolver (which can also provide
functionality like DNSSEC validation etc if desired).

> Its behavior is to correctly respond to "A" requests, but drop
> "AAAA" requests completely.
> 
> So ​__res_msend_rc() is sending two request messages out ("A" and
> "AAAA"), and getting only 1 response back ("A"). The "AAAA" request
> is resent, then times out. That leaves alens[0]==54 and alens[1]==0.
> That leads to the EAI_AGAIN return in name_from_dns().
> 
> RFC 8906 (https://datatracker.ietf.org/doc/rfc8906/) seems relevant:
> section 3.1.2 says that it is expected the DNS servers return a
> response as if it has no data, for unknown rr types. But that's a
> best practice and not a hard requirement. MUSL before the relevant
> change was OK with a non-reply to the AAAA request, but now requires
> the response.

There are lots of things that are perfectly valid for a nameserver to
do, but which do not answer the question asked by the stub resolver.
And if the question is not answered, it cannot draw any conclusion for
what to give the application.

Timing out then returning success anyway after the timeout was a bug.
It only "worked" for this setup before insomuch as someone was happy
with waiting 5 seconds for each query to "succeed". I'm not sure what
the right waya to do what they want is because I'm not sure exactly
what they're tryng to do, but the old behavior isn't it.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.