Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 24 Jan 2023 03:54:19 -0500
From: Rich Felker <dalias@...c.org>
To: Barry Bond <barrybo@...rosoft.com>
Cc: "musl@...ts.openwall.com" <musl@...ts.openwall.com>
Subject: Re: Re: [EXTERNAL] Re: Behavior change in
 getaddrbyname() with AF_UNSPEC

On Mon, Jan 23, 2023 at 01:34:10AM +0000, Barry Bond wrote:
> I now have more data. The DNS queries are being multcast to a
> customer's mDNS server implementation. I don't have source code
> access to it.

In general, pointing the stub resolver at mDNS is not expected to
work. It might work under some conditions if it's pointed *only* at
mDNS, but the common thing folks try to do like this is pointing
resolv.conf at both a real recursive resolver and mDNS hoping this
will yield a unioned namespace, which is not how it works. Doing that
really requires a unioning proxy resolver (which can also provide
functionality like DNSSEC validation etc if desired).

> Its behavior is to correctly respond to "A" requests, but drop
> "AAAA" requests completely.
> 
> So ‚Äč__res_msend_rc() is sending two request messages out ("A" and
> "AAAA"), and getting only 1 response back ("A"). The "AAAA" request
> is resent, then times out. That leaves alens[0]==54 and alens[1]==0.
> That leads to the EAI_AGAIN return in name_from_dns().
> 
> RFC 8906 (https://datatracker.ietf.org/doc/rfc8906/) seems relevant:
> section 3.1.2 says that it is expected the DNS servers return a
> response as if it has no data, for unknown rr types. But that's a
> best practice and not a hard requirement. MUSL before the relevant
> change was OK with a non-reply to the AAAA request, but now requires
> the response.

There are lots of things that are perfectly valid for a nameserver to
do, but which do not answer the question asked by the stub resolver.
And if the question is not answered, it cannot draw any conclusion for
what to give the application.

Timing out then returning success anyway after the timeout was a bug.
It only "worked" for this setup before insomuch as someone was happy
with waiting 5 seconds for each query to "succeed". I'm not sure what
the right waya to do what they want is because I'm not sure exactly
what they're tryng to do, but the old behavior isn't it.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.