Date: Sat, 4 Nov 2023 11:49:58 +0100
From: Markus Wichmann <nullplan@....net>
To: musl@...ts.openwall.com
Subject: Re: questions about musl DNS resolver

On Sat, Nov 04, 2023 at 12:12:58PM +0530, Ayush Agarwal wrote:
> Hi,
>
> I was reading about how DNS works in Linux distributions and I noticed
> some differences in the way libc resolvers work in glibc and in musl.
> I hope it's okay if I ask a few (potentially stupid) questions?
>
> 1. Why not offer a different man page on musl distributions for pages
> like resolv.conf(5) and resolver(3) considering how their
> implementation details and behavior are different from glibc? Is not
> offering them intentional or does it require someone to step up and
> write the documentation?
>

Well, for one, because musl doesn't offer /any/ manpages. For two, because it could change. Rich may decide to add support for more options if someone makes a convincing-enough case.

What you have to understand is that musl only contains a stub resolver. Its job is to send a request to a bunch of recursive resolvers and collate their answers. And those resolvers are trusted implicitly. That is why the only servers you should have in your resolv.conf are servers you trust, and you trust the path to them as well. If you have a laptop and travel a lot and want to use dodgy airport Wifi, you may want to run your own DNS resolver and use 127.0.0.1 in resolv.conf. See, if you put 220.127.116.11 in there, then Google is happy about that, but so is the Russian hacker between you and Google.

> 2. Which options in the resolv.conf(5) man page are supported by musl?
> I know "search" and "nameserver" are supported but what about
> "options" like "ndots", "edns0", "use-vc", "trust-ad"?
>

The code is the documentation. At the moment I see an implementation for the options ndots, attempts, and timeout, as well as nameserver and domain or search (where the last two are equivalent).

Note that musl only supports up to three nameservers, because they are only for increased reliability of the system. All nameservers are supposed to implement the same view of the namespace. If you want something else, like a union of different namespaces, you must use or implement a DNS proxy like dnsmasq.

> 3. It seems that version 1.2.1 added support for DNSSEC queries but
> how do I confirm if DNSSEC queries are sent and received with musl? Do
> I need to use the "option edns0 trust-ad" directive in resolv.conf for
> it to work? The usual suspects like drill and kdig seem to use their own
> resolver.
>

I do not see musl itself use any kind of DNSSEC query. Not sure where you got this. I do remember that some time ago, Rich converted his bespoke internal DNS API into the de-facto standard libresolv interface. And you can use that to make DNSSEC queries if you so choose. But musl itself doesn't do any DNSSEC.

> 4. The musl version 1.2.4 added TCP fallback to DNS. Is this fallback
> intended to work automatically when the size of a DNS query is large
> or does it need any configuration?
>

That is indeed automatic, and triggered by the TC bit in the response.

Ciao,
Markus
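An added example (not musl's own resolvconf.c, and not part of this thread): a small lint that reads a resolv.conf the way the reply above describes musl reading it, keeping at most three nameservers, treating domain and search as equivalent, honouring only the ndots, attempts and timeout options, and listing everything else so an administrator can see which directives (edns0, trust-ad, use-vc, a fourth nameserver) musl will silently ignore. The defaults ndots=1, attempts=2, timeout=5, the last-search-line-wins rule and the `#`/`;` comment handling are assumptions, not taken from the email.

```python
from dataclasses import dataclass, field

MAXNS = 3                                   # musl keeps at most three nameservers
SUPPORTED_OPTIONS = {"ndots", "attempts", "timeout"}

@dataclass
class MuslResolvConf:
    nameservers: list[str] = field(default_factory=list)
    search: list[str] = field(default_factory=list)
    ndots: int = 1                          # assumed default, not stated in the thread
    attempts: int = 2                       # assumed default
    timeout: int = 5                        # assumed default
    ignored: list[str] = field(default_factory=list)   # directives musl would skip

def parse_musl_resolv_conf(text: str) -> MuslResolvConf:
    """Parse resolv.conf text using only the subset the thread says musl supports."""
    conf = MuslResolvConf()
    for raw in text.splitlines():
        # Comment handling is an assumption; drop '#' and ';' comments, blank lines.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        kw, *args = line.split()
        if kw == "nameserver" and args:
            if len(conf.nameservers) < MAXNS:
                conf.nameservers.append(args[0])
            else:
                conf.ignored.append(f"nameserver {args[0]} (beyond {MAXNS})")
        elif kw in ("domain", "search") and args:
            conf.search = args              # domain and search are equivalent; last wins
        elif kw == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                if name in SUPPORTED_OPTIONS and value.isdigit():
                    setattr(conf, name, int(value))
                else:
                    conf.ignored.append(f"option {opt}")   # e.g. edns0, trust-ad, use-vc
        else:
            conf.ignored.append(line)
    return conf

# Constructed sample input for the lint; not a real configuration from the thread.
SAMPLE = """\
# constructed sample
nameserver 127.0.0.1
nameserver 10.0.0.2
nameserver 10.0.0.3
nameserver 10.0.0.4
search corp.example lab.example
options ndots:2 edns0 trust-ad timeout:3 use-vc
"""

if __name__ == "__main__":
    for item in parse_musl_resolv_conf(SAMPLE).ignored:
        print("ignored by musl:", item)
```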