Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 4 Nov 2023 11:41:40 -0400
From: Rich Felker <dalias@...c.org>
To: Ayush Agarwal <ayush@...shnix.com>
Cc: musl@...ts.openwall.com
Subject: Re: questions about musl DNS resolver

On Sat, Nov 04, 2023 at 12:12:58PM +0530, Ayush Agarwal wrote:
> Hi,
> 
> I was reading about how DNS works in Linux distributions and I noticed
> some differences in the way libc resolvers work in glibc and in musl.
> I hope it's okay if I ask a few (potentially stupid) questions?
> 
> 1. Why not offer a different man page on musl distributions for pages
> like resolv.conf(5) and resolver(3) considering how their
> implementation details and behavior are different from glibc? Is not
> offering them intentional or does it require someone to step up and
> write the documentation?

Ideally the linux-man provided ones would document which things are
glibcisms vs widely available elsewhere, but short of that, maybe it
would be nice for someone to maintain musl-specific versions for
distros to use.

> 2. Which options in the resolv.conf(5) man page are supported by musl?
> I know "search" and "nameserver" are supported but what about
> "options" like "ndots", "edns0", "use-vc", "trust-ad"?

search/domain, nameserver, and options: ndots, attempts, and timeout.

trust-ad would be a no-op; it's always on. glibc's having it optional
and off by default badly breaks anything trying to use dnssec/dane
right.

edns0 is not supported, intentionally because it would require munging
and unmunging queries behind the caller's back (or treating
libc-internal queries differently). use-vc is not supported because it
doesn't really play well with our parallel query model or stateless
design.

> 3. It seems that version 1.2.1 added support for DNSSEC queries but
> how do I confirm if DNSSEC queries are sent and received with musl? Do
> I need to use the "option edns0 trust-ad" directive in resolv.conf for
> it work? The usual suspects like drill and kdig seem to use their own
> resolver.

I'm not sure what you man by "DNSSEC queries". The normal application
usage for DNSSEC that's supported by musl is for the stub resolver to
make a normal query, with the AD bit set, to a trusted (ideally should
run on localhost so trust is not crossing network boundaries)
nameserver that will validate DNSSEC, ServFail on anything
invalid/spoofed, and report via the AD bit of the answer packet
whether the result is DNSSEC-protected.

As of musl 1.2.1, the AD bit of the query is always set when you use
the res_* API. All you have to do is interpret it in the answer.

If you want to actually do DNSSEC validation yourself, or just see the
RRSIG, etc. records, you need to construct a suitable query in EDNS0
form with the DO bit set. It can be sent (and the answer received) via
the res_send function. Strictly speaking this does not depend on the
musl version, but you'll need 1.2.4+ to get answers larger than 512
bytes (which these answers usually are).

The resolv.conf edns0 option has nothing to do with this. It's about
whether the stub resolver's construction of queries will make them in
EDNS0 form, not whether res_send will accept EDNS0-form packets from
the caller.

> 4. The musl version 1.2.4 added TCP fallback to DNS. Is this fallback
> intended to work automatically when the size of a DNS query is large
> or does it need any configuration?

Yes, it works automatically. Originally I intended to add capability
to skip fallback if there's a non-empty answer list in the truncated
packet, which might be an option at some point in the future, but
right now it always happens, and by default it will continute to
automatically happen.

So, TL;DR: no configuration is needed for any of the stuff you want.
It just all works, or at least is intended to. If you run into
problems, please reach out here for help.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.