Message-ID: <871roqm2hz.fsf@mid.deneb.enyo.de>
Date: Tue, 14 Apr 2020 18:54:48 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: Rich Felker <dalias@...c.org>
Cc: musl@...ts.openwall.com, Christian <list-christian@....de>
Subject: Re: Resolver routines, Postfix DNSSEC troubles - how to check for incompatibilities?

* Rich Felker:

> On Tue, Apr 14, 2020 at 11:57:17AM +0200, Florian Weimer wrote:
>> * Rich Felker:
>>
>> > On Mon, Apr 13, 2020 at 05:52:34PM +0200, Florian Weimer wrote:
>> >> * Christian:
>> >>
>> >> > So Viktor did some digging:
>> >> >
>> >> > "The comment on line 25:
>> >> >
>> >> > https://github.com/runtimejs/musl-libc/blob/master/include/resolv.h#L25
>> >> >
>> >> > is not encouraging. It suggests that _res is unused. If so, Postfix
>> >> > DNS does not work correctly with this C library. And not just for
>> >> > DANE, since Postfix is also unable to control RES_DEFNAMES and
>> >> > RES_DNSRCH.
>> >>
>> >> Are these changes to the RES_DEFNAMES and RES_DNSRCH flags really
>> >> necessary? Why doesn't Postfix use res_query (or perhaps res_send) as
>> >> appropriate?
>> >
>> > But to actually answer these questions, modifying the flags is
>> > presumably because traditional req_query builds an rfc1035 query or
>> > edns query based on these flags derived from resolv.conf, and
>> > Postfix either assumes or wants to support the case where resolv.conf
>> > is not already configured for edns, perhaps because it was generated
>> > by a dhcp client.
>>
>> In my comment above, I specifically meant RES_DEFNAMES and RES_DNSRCH.
>>
>> RES_USE_EDNS0 seems different; I would expect applications to use
>> their own DNS libraries if they need to access DNSSEC data and
>> non-address record types (where there is no benefit gained from
>> integrating with /etc/hosts or other data sources).
>
> Oh. For those it seems to be to suppress search domains, so that when
> looking up the MX or TLSA for example.com it doesn't get records for
> example.com.searchdomain.
>
> I don't know why they poke at flags in _res rather than just appending
> a . to the name, and/or comparing the name in the result to ensure
> that it matches.

It doesn't work when the data doesn't come out of DNS.

> Also res_query is *documented* not to use search domains.

Exactly, that's why I don't understand why changing the flags is
needed. res_search for searching, res_query for not searching.
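
The two checks suggested in the quoted text above (append a "." to the name, and compare the name in the result), sketched in C as an added example; it is not code from Postfix, musl or anyone in this thread. The function names and the sample messages are constructed for illustration, and the check assumes a response with a single question and looks only at that question name.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Append the root label so the resolver treats the name as absolute. */
int make_absolute(const char *name, char *out, size_t cap) {
    size_t n = strlen(name);
    if (n == 0 || n + 2 > cap) return -1;
    memcpy(out, name, n + 1);
    if (out[n - 1] != '.') memcpy(out + n, ".", 2);
    return 0;
}

/* Question name as dotted text; refuses pointers and '.' or NUL in labels. */
int question_name(const unsigned char *msg, size_t len, char *out, size_t cap) {
    size_t p = 12, o = 0;                 /* QNAME follows the 12-byte header */
    if (len < 13 || cap < 2 || msg[4] != 0 || msg[5] != 1) return -1;
    while (p < len && msg[p] != 0) {
        size_t l = msg[p++];
        if (l > 63 || p + l > len || o + l + 2 > cap) return -1;
        if (memchr(msg + p, '.', l) || memchr(msg + p, 0, l)) return -1;
        memcpy(out + o, msg + p, l);
        o += l; p += l;
        out[o++] = '.';
    }
    if (p >= len) return -1;              /* no terminating root label */
    if (o == 0) out[o++] = '.';           /* the root name itself */
    out[o] = '\0';
    return 0;
}

/* 1 only if the message is about exactly the name that was asked for. */
int response_matches(const char *asked, const unsigned char *msg, size_t len) {
    char want[256], got[256];
    if (make_absolute(asked, want, sizeof want) != 0) return 0;
    if (question_name(msg, len, got, sizeof got) != 0) return 0;
    return strcasecmp(want, got) == 0;
}

/* Constructed samples: header plus "example.com"; tail is root label, MX, IN. */
#define HEAD "\x12\x34\x81\x80\0\1\0\0\0\0\0\0" "\x07" "example" "\x03" "com"
#define TAIL "\0\0\x0f\0\1"
static const unsigned char exact[] = HEAD TAIL;
static const unsigned char searched[] = HEAD "\x04" "corp" "\x04" "test" TAIL;

int main(void) {
    printf("%d %d\n", response_matches("example.com", exact, sizeof exact - 1),
           response_matches("example.com", searched, sizeof searched - 1));
    return 0;
}
```

The second sample stands for a lookup that had a search domain appended (example.com.corp.test), which the comparison refuses.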