Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAC1FGz1iHNTrNsehFMc-BkkbOwC2tDV5xhhetKHzC7CdqOTnHg@mail.gmail.com>
Date: Wed, 31 Aug 2022 10:33:05 -0700
From: Dalton Hubble <dghubble@...il.com>
To: musl@...ts.openwall.com
Subject: musl resolver handling of "search ." in /etc/resolv.conf

Hey folks,

I wanted to flag a possible issue with musl handling of DNS "search ." in
/etc/resolv.conf.The easiest way I have to repro and consume musl is
starting an alpine or busybox musl container image.

podman run -it docker.io/alpine:3.16.2 /bin/ash

Edit /etc/resolv.conf to the following (not the "." at the end of search):

```
search default.svc.cluster.local .
nameserver 8.8.8.8
options ndots:5
```

```
wget www.google.com
wget: bad address 'www.google.com'
```

Remove the "." from search and wget will work fine again.

https://github.com/coreos/fedora-coreos-tracker/issues/1287 has some great
details showing DNS packet capture and a malformed packet.

Broader context is that systemd and recently Kubernetes start adding
"search ." to resolv.conf in certain scenarios, which seems to break
musl-based resolvers.
- https://github.com/systemd/systemd/pull/17201
- https://github.com/kubernetes/kubernetes/pull/109441
- https://github.com/kubernetes/kubernetes/issues/112135






-- 
Dalton Hubble
dghubble@...il.com

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.