Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <94e1e19cea2b4433a138688b16fb5dfc@etat.ge.ch>
Date: Thu, 16 Mar 2023 12:17:38 +0000
From: Briner Cédric (DI) <Cedric.Briner@...t.ge.ch>
To: "musl@...ts.openwall.com" <musl@...ts.openwall.com>
Subject: RE: resolv.conf and ndots:5

Hi Rich and Quentin,
 
> > Hi,
> I followed up as you were leaving IRC:

Sorry for this, my bad ! 

> > ge.ch.app-5580-capitastra-rec-01.svc.cluster.local
> > [pid 1228780] recvfrom(3, "\2567\205\200\0\1\0\0\0\1\0\1\2ge\2ch\4ceti\7etat-ge\2"..., 512, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.177.0.10")}, [16]) = 140
>                                   ^^^^^^^^
> 
> The low 4 bits of the underlined part of the response packet form
> RCODE=0, success. This is 10.177.0.10 saying the queried name does
> exist and just does not have an A record. (It might have AAAA records,
> MX records, whatever -- we can't know.)
> 
> Since normal recursive nameservers on the public internet correctly
> report RCODE=3 (NxDomain) for ge.ch.ceti.etat-ge.ch, something in your
> k8s cluster must be rewriting the answer to give an incorrect result.
> 
> glibc (like most traditional stub resolvers) handles this case
> sloppily and just treats NODATA and NxDomain the same, continuing
> search. This makes the results potentially unstable depending on
> whether the caller requested both v4 and v6 results or just one or the
> other, and semantically mismatches what's in DNS. musl handles this
> very intentionally with the aim of delivering only consistent results.


Thanks you for the detailed and precised response provided. That helped us a lot !

What I’ve learned is:
- that NODATA is considered as a valid answer, showing that this entry belong to the DNS ceti.etat-ge.ch
- that the dig command shows information on this respect in the section ->>HEADER<<-
  - it used to be status: NOERROR (saying that it belongs to this DNS, but have not an A record)
  - and it is now status:NXDOMAIN (saying that ge.ch.ceti.etat-ge.ch does not belong to this DNS)
- that musl has a different algorithm (stricter to the DNS rfc) than the other libc, which gives different results in our case

> Rich

With all my considerations.
Cedric (from Switzerland)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.