Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230705034111.GD4163@brightrain.aerifal.cx>
Date: Tue, 4 Jul 2023 23:41:12 -0400
From: Rich Felker <dalias@...c.org>
To: Hamish Forbes <hamish.forbes@...il.com>
Cc: musl@...ts.openwall.com
Subject: Re: DNS answer buffer is too small

On Wed, Jul 05, 2023 at 12:18:11PM +1200, Hamish Forbes wrote:
> On Wed, 5 Jul 2023 at 04:06, Rich Felker <dalias@...c.org> wrote:
> >
> > On Tue, Jul 04, 2023 at 04:19:16PM +1200, Hamish Forbes wrote:
> > > On Tue, 4 Jul 2023 at 15:29, Rich Felker <dalias@...c.org> wrote:
> > It's as safe as it was before, and it's always been the intended
> > behavior. Aside from the CNAME chain issue which wasn't even realized
> > at the time, use of TCP for getaddrinfo is not about getting more
> > answers than fit in the UDP response size. It's about handling the
> > case where the recursive server returns a truncated response with zero
> > answer records instead of the max number that fit. It turned out this
> > could also occur with a single CNAME where both the queried name and
> > the CNAME target take up nearly the full 255 length.
> >
> > As for why not to care about more results, getaddrinfo does not
> > provide a precise view of DNS space. It takes a hostname and gives you
> > a set of addresses you can use to attempt to connect to that host (or
> > bind if that name is your own, etc.). There's very little utility in
> > timing out more than 47 times then continuing to try more addresses
> > rather than just failing. "Our name resolves to 100 addresses and you
> > have to try all of them to find the one that works" is not a viable
> > configuration. (A lot of software does not even iterate and try
> > fallbacks at all, but only attempts to use the first one, typically
> > round-robin rotated by the nameserver.)
> >
> > Anyway, if there are objections to this behavior, it's a completely
> > separate issue from handling long CNAME chains.
> 
> Ah yeah, ok that makes sense.
> I wasn't thinking about it as "we just need any address".
> No objections to that from me!
> 
> > From my reading of your links, and
> >
> > https://groups.google.com/g/comp.protocols.dns.bind/c/rXici9NvIqI
> >
> > I don't think max-recursion-depth is related to CNAMEs. It's the depth
> > of delegation recursion. The max CNAME chain length is separate, and
> > in unbound terminology is the number of "restarts". Unbound's limit as
> > you've found is 11. BIND's is supposedly hard-coded at 16.
> >
> > Assuming the recursive server uses pointers properly, max size of a
> > length-N CNAME chain is (N+1)*(255+epsilon). This comes out to a
> > little over 4k for the BIND limit, and that's assuming max-length
> > names with no further redundancy. I would expect the real-world need
> > is considerably lower than this, and that the Unbound default limit on
> > chain length also suffices in practice (or it wouldn't be the default
> > for a widely used recursive server). So, for example, using a 4k
> > buffer (adding a little over 3k to what we have now, which already had
> > enough for one CNAME) should solve the problem entirely.
> >
> > Does this sound like an okay fix to you?
> 
> Sounds good to me!

Great. Writing up the commit message, I figured it's not much larger
to go with supporting the full 16, and easier to justify. Proposed
patch attached.

Rich

View attachment "0001-dns-stub-resolver-increase-buffer-size-to-handle-cha.patch" of type "text/plain" (1968 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.