From: Eric Pruitt
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: [PATCH v5] resolver: mitigate bad interactions concering inconsistent DNS search domains with ndots usage
Date: Sat, 31 Mar 2018 10:22:32 -0700
Message-ID: <20180331172232.5i4vxm27pbkeq3qq@sinister.lan.codevat.com>
References: <20180331094004.4153-1-nenolod@dereferenced.org>
To: musl@lists.openwall.com

On Sat, Mar 31, 2018 at 09:40:04AM +0000, William Pitcock wrote:
> In certain cases where the Kubernetes guest is configured with a clusterwide domain that is
> hosted by a certain large CDN provider (*ahem* Cloudflare), the resolver may process
> erroneous replies sent from that CDN provider that have an empty A/AAAA record set.
> [...]
> - if ((abuf[0][3] & 15) == 0) return EAI_NONAME; > + if ((abuf[0][3] & 15) == 0) { > + /* A certain large CDN provider's DNS service erroneously responds to queries with > + * a NOERROR(0) response code, while also returning an empty record set.
Accordingly, > + * check for this and handle it as we would an NXDOMAIN(3) if the record set is empty > + * for both A and AAAA records. */ > + if (nq == 2 && (ctx.recordcnt[0] + ctx.recordcnt[1]) == 0) return 0; > + else return EAI_NONAME;

If you're going to call out Cloudflare in the commit message, why not do it in the code comment, too? If someone runs into this later without having read this mailing list post and they're using a release copy of musl (something without revision history like a tar ball), poorly obscuring Cloudflare's name just adds unnecessary friction to debugging the problem.

Eric
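
Review bot: the added test on nq == 2 and (ctx.recordcnt[0] + ctx.recordcnt[1]) == 0 cannot tell the misbehaving server apart from a legitimate NODATA answer. NOERROR with an empty answer section is also the standard reply (RFC 2308) for a name that exists but has no A or AAAA records, so every such name would now be handled, in the comment's words, as an NXDOMAIN(3). The comment should say that this case is affected too, and should state what "return 0" means to the caller, since the removed line returned EAI_NONAME for every rcode 0 reply. The nq == 2 guard also leaves the single-query case on the old EAI_NONAME path; the comment only hints at that with "for both A and AAAA records" and would be clearer if it said so outright.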