From: Rich Felker <dalias@libc.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Christian <list-christian@web.de>, musl@lists.openwall.com
Subject: Re: [musl] Resolver routines, Postfix DNSSEC troubles - how to check for incompatibilities?
Date: Tue, 14 Apr 2020 11:53:24 -0400 [thread overview]
Message-ID: <20200414155324.GA11469@brightrain.aerifal.cx> (raw)
In-Reply-To: <87blnuo0ea.fsf@mid.deneb.enyo.de>
On Tue, Apr 14, 2020 at 11:57:17AM +0200, Florian Weimer wrote:
> * Rich Felker:
>
> > On Mon, Apr 13, 2020 at 05:52:34PM +0200, Florian Weimer wrote:
> >> * Christian:
> >>
> >> > So Viktor did some digging:
> >> >
> >> > "The comment on line 25:
> >> >
> >> > https://github.com/runtimejs/musl-libc/blob/master/include/resolv.h#L25
> >> >
> >> > is not encouraging. It suggests that _res is unused. If so, Postfix
> >> > DNS does not work correctly with this C library. And not just for DANE, since Postfix is also unable to to control RES_DEFNAMES and RES_DNSRCH.
> >>
> >> Are these changes to the RES_DEFNAMES and RES_DNSRCH flags really
> >> necessary? Why doesn't Postfix use res_query (or perhaps res_send) as
> >> appropriate?
> >
> > But to actually answer these questions, modifying the flags is
> > presumably because traditional req_query builds an rfc1035 query or
> > edns query based on these flags derived from from resolv.conf, and
> > Postfix either assumes or wants to support the case where resolv.conf
> > is not already configured for edns, perhaps because it was generated
> > by a dhcp client.
>
> In my comment above, I specifically meant RES_DEFNAMES and RES_DNSRCH.
>
> RES_USE_EDNS0 seems different; I would expect applications to use
> their own DNS libraries if they need to access DNSSEC data and
> non-address record types (where there is no benefit gained form
> integrating with /etc/hosts or other data sources).
Oh. For those it seems to be to suppress search domains, so that when
looking up the MX or TLSA for example.com it doesn't get records for
example.com.searchdomain.
I don't know why they poke at flags in _res rather than just appending
a . to the name, and/or comparting the name in the result to ensure
that it matches.
Also res_query is *documented* not to use search domains. You have to
use res_search if you want them. So the flags would only affect A/AAAA
lookups via getaddrinfo etc. anyway. Maybe that's the case they care
about, but appending . would still solve it, and it's not a DANE
integrity issue anyway since if you contacted the wrong server IP the
certificate/key would not match.
Rich
next prev parent reply other threads:[~2020-04-14 15:53 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-13 9:25 Christian
2020-04-13 11:20 ` Christian
2020-04-13 15:29 ` Rich Felker
2020-04-13 15:52 ` Florian Weimer
2020-04-13 16:07 ` Rich Felker
2020-04-13 16:38 ` Rich Felker
2020-04-13 17:51 ` Christian
2020-04-13 18:04 ` Rich Felker
2020-04-14 9:57 ` Florian Weimer
2020-04-14 15:53 ` Rich Felker [this message]
2020-04-14 16:54 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200414155324.GA11469@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=fw@deneb.enyo.de \
--cc=list-christian@web.de \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).