From: Rich Felker <dalias@libc.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: musl@lists.openwall.com
Subject: Re: [musl] TCP support in the stub resolver
Date: Sat, 2 May 2020 11:44:29 -0400 [thread overview]
Message-ID: <20200502154429.GU21576@brightrain.aerifal.cx> (raw)
In-Reply-To: <87wo5umk3z.fsf@mid.deneb.enyo.de>
On Sat, May 02, 2020 at 05:28:48PM +0200, Florian Weimer wrote:
> * Rich Felker:
>
> > On Tue, Apr 21, 2020 at 07:26:08PM +0200, Florian Weimer wrote:
> >> * Rich Felker:
> >>
> >> >> I'm excited that Fedora plans to add a local caching resolver by
> >> >> default. It will help with a lot of these issues.
> >> >
> >> > That's great news! Will it be DNSSEC-enforcing by default?
> >>
> >> No. It is currently not even DNSSEC-aware, in the sense that you
> >> can't get any DNSSEC data from it. That's the sad part.
> >
> > That's really disappointing. Why? Both systemd-resolved and dnsmasq,
> > the two reasonable (well, reasonable for distros using systemd already
> > in the systemd-resolved case :) options for this, support DNSSEC fully
> > as I understand it. Is it just being turned off by default because of
> > risk of breaking things, or is some other implementation that lacks
> > DNSSEC being used?
>
> It's systemd-resolved. As far as I can tell, it does not provide
> DNSSEC data on the DNS client interface.
According to this it does:
https://wiki.archlinux.org/index.php/Systemd-resolved#DNSSEC
However it's subject to downgrade attacks unless you edit a config
file. Note that the example shows:
....
-- Data is authenticated: yes
so it looks like it's setting the AD bit like it should.
> > What I mean is that, if you use MSG_FASTOPEN on a kernel new enough to
> > understand it, I think it makes a normal TCP connection and sends the
> > data if fastopen is not enabled or not supported by the remote host,
> > but uses fastopen as long as it's enabled and supported. In this sense
> > it's automatic. But of course we'd have to fallback explicitly anyway
> > if it's not supported in order to maintain compatibility with older
> > kernels.
>
> I found this in the kernel sources. It's a bit worrying.
>
> /*
> * The following code block is to deal with middle box issues with TFO:
> * Middlebox firewall issues can potentially cause server's data being
> * blackholed after a successful 3WHS using TFO.
> * The proposed solution is to disable active TFO globally under the
> * following circumstances:
> * 1. client side TFO socket receives out of order FIN
> * 2. client side TFO socket receives out of order RST
> * 3. client side TFO socket has timed out three times consecutively during
> * or after handshake
> * We disable active side TFO globally for 1hr at first. Then if it
> * happens again, we disable it for 2h, then 4h, 8h, ...
> * And we reset the timeout back to 1hr when we see a successful active
> * TFO connection with data exchanges.
> */
>
> It's possible that the retransmit with TCP Fast Open happens as part
> of the regular TCP state machine. I can't find an explicit fallback
> handler.
I'm not sure what you're saying. Fastopen is only tried initially if
the kernel previously got a TCP header from the remote host indicating
support for it (and providing a cookie -- the kernel should have an
option to only accept zero-length cookies since anything else is a
tracking-vector/privacy-risk, but I'm not aware of such an option). If
not available for the particular host, or not at all (due to the above
global-disable heuristic or configuration), AIUI it just initially
does normal TCP and puts the payload in the send buffer.
> >> >> Above 4096 bytes, pretty much all recursive resolvers will send TC
> >> >> responses even if the client offers a larger buffer size. This means
> >> >> for correctness, you cannot do away with TCP support.
> >> >
> >> > In that case doing EDNS at all seems a lot less useful. Fragmentation
> >> > is always a possibility above min MTU (essentially same limit as
> >> > original UDP DNS) and the large responses are almost surely things you
> >> > do want to avoid forgery on, which leads me back around to thinking
> >> > that if you want them you really really need to be running a local
> >> > DNSSEC validating nameserver and then can just use-vc...
> >>
> >> Why use use-vc at all? Some software *will* break because it assumes
> >> that certain libc calls do not keep open some random file descriptor.
> >
> > Does use-vc do that (keep the fd open) in glibc? It doesn't seem to be
> > documented that way, just as forcing use of tcp, and my intent was not
> > to keep any fd open (since you need a separate fd per query anyway to
> > do them in parallel or in case the server closes the socket after one
> > reply).
>
> Sorry, I thought you wanted to keep the connection open to reduce
> latency.
No, the intent is that users only use this with localhost where the
result can be trusted and the latency is trivial and in theory can be
optimized out. (Kernel can in theory do the whole handshake with itself
during the connect syscall or just high-level emulate it if you didn't
care about seeing it on "tcpdump -i lo". Not sure if it does this but
I wouldn't be surprised.)
Rich
next prev parent reply other threads:[~2020-05-02 15:44 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <fce05ab0ed102dec10e4163dd4ce5d8095d2ffd7.camel@web.de>
[not found] ` <20200412211807.GC41308@straasha.imrryr.org>
[not found] ` <d64b1b8801cc5350e9d27dd109dd2446e7d4b860.camel@web.de>
[not found] ` <20200413024746.GD41308@straasha.imrryr.org>
[not found] ` <b38668e94b2781003a14c6dca3d41edf33e347e2.camel@web.de>
[not found] ` <A2FE67B5-A9A9-4A0F-A59D-78FF2AB992B7@dukhovni.org>
[not found] ` <f79a9f0c369607fc38bef06fec521eaf3ab23d8c.camel@web.de>
[not found] ` <6E8A9D4F-18CE-4ADA-A5B4-D14DB30C99E5@dukhovni.org>
[not found] ` <25e70f31f0c4629f7a7d3957649d08be06144067.camel@web.de>
[not found] ` <CECAFB36-DA1B-4EFB-ACD1-294E3B121B2E@dukhovni.org>
2020-04-13 18:35 ` [musl] Re: Outgoing DANE not working Rich Felker
[not found] ` <20200413190412.GF41308@straasha.imrryr.org>
[not found] ` <20200413193505.GY11469@brightrain.aerifal.cx>
[not found] ` <20200413214138.GG41308@straasha.imrryr.org>
[not found] ` <20200414035303.GZ11469@brightrain.aerifal.cx>
[not found] ` <87v9m0hdjk.fsf@mid.deneb.enyo.de>
[not found] ` <20200415180149.GH11469@brightrain.aerifal.cx>
[not found] ` <87imi0haf7.fsf@mid.deneb.enyo.de>
[not found] ` <20200417034059.GF11469@brightrain.aerifal.cx>
[not found] ` <878siucvqd.fsf@mid.deneb.enyo.de>
2020-04-17 16:07 ` Rich Felker
2020-04-18 17:14 ` [musl] TCP support in the stub resolver (was: Re: Outgoing DANE not working) Florian Weimer
2020-04-19 0:03 ` Rich Felker
2020-04-19 8:12 ` [musl] TCP support in the stub resolver Florian Weimer
2020-04-20 1:24 ` Rich Felker
2020-04-20 6:26 ` Florian Weimer
2020-04-20 17:39 ` Rich Felker
2020-04-21 9:48 ` Florian Weimer
2020-04-21 15:02 ` Rich Felker
2020-04-21 17:26 ` Florian Weimer
2020-05-01 22:02 ` Rich Felker
2020-05-02 15:28 ` Florian Weimer
2020-05-02 15:44 ` Rich Felker [this message]
2020-05-02 22:52 ` Bartosz Brachaczek
2020-05-03 8:46 ` Florian Weimer
2020-05-03 16:51 ` Rich Felker
2020-05-03 17:19 ` Florian Weimer
2020-05-03 18:18 ` Florian Weimer
2020-05-03 19:09 ` Rich Felker
2020-05-03 19:34 ` Florian Weimer
2020-05-03 19:45 ` Rich Felker
[not found] ` <20200414061620.GI41308@straasha.imrryr.org>
[not found] ` <20200414160641.GC11469@brightrain.aerifal.cx>
[not found] ` <20200414215951.GJ41308@straasha.imrryr.org>
2020-05-19 1:37 ` [musl] Re: Outgoing DANE not working Rich Felker
[not found] ` <20200519023814.GN68966@straasha.imrryr.org>
2020-05-19 5:44 ` Rich Felker
[not found] ` <20200519090610.GO68966@straasha.imrryr.org>
2020-05-19 14:00 ` Rich Felker
2020-05-19 14:23 ` Wietse Venema
2020-05-19 14:28 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200502154429.GU21576@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=fw@deneb.enyo.de \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).