From: Rich Felker <dalias@libc.org>
To: postfix-users@postfix.org
Cc: musl@lists.openwall.com
Subject: [musl] Re: Outgoing DANE not working
Date: Mon, 18 May 2020 21:37:36 -0400 [thread overview]
Message-ID: <20200519013734.GL21576@brightrain.aerifal.cx> (raw)
In-Reply-To: <20200414215951.GJ41308@straasha.imrryr.org>
On Tue, Apr 14, 2020 at 05:59:51PM -0400, Viktor Dukhovni wrote:
> > > That RFC was published in 2013. That's long enough ago.
> >
> > We support environments that haven't been touched since 2009 or so,
> > and to a lesser/minimal-support extent ones that haven't been touched
> > since around 2004. Your idea of environments Postfix might be running
> > on musl in is very different from the concept of environments that
> > arbitrary applications binaries linked to musl might be running in.
>
> Nevertheless, the AD bit is on by default in dig and similar tools, with
> no reports of any issues in a long time. Do you see dig fail where MUSL
> libc lookups succeed? I'm asking around the DNS community for any
> evidence of barriers to AD=1, so far nobody knows of any. I'll try to
> find more compelling evidence, but basically tolerating AD=1 (either
> ignoring or acting on it per the 2013 RFC) is *required* resolver
> behaviour.
>
> > So if there's any chance of this breaking there almost certainly needs
> > to be a way to turn it off that works even on static binaries.
>
> Whether and where to place such controls is your call. If novel
> /etc/resolv.conf options are not a problem for statically linked
> binaries using something other than musl-libc, then you could
> have:
>
> options noad ...
>
> but if that is incompatible with other stub resolver libraries on the
> same machine, you may need a private musl-specific configuration file.
>
> My money is on this being unnecessary. I'll let know what I find
> from dns-operations, and if possible perhaps a RIPE ATLAS probe,
> assuming they support enabling AD=1.
>
> > > In that case, set the AD bit unconditionally, or provide a documented
> > > mechanism to do so via a suitable configuration file.
> >
> > Putting it in resolv.conf on an options line is probably the best. The
> > main remaining question is just which default to use, and where to
> > apply it (at res_mkquery or at res_send).
>
> Your call.
>
> > > Find me a resolver that fails when the AD bit is set. Stub resolvers
> > > that always set it have been around for some time now.
> >
> > Do you know if the usual Windows, Android, iOS, etc. ones always set
> > it? If so it's almost surely safe to do so and this might not even
> > need to be an option (which would really be my favorite coarse of
> > action -- making it unconditional so there's no new configuration to
> > invent).
>
> Mostly dig, unbound-host, ... Most of the platform C libraries support
> DO=1, which obviates the need for AD=1, so they don't do that, but it is
> nevertheless safe. AD=1 is much cheaper than DO=1, because you get back
> just the AD bit without the excess RRSIG baggage, which is not needed
> when you're not doing your own validation.
I have a proposed solution expected to go upstream in this release
cycle: res_* set AD bit unconditionally in outgoing queries, but the
[backend for the] netdb.h functions clears it after calling
__res_mkquery.
This ensures that even if there are some broken nameservers/networks
still that can't handle AD in queries, the standard, widely-used,
high-level lookup APIs will still work, and at worst res_query breaks.
Note that the netdb.h functions have no use for the AD bit and no way
to pass it back to the caller, so there is no reduction in
functionality by having them clear it.
Rich
next prev parent reply other threads:[~2020-05-19 1:37 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <fce05ab0ed102dec10e4163dd4ce5d8095d2ffd7.camel@web.de>
[not found] ` <20200412211807.GC41308@straasha.imrryr.org>
[not found] ` <d64b1b8801cc5350e9d27dd109dd2446e7d4b860.camel@web.de>
[not found] ` <20200413024746.GD41308@straasha.imrryr.org>
[not found] ` <b38668e94b2781003a14c6dca3d41edf33e347e2.camel@web.de>
[not found] ` <A2FE67B5-A9A9-4A0F-A59D-78FF2AB992B7@dukhovni.org>
[not found] ` <f79a9f0c369607fc38bef06fec521eaf3ab23d8c.camel@web.de>
[not found] ` <6E8A9D4F-18CE-4ADA-A5B4-D14DB30C99E5@dukhovni.org>
[not found] ` <25e70f31f0c4629f7a7d3957649d08be06144067.camel@web.de>
[not found] ` <CECAFB36-DA1B-4EFB-ACD1-294E3B121B2E@dukhovni.org>
2020-04-13 18:35 ` Rich Felker
[not found] ` <20200413190412.GF41308@straasha.imrryr.org>
[not found] ` <20200413193505.GY11469@brightrain.aerifal.cx>
[not found] ` <20200413214138.GG41308@straasha.imrryr.org>
[not found] ` <20200414035303.GZ11469@brightrain.aerifal.cx>
[not found] ` <87v9m0hdjk.fsf@mid.deneb.enyo.de>
[not found] ` <20200415180149.GH11469@brightrain.aerifal.cx>
[not found] ` <87imi0haf7.fsf@mid.deneb.enyo.de>
[not found] ` <20200417034059.GF11469@brightrain.aerifal.cx>
[not found] ` <878siucvqd.fsf@mid.deneb.enyo.de>
2020-04-17 16:07 ` Rich Felker
2020-04-18 17:14 ` [musl] TCP support in the stub resolver (was: Re: Outgoing DANE not working) Florian Weimer
2020-04-19 0:03 ` Rich Felker
2020-04-19 8:12 ` [musl] TCP support in the stub resolver Florian Weimer
2020-04-20 1:24 ` Rich Felker
2020-04-20 6:26 ` Florian Weimer
2020-04-20 17:39 ` Rich Felker
2020-04-21 9:48 ` Florian Weimer
2020-04-21 15:02 ` Rich Felker
2020-04-21 17:26 ` Florian Weimer
2020-05-01 22:02 ` Rich Felker
2020-05-02 15:28 ` Florian Weimer
2020-05-02 15:44 ` Rich Felker
2020-05-02 22:52 ` Bartosz Brachaczek
2020-05-03 8:46 ` Florian Weimer
2020-05-03 16:51 ` Rich Felker
2020-05-03 17:19 ` Florian Weimer
2020-05-03 18:18 ` Florian Weimer
2020-05-03 19:09 ` Rich Felker
2020-05-03 19:34 ` Florian Weimer
2020-05-03 19:45 ` Rich Felker
[not found] ` <20200414061620.GI41308@straasha.imrryr.org>
[not found] ` <20200414160641.GC11469@brightrain.aerifal.cx>
[not found] ` <20200414215951.GJ41308@straasha.imrryr.org>
2020-05-19 1:37 ` Rich Felker [this message]
[not found] ` <20200519023814.GN68966@straasha.imrryr.org>
2020-05-19 5:44 ` [musl] Re: Outgoing DANE not working Rich Felker
[not found] ` <20200519090610.GO68966@straasha.imrryr.org>
2020-05-19 14:00 ` Rich Felker
2020-05-19 14:23 ` Wietse Venema
2020-05-19 14:28 ` Rich Felker
[not found] <20200519154542.GC1079@brightrain.aerifal.cx>
[not found] ` <49RN803wcfzJrNv@spike.porcupine.org>
2020-05-19 20:08 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200519013734.GL21576@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=musl@lists.openwall.com \
--cc=postfix-users@postfix.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).