mailing list of musl libc
From: Rich Felker <dalias@libc.org>
To: postfix-users@postfix.org
Cc: musl@lists.openwall.com
Subject: [musl] Re: Outgoing DANE not working
Date: Tue, 19 May 2020 01:44:30 -0400
Message-ID: <20200519054427.GN21576@brightrain.aerifal.cx>
In-Reply-To: <20200519023814.GN68966@straasha.imrryr.org>

On Mon, May 18, 2020 at 10:38:14PM -0400, Viktor Dukhovni wrote:
> On Mon, May 18, 2020 at 09:37:36PM -0400, Rich Felker wrote:
> 
> > > Mostly dig, unbound-host, ... Most of the platform C libraries support
> > > DO=1, which obviates the need for AD=1, so they don't do that, but it is
> > > nevertheless safe.  AD=1 is much cheaper than DO=1, because you get back
> > > just the AD bit without the excess RRSIG baggage, which is not needed
> > > when you're not doing your own validation.
> > 
> > I have a proposed solution expected to go upstream in this release
> > cycle: res_* set AD bit unconditionally in outgoing queries, but the
> > [backend for the] netdb.h functions clears it after calling
> > __res_mkquery.
> > 
> > This ensures that even if there are some broken nameservers/networks
> > still that can't handle AD in queries, the standard, widely-used,
> > high-level lookup APIs will still work, and at worst res_query breaks.
> > 
> > Note that the netdb.h functions have no use for the AD bit and no way
> > to pass it back to the caller, so there is no reduction in
> > functionality by having them clear it.
> 
> This sounds reasonable.  Will there be a way for Postfix to detect the
> new library version, so that we don't disable DANE for musl-libc
> versions that do set the AD bit?

I'm really disappointed with the detection, which made things much
worse by producing postfix builds that won't do DANE even after
libc.so is upgraded. It should have just worked after upgrade. The
test is also somewhat broken in that it gets the wrong result if
/bin/sh is static-linked, or if you have postfix built against musl on
a system where /bin/sh is glibc-based, etc. and I don't even know what
happens if you're cross-compiling or if that's even supported at all.

There's not really a "test for versions that do set" by version; I
would expect once the patch is upstream and tested, distros like
Alpine would just apply it to their existing musl package rather than
waiting to upgrade to get it. The only real test is a runtime one,
calling res_mkquery and observing that it's set.

BTW I saw in git master you added an additional musl test of the same
form for the res_n* APIs. A simpler way to detect them is just with
__RES macro in resolv.h, which indicates the supported API version.
AIUI it's provided by all known implementations, though I haven't
actually checked that.

Rich
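
The runtime test described in the message above (call res_mkquery and observe whether the AD bit is set), as an added example that is not code from the original message, from musl or from Postfix. The helper names dns_query_has_ad and libc_mkquery_sets_ad and the query name example.com are assumptions made for illustration; no packet is sent.

```c
/* Added example: probe whether the libc loaded at run time sets AD=1
 * in the queries res_mkquery builds. Helper names are hypothetical. */
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

#define DNS_HDR_LEN 12   /* fixed DNS header size (RFC 1035) */
#define DNS_FLAG_AD 0x20 /* header byte 3 is RA Z AD CD RCODE(4) */

/* Returns 1 if AD is set, 0 if clear, -1 if msg is not a full header. */
int dns_query_has_ad(const unsigned char *msg, int len)
{
    if (!msg || len < DNS_HDR_LEN)
        return -1;
    return (msg[3] & DNS_FLAG_AD) != 0;
}

/* Builds a query in memory only and inspects its header.
 * Returns 1 (AD set), 0 (AD clear) or -1 (res_mkquery failed). */
int libc_mkquery_sets_ad(void)
{
    unsigned char q[512];
    int n = res_mkquery(ns_o_query, "example.com", ns_c_in, ns_t_a,
                        NULL, 0, NULL, q, sizeof q);
    return n < 0 ? -1 : dns_query_has_ad(q, n);
}

int main(void)
{
#ifdef __RES
    /* API version macro from resolv.h, as mentioned in the message. */
    printf("resolv.h __RES = %ld\n", (long)__RES);
#endif
    switch (libc_mkquery_sets_ad()) {
    case 1:  puts("res_mkquery sets AD=1 in outgoing queries"); break;
    case 0:  puts("res_mkquery leaves AD=0 in outgoing queries"); break;
    default: puts("res_mkquery failed; result unknown"); return 1;
    }
    return 0;
}
```

Because the check runs against whatever libc.so is loaded when the program starts, the result follows a libc upgrade without a rebuild, unlike a build-time test.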

