On Wed, Jul 05, 2023 at 12:18:11PM +1200, Hamish Forbes wrote: > On Wed, 5 Jul 2023 at 04:06, Rich Felker wrote: > > > > On Tue, Jul 04, 2023 at 04:19:16PM +1200, Hamish Forbes wrote: > > > On Tue, 4 Jul 2023 at 15:29, Rich Felker wrote: > > It's as safe as it was before, and it's always been the intended > > behavior. Aside from the CNAME chain issue which wasn't even realized > > at the time, use of TCP for getaddrinfo is not about getting more > > answers than fit in the UDP response size. It's about handling the > > case where the recursive server returns a truncated response with zero > > answer records instead of the max number that fit. It turned out this > > could also occur with a single CNAME where both the queried name and > > the CNAME target take up nearly the full 255 length. > > > > As for why not to care about more results, getaddrinfo does not > > provide a precise view of DNS space. It takes a hostname and gives you > > a set of addresses you can use to attempt to connect to that host (or > > bind if that name is your own, etc.). There's very little utility in > > timing out more than 47 times then continuing to try more addresses > > rather than just failing. "Our name resolves to 100 addresses and you > > have to try all of them to find the one that works" is not a viable > > configuration. (A lot of software does not even iterate and try > > fallbacks at all, but only attempts to use the first one, typically > > round-robin rotated by the nameserver.) > > > > Anyway, if there are objections to this behavior, it's a completely > > separate issue from handling long CNAME chains. > > Ah yeah, ok that makes sense. > I wasn't thinking about it as "we just need any address". > No objections to that from me! > > > From my reading of your links, and > > > > https://groups.google.com/g/comp.protocols.dns.bind/c/rXici9NvIqI > > > > I don't think max-recursion-depth is related to CNAMEs. It's the depth > > of delegation recursion. The max CNAME chain length is separate, and > > in unbound terminology is the number of "restarts". Unbound's limit as > > you've found is 11. BIND's is supposedly hard-coded at 16. > > > > Assuming the recursive server uses pointers properly, max size of a > > length-N CNAME chain is (N+1)*(255+epsilon). This comes out to a > > little over 4k for the BIND limit, and that's assuming max-length > > names with no further redundancy. I would expect the real-world need > > is considerably lower than this, and that the Unbound default limit on > > chain length also suffices in practice (or it wouldn't be the default > > for a widely used recursive server). So, for example, using a 4k > > buffer (adding a little over 3k to what we have now, which already had > > enough for one CNAME) should solve the problem entirely. > > > > Does this sound like an okay fix to you? > > Sounds good to me! Great. Writing up the commit message, I figured it's not much larger to go with supporting the full 16, and easier to justify. Proposed patch attached. Rich