From: Florian Weimer <fw@deneb.enyo.de>
To: Rich Felker <dalias@libc.org>
Cc: musl@lists.openwall.com
Subject: Re: [musl] TCP support in the stub resolver
Date: Tue, 21 Apr 2020 19:26:08 +0200 [thread overview]
Message-ID: <87zhb4px73.fsf@mid.deneb.enyo.de> (raw)
In-Reply-To: <20200421150241.GL11469@brightrain.aerifal.cx> (Rich Felker's message of "Tue, 21 Apr 2020 11:02:41 -0400")
* Rich Felker:
>> I'm excited that Fedora plans to add a local caching resolver by
>> default. It will help with a lot of these issues.
>
> That's great news! Will it be DNSSEC-enforcing by default?
No. It is currently not even DNSSEC-aware, in the sense that you
can't get any DNSSEC data from it. That's the sad part.
>> > BTW, am I mistaken or can TCP fastopen make it so you can get a DNS
>> > reply with no additional round-trips? (query in the payload with
>> > fastopen, response sent immediately after SYN-ACK before receiving ACK
>> > from client, and nobody has to wait for connection to be closed) Of
>> > course there are problems with fastopen that lead to it often being
>> > disabled so it's not a full substitute for UDP.
>>
>> There's no handshake to enable it, so it would have to be an
>> /etc/resolv.conf setting. It's also not clear how you would perform
>> auto-detection that works across arbitrary middleboxen. I don't think
>> it's useful for an in-process stub resolver.
>
> The kernel automatically does it,
Surely not, it causes too many interoperability issues for that. It's
also difficult to fit it into the BSD sockets API. As far as I can
see, you have to use sendmsg or sendto with MSG_FASTOPEN instead of a
connect call to establish the connection.
(When the kernel says that it's enabled by default, it means that you
can use MSG_FASTOPEN with sysctl tweaks.)
>> The other problem with EDNS is that for sizes on the large end
>> (certainly above the MTU), it depends on fragmentation. Fragmentation
>> is completely insecure because in DNS packets, all the randomness is
>> in one fragment, so packet spoofing only needs to guess the fragment
>> ID (and the recipient IP stack will provide the UDP port for free).
>> Some of us have been working on eliminating fragmented DNS responses
>> for that reason, which unfortunately reduces the reach of EDNS
>> somewhat.
>
> Well DNS is completely insecure anyway unless you're validating DNSSEC
> locally.
It's not, it works quite well actually in the absence of on-path
attackers.
Even DNSSEC still needs that level of security because a resolver
often has to use unsigned data to figure out where to send the next
query. If DNS were completely insecure, DNSSEC would still break
because it's prone to denial-of-service attacks on the unsigned
routing data.
> Yes the fragmentation issue makes it a lot easier to blindly
> spoof (as opposed to needing ability to intercept/MITM).
And that difference does matter.
>> Above 4096 bytes, pretty much all recursive resolvers will send TC
>> responses even if the client offers a larger buffer size. This means
>> for correctness, you cannot do away with TCP support.
>
> In that case doing EDNS at all seems a lot less useful. Fragmentation
> is always a possibility above min MTU (essentially same limit as
> original UDP DNS) and the large responses are almost surely things you
> do want to avoid forgery on, which leads me back around to thinking
> that if you want them you really really need to be running a local
> DNSSEC validating nameserver and then can just use-vc...
Why use use-vc at all? Some software *will* break because it assumes
that certain libc calls do not keep open some random file descriptor.
>> Some implementations have used a longer sequence of transports: DNS
>> over UDP, EDNS over UDP, and finally TCP. That avoids EDNS
>> pseudo-negotiation until it is actually needed. I'm not aware of any
>> stub resolvers doing that, though.
>
> Yeah, each fallback is just going to increase total latency though,
> very badly if they're all remote.
>
> Actually, the current musl approach adapted to this would be to just
> do them all concurrently: DNS/UDP, EDNS/UDP, and DNS/TCP, and accept
> the first answer that's not truncated or broken server
> (servfail/formerr/notimp), basically same as we do now but with more
> choices. But that's getting heavier on unwanted network traffic...
Aggressive parallel queries tend to break middleboxes. Even A/AAAA is
problematic. Good interoperability and good performance are difficult
to obtain, particularly from short-lived processes.
next prev parent reply other threads:[~2020-04-21 17:26 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <fce05ab0ed102dec10e4163dd4ce5d8095d2ffd7.camel@web.de>
[not found] ` <20200412211807.GC41308@straasha.imrryr.org>
[not found] ` <d64b1b8801cc5350e9d27dd109dd2446e7d4b860.camel@web.de>
[not found] ` <20200413024746.GD41308@straasha.imrryr.org>
[not found] ` <b38668e94b2781003a14c6dca3d41edf33e347e2.camel@web.de>
[not found] ` <A2FE67B5-A9A9-4A0F-A59D-78FF2AB992B7@dukhovni.org>
[not found] ` <f79a9f0c369607fc38bef06fec521eaf3ab23d8c.camel@web.de>
[not found] ` <6E8A9D4F-18CE-4ADA-A5B4-D14DB30C99E5@dukhovni.org>
[not found] ` <25e70f31f0c4629f7a7d3957649d08be06144067.camel@web.de>
[not found] ` <CECAFB36-DA1B-4EFB-ACD1-294E3B121B2E@dukhovni.org>
2020-04-13 18:35 ` [musl] Re: Outgoing DANE not working Rich Felker
[not found] ` <20200413190412.GF41308@straasha.imrryr.org>
[not found] ` <20200413193505.GY11469@brightrain.aerifal.cx>
[not found] ` <20200413214138.GG41308@straasha.imrryr.org>
[not found] ` <20200414035303.GZ11469@brightrain.aerifal.cx>
[not found] ` <87v9m0hdjk.fsf@mid.deneb.enyo.de>
[not found] ` <20200415180149.GH11469@brightrain.aerifal.cx>
[not found] ` <87imi0haf7.fsf@mid.deneb.enyo.de>
[not found] ` <20200417034059.GF11469@brightrain.aerifal.cx>
[not found] ` <878siucvqd.fsf@mid.deneb.enyo.de>
2020-04-17 16:07 ` Rich Felker
2020-04-18 17:14 ` [musl] TCP support in the stub resolver (was: Re: Outgoing DANE not working) Florian Weimer
2020-04-19 0:03 ` Rich Felker
2020-04-19 8:12 ` [musl] TCP support in the stub resolver Florian Weimer
2020-04-20 1:24 ` Rich Felker
2020-04-20 6:26 ` Florian Weimer
2020-04-20 17:39 ` Rich Felker
2020-04-21 9:48 ` Florian Weimer
2020-04-21 15:02 ` Rich Felker
2020-04-21 17:26 ` Florian Weimer [this message]
2020-05-01 22:02 ` Rich Felker
2020-05-02 15:28 ` Florian Weimer
2020-05-02 15:44 ` Rich Felker
2020-05-02 22:52 ` Bartosz Brachaczek
2020-05-03 8:46 ` Florian Weimer
2020-05-03 16:51 ` Rich Felker
2020-05-03 17:19 ` Florian Weimer
2020-05-03 18:18 ` Florian Weimer
2020-05-03 19:09 ` Rich Felker
2020-05-03 19:34 ` Florian Weimer
2020-05-03 19:45 ` Rich Felker
[not found] ` <20200414061620.GI41308@straasha.imrryr.org>
[not found] ` <20200414160641.GC11469@brightrain.aerifal.cx>
[not found] ` <20200414215951.GJ41308@straasha.imrryr.org>
2020-05-19 1:37 ` [musl] Re: Outgoing DANE not working Rich Felker
[not found] ` <20200519023814.GN68966@straasha.imrryr.org>
2020-05-19 5:44 ` Rich Felker
[not found] ` <20200519090610.GO68966@straasha.imrryr.org>
2020-05-19 14:00 ` Rich Felker
2020-05-19 14:23 ` Wietse Venema
2020-05-19 14:28 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zhb4px73.fsf@mid.deneb.enyo.de \
--to=fw@deneb.enyo.de \
--cc=dalias@libc.org \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).