mailing list of musl libc
From: "Briner Cédric (DI)" <Cedric.Briner@etat.ge.ch>
To: "musl@lists.openwall.com" <musl@lists.openwall.com>
Subject: RE: [musl] resolv.conf and ndots:5
Date: Thu, 16 Mar 2023 12:17:38 +0000
Message-ID: <94e1e19cea2b4433a138688b16fb5dfc@etat.ge.ch>
In-Reply-To: <20230313163558.GP4163@brightrain.aerifal.cx>

Hi Rich and Quentin,
 
> > Hi,
> I followed up as you were leaving IRC:

Sorry for this, my bad!

> > ge.ch.app-5580-capitastra-rec-01.svc.cluster.local
> > [pid 1228780] recvfrom(3, "\2567\205\200\0\1\0\0\0\1\0\1\2ge\2ch\4ceti\7etat-ge\2"..., 512, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.177.0.10")}, [16]) = 140
>                                   ^^^^^^^^
> 
> The low 4 bits of the underlined part of the response packet form
> RCODE=0, success. This is 10.177.0.10 saying the queried name does
> exist and just does not have an A record. (It might have AAAA records,
> MX records, whatever -- we can't know.)
> 
> Since normal recursive nameservers on the public internet correctly
> report RCODE=3 (NxDomain) for ge.ch.ceti.etat-ge.ch, something in your
> k8s cluster must be rewriting the answer to give an incorrect result.
> 
> glibc (like most traditional stub resolvers) handles this case
> sloppily and just treats NODATA and NxDomain the same, continuing
> search. This makes the results potentially unstable depending on
> whether the caller requested both v4 and v6 results or just one or the
> other, and semantically mismatches what's in DNS. musl handles this
> very intentionally with the aim of delivering only consistent results.


Thank you for the detailed and precise response provided. That helped us a lot!

What I’ve learned is:
- that NODATA is considered a valid answer, showing that this entry belongs to the DNS ceti.etat-ge.ch
- that the dig command shows information in this respect in the section ->>HEADER<<-
  - it used to be status: NOERROR (saying that it belongs to this DNS, but does not have an A record)
  - and it is now status: NXDOMAIN (saying that ge.ch.ceti.etat-ge.ch does not belong to this DNS)
- that musl has a different algorithm (stricter with respect to the DNS RFC) than the other libc, which gives different results in our case

> Rich

With all my considerations.
Cedric (from Switzerland)
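
The header check discussed in this thread, as an added example (not code from musl, glibc, or any poster): it decodes RCODE and ANCOUNT from the 12-byte DNS header and shows how the two search policies described above diverge on NODATA. The names classify, continue_search, thread_hdr and nx_hdr are hypothetical; nx_hdr is a constructed variant of the quoted packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum dns_result { DNS_INVALID, DNS_ANSWER, DNS_NODATA, DNS_NXDOMAIN, DNS_OTHER };

/* Classify a DNS response from its 12-byte header (RFC 1035, section 4.1.1). */
enum dns_result classify(const uint8_t *p, size_t len)
{
    if (len < 12 || !(p[2] & 0x80))      /* too short, or QR=0 (not a response) */
        return DNS_INVALID;
    unsigned rcode = p[3] & 0x0f;        /* low 4 bits of the second flags byte */
    unsigned ancount = (unsigned)p[6] << 8 | p[7];
    if (rcode == 3) return DNS_NXDOMAIN; /* the name does not exist */
    if (rcode != 0) return DNS_OTHER;    /* SERVFAIL, REFUSED, ... */
    return ancount ? DNS_ANSWER : DNS_NODATA; /* RCODE=0 with no answers: NODATA */
}

/* Should a stub resolver move on to the next search-domain suffix?
 * strict=1: only NXDOMAIN continues (the behaviour described for musl above).
 * strict=0: NODATA continues as well (the behaviour described for glibc above).
 * Error RCODEs are outside the scope of this example and stop the search. */
int continue_search(enum dns_result r, int strict)
{
    if (r == DNS_NXDOMAIN) return 1;
    return !strict && r == DNS_NODATA;
}

/* First 12 bytes of the recvfrom() buffer quoted in the thread:
 * "\2567\205\200\0\1\0\0\0\1\0\1" */
const uint8_t thread_hdr[12] = { 0256, '7', 0205, 0200, 0, 1, 0, 0, 0, 1, 0, 1 };
/* Constructed sample: the same header with RCODE=3 (NXDOMAIN). */
const uint8_t nx_hdr[12]     = { 0256, '7', 0205, 0203, 0, 1, 0, 0, 0, 1, 0, 1 };

int main(void)
{
    static const char *name[] = { "INVALID", "ANSWER", "NODATA", "NXDOMAIN", "OTHER" };
    enum dns_result r = classify(thread_hdr, sizeof thread_hdr);
    printf("quoted packet: %s, strict continues=%d, lenient continues=%d\n",
           name[r], continue_search(r, 1), continue_search(r, 0));
    r = classify(nx_hdr, sizeof nx_hdr);
    printf("constructed packet: %s, strict continues=%d, lenient continues=%d\n",
           name[r], continue_search(r, 1), continue_search(r, 0));
    return 0;
}
```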
