From: Markus Wichmann
To: musl@lists.openwall.com
Date: Sat, 4 Nov 2023 11:49:58 +0100
Subject: Re: [musl] questions about musl DNS resolver

On Sat, Nov 04, 2023 at 12:12:58PM +0530, Ayush Agarwal wrote:
> Hi,
>
> I was reading about how DNS works in Linux distributions and I noticed
> some differences in the way libc resolvers work in glibc and in musl.
> I hope it's okay if I ask a few (potentially stupid) questions?
>
> 1. Why not offer a different man page on musl distributions for pages
> like resolv.conf(5) and resolver(3) considering how their
> implementation details and behavior are different from glibc? Is not
> offering them intentional or does it require someone to step up and
> write the documentation?
>

Well, for one, because musl doesn't offer /any/ manpages. For two,
because it could change. Rich may decide to add support for more options
if someone makes a convincing-enough case.

What you have to understand is that musl only contains a stub resolver.
Its job is to send a request to a bunch of recursive resolvers and
collate their answers. And those resolvers are trusted implicitly. That
is why the only servers you should have in your resolv.conf are servers
you trust, and you trust the path to them as well. If you have a laptop
and travel a lot and want to use dodgy airport Wifi, you may want to run
your own DNS resolver and use 127.0.0.1 in resolv.conf. See, if you put
8.8.8.8 in there, then Google is happy about that, but so is the Russian
hacker between you and Google.

> 2. Which options in the resolv.conf(5) man page are supported by musl?
> I know "search" and "nameserver" are supported but what about
> "options" like "ndots", "edns0", "use-vc", "trust-ad"?
>

The code is the documentation. At the moment I see an implementation for
the options ndots, attempts, and timeout, as well as nameserver and
domain or search (where the last two are equivalent). Note that musl
only supports up to three nameservers, because they are only for
increased reliability of the system. All nameservers are supposed to
implement the same view of the namespace. If you want something else,
like a union of different namespaces, you must use or implement a DNS
proxy like dnsmasq.

> 3. It seems that version 1.2.1 added support for DNSSEC queries but
> how do I confirm if DNSSEC queries are sent and received with musl? Do
> I need to use the "option edns0 trust-ad" directive in resolv.conf for
> it to work? The usual suspects like drill and kdig seem to use their own
> resolver.
>

I do not see musl itself use any kind of DNSSEC query. Not sure where
you got this. I do remember that some time ago, Rich converted his
bespoke internal DNS API into the de-facto standard libresolv interface.
And you can use that to make DNSSEC queries if you so choose. But musl
itself doesn't do any DNSSEC.

> 4. The musl version 1.2.4 added TCP fallback to DNS. Is this fallback
> intended to work automatically when the size of a DNS query is large
> or does it need any configuration?
>

That is indeed automatic, and triggered by the TC bit in the response.

Ciao,
Markus
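
Added example (not part of the message above and not musl's own code): a small C checker that classifies resolv.conf lines against what the reply lists as implemented, namely `nameserver` (first three only), `domain`/`search`, and the options `ndots`, `attempts` and `timeout`, and counts nameservers that are not on loopback. The struct, function names and sample input are constructed for illustration; addresses are not validated.

```c
#include <ctype.h>
#include <string.h>

/* Counts from checking resolv.conf text against the directives the reply
 * lists as implemented (a constructed audit helper, not musl's parser). */
struct audit { int ns_used, ns_ignored, ns_remote, opts_ignored, lines_ignored; };
static int starts(const char *p, size_t n, const char *pre) {
    size_t k = strlen(pre);
    return n >= k && memcmp(p, pre, k) == 0;
}
static int is_word(const char *p, size_t n, const char *w) {
    return n == strlen(w) && starts(p, n, w);
}

struct audit audit_resolv_conf(const char *text) {
    struct audit a = {0};
    while (*text) {
        const char *p = text, *end = text + strcspn(text, "\n");
        int field = 0, kind = 0;               /* kind: 1 nameserver, 2 options */
        text = end + (*end == '\n');
        for (;; field++) {
            size_t n = 0;
            while (p < end && isspace((unsigned char)*p)) p++;
            while (p + n < end && !isspace((unsigned char)p[n])) n++;
            if (!n || *p == '#' || *p == ';') break;    /* end of line or comment */
            if (field == 0) {
                if (is_word(p, n, "nameserver")) kind = 1;
                else if (is_word(p, n, "options")) kind = 2;
                else if (is_word(p, n, "search") || is_word(p, n, "domain")) break;
                else { a.lines_ignored++; break; }      /* directive not in the list */
            } else if (kind == 1) {
                if (a.ns_used == 3) { a.ns_ignored++; break; }  /* only three are used */
                a.ns_used++;                            /* off-host: trusted implicitly */
                if (!starts(p, n, "127.") && !is_word(p, n, "::1")) a.ns_remote++;
                break;
            } else if (!starts(p, n, "ndots:") && !starts(p, n, "attempts:") &&
                       !starts(p, n, "timeout:")) {
                a.opts_ignored++;                       /* option not in the reply's list */
            }
            p += n;
        }
    }
    return a;
}

/* Constructed sample: four nameservers, two unlisted options, one stray directive. */
static const char SAMPLE[] =
    "nameserver 127.0.0.1\nnameserver 8.8.8.8\nnameserver 192.0.2.53\n"
    "nameserver 192.0.2.54\nsearch example.test\n"
    "options ndots:2 edns0 trust-ad timeout:3\nsortlist 192.0.2.0/24\n";
```

A non-zero `ns_remote` marks servers whose answers, and the network path to them, the stub resolver accepts without verification.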