mailing list of musl libc
* [musl] questions about musl DNS resolver
From: Ayush Agarwal @ 2023-11-04  6:42 UTC
  To: musl

Hi,

I was reading about how DNS works in Linux distributions and I noticed
some differences in the way libc resolvers work in glibc and in musl.
I hope it's okay if I ask a few (potentially stupid) questions?

1. Why not offer a different man page on musl distributions for pages
like resolv.conf(5) and resolver(3) considering how their
implementation details and behavior are different from glibc? Is not
offering them intentional or does it require someone to step up and
write the documentation?

2. Which options in the resolv.conf(5) man page are supported by musl?
I know "search" and "nameserver" are supported but what about
"options" like "ndots", "edns0", "use-vc", "trust-ad"?

3. It seems that version 1.2.1 added support for DNSSEC queries but
how do I confirm if DNSSEC queries are sent and received with musl? Do
I need to use the "option edns0 trust-ad" directive in resolv.conf for
it to work? The usual suspects like drill and kdig seem to use their own
resolver.

4. The musl version 1.2.4 added TCP fallback to DNS. Is this fallback
intended to work automatically when the size of a DNS query is large
or does it need any configuration?

Thanks,
Ayush


* Re: [musl] questions about musl DNS resolver
From: Markus Wichmann @ 2023-11-04 10:49 UTC
  To: musl

On Sat, Nov 04, 2023 at 12:12:58PM +0530, Ayush Agarwal wrote:
> Hi,
>
> I was reading about how DNS works in Linux distributions and I noticed
> some differences in the way libc resolvers work in glibc and in musl.
> I hope it's okay if I ask a few (potentially stupid) questions?
>
> 1. Why not offer a different man page on musl distributions for pages
> like resolv.conf(5) and resolver(3) considering how their
> implementation details and behavior are different from glibc? Is not
> offering them intentional or does it require someone to step up and
> write the documentation?
>

Well, for one, because musl doesn't offer /any/ manpages. For two,
because it could change. Rich may decide to add support for more options
if someone makes a convincing-enough case.

What you have to understand is that musl only contains a stub resolver.
Its job is to send a request to a bunch of recursive resolvers and
collate their answers. And those resolvers are trusted implicitly. That
is why the only servers you should have in your resolv.conf are servers
you trust, and you trust the path to them as well. If you have a laptop
and travel a lot and want to use dodgy airport Wifi, you may want to run
your own DNS resolver and use 127.0.0.1 in resolv.conf.

See, if you put 8.8.8.8 in there, then Google is happy about that, but
so is the Russian hacker between you and Google.

> 2. Which options in the resolv.conf(5) man page are supported by musl?
> I know "search" and "nameserver" are supported but what about
> "options" like "ndots", "edns0", "use-vc", "trust-ad"?
>

The code is the documentation. At the moment I see an implementation for
the options ndots, attempts, and timeout, as well as nameserver and
domain or search (where the last two are equivalent). Note that musl
only supports up to three nameservers, because they are only for
increased reliability of the system. All nameservers are supposed to
implement the same view of the namespace. If you want something else,
like a union of different namespaces, you must use or implement a DNS
proxy like dnsmasq.

> 3. It seems that version 1.2.1 added support for DNSSEC queries but
> how do I confirm if DNSSEC queries are sent and received with musl? Do
> I need to use the "option edns0 trust-ad" directive in resolv.conf for
> it to work? The usual suspects like drill and kdig seem to use their own
> resolver.
>
I do not see musl itself use any kind of DNSSEC query. Not sure where
you got this. I do remember that some time ago, Rich converted his
bespoke internal DNS API into the de-facto standard libresolv interface.
And you can use that to make DNSSEC queries if you so choose. But musl
itself doesn't do any DNSSEC.

> 4. The musl version 1.2.4 added TCP fallback to DNS. Is this fallback
> intended to work automatically when the size of a DNS query is large
> or does it need any configuration?
>

That is indeed automatic, and triggered by the TC bit in the response.

Ciao,
Markus

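Markus's answer above gives a concrete rule set for a musl resolv.conf: nameserver (only the first three are used), domain/search (equivalent), and the options ndots, attempts and timeout, plus the advice that every listed server, and the path to it, is implicitly trusted. Rich's reply later in the thread lists the same supported set. The following is an added example, not musl code and not anything posted in this thread: a small lint pass that applies exactly those rules to resolv.conf text. The two sample configurations are constructed for the demonstration, and the function names and messages are mine.

```c
/* Added example, not musl code: lint a resolv.conf against what this thread
 * says musl implements. Supported keywords: nameserver (only the first three
 * are used), domain/search (equivalent), options ndots/attempts/timeout.
 * Anything else is flagged, and off-host nameservers get a trust reminder.
 * The two sample files below are constructed for the demonstration. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

struct lint_result {
    int nameservers;         /* nameserver lines seen */
    int ignored_nameservers; /* fourth and later: musl does not use them */
    int remote_nameservers;  /* used servers that are not loopback */
    int unsupported;         /* keywords or options musl does not implement */
};

const char weak_resolv_conf[] =
    "# constructed sample: glibc-style config dropped onto a musl system\n"
    "nameserver 8.8.8.8\n"
    "nameserver 1.1.1.1\n"
    "nameserver 9.9.9.9\n"
    "nameserver 149.112.112.112\n"
    "search corp.example\n"
    "options ndots:2 timeout:3 attempts:2 edns0 use-vc trust-ad\n";

const char hardened_resolv_conf[] =
    "# constructed sample: local validating resolver, musl-supported options\n"
    "nameserver 127.0.0.1\n"
    "search corp.example\n"
    "options ndots:2 timeout:3 attempts:2\n";

static int is_loopback(const char *addr)
{
    return strncmp(addr, "127.", 4) == 0 || strcmp(addr, "::1") == 0;
}

/* "ndots:2" -> supported; "edns0", "use-vc", "trust-ad" -> not implemented */
static int option_supported(const char *opt)
{
    static const char *const known[] = { "ndots", "attempts", "timeout" };
    size_t namelen = strcspn(opt, ":");
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strlen(known[i]) == namelen && strncmp(opt, known[i], namelen) == 0)
            return 1;
    return 0;
}

/* Lint resolv.conf text. Findings are written to `out` when it is non-NULL.
 * Returns the number of findings, or -1 if the input is too large. */
int lint_resolv_conf(const char *text, struct lint_result *r, FILE *out)
{
    static const char ws[] = " \t\r";
    char buf[4096], *lsave, *wsave;
    int findings = 0;

    memset(r, 0, sizeof *r);
    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);

    for (char *line = strtok_r(buf, "\n", &lsave); line;
         line = strtok_r(NULL, "\n", &lsave)) {
        char *key = strtok_r(line, ws, &wsave);
        if (!key || key[0] == '#' || key[0] == ';') continue;   /* blank/comment */

        if (strcmp(key, "nameserver") == 0) {
            char *addr = strtok_r(NULL, ws, &wsave);
            if (!addr) continue;
            if (++r->nameservers > 3) {
                r->ignored_nameservers++; findings++;
                if (out) fprintf(out, "nameserver %s: ignored, musl uses only the first three\n", addr);
            } else if (!is_loopback(addr)) {
                r->remote_nameservers++; findings++;
                if (out) fprintf(out, "nameserver %s: off-host, the stub trusts it and the path to it\n", addr);
            }
        } else if (strcmp(key, "domain") == 0 || strcmp(key, "search") == 0) {
            /* supported; musl treats the two as equivalent */
        } else if (strcmp(key, "options") == 0) {
            for (char *opt = strtok_r(NULL, ws, &wsave); opt;
                 opt = strtok_r(NULL, ws, &wsave)) {
                if (option_supported(opt)) continue;
                r->unsupported++; findings++;
                if (out) fprintf(out, "option %s: %s\n", opt,
                    strcmp(opt, "trust-ad") == 0
                        ? "no-op on musl, the AD bit is always trusted"
                        : "not implemented by musl (only ndots, attempts, timeout)");
            }
        } else {
            r->unsupported++; findings++;
            if (out) fprintf(out, "%s: keyword not implemented by musl\n", key);
        }
    }
    return findings;
}

int main(void)
{
    struct lint_result r;
    printf("weak: %d finding(s)\n", lint_resolv_conf(weak_resolv_conf, &r, stdout));
    printf("hardened: %d finding(s)\n", lint_resolv_conf(hardened_resolv_conf, &r, stdout));
    return 0;
}
```

Run against the first sample it reports seven findings: three off-host servers that the stub will trust unconditionally, a fourth nameserver that musl never consults, and three options that glibc understands but musl does not implement. The second sample, pointing at a validating resolver on localhost with only the three implemented options, is clean. Whatever a server does with unrecognised options, it never makes musl send EDNS0 or use TCP by default; those are decided by the library, not by resolv.conf.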

* Re: [musl] questions about musl DNS resolver
From: Rich Felker @ 2023-11-04 15:41 UTC
  To: Ayush Agarwal; +Cc: musl

On Sat, Nov 04, 2023 at 12:12:58PM +0530, Ayush Agarwal wrote:
> Hi,
> 
> I was reading about how DNS works in Linux distributions and I noticed
> some differences in the way libc resolvers work in glibc and in musl.
> I hope it's okay if I ask a few (potentially stupid) questions?
> 
> 1. Why not offer a different man page on musl distributions for pages
> like resolv.conf(5) and resolver(3) considering how their
> implementation details and behavior are different from glibc? Is not
> offering them intentional or does it require someone to step up and
> write the documentation?

Ideally the linux-man provided ones would document which things are
glibcisms vs widely available elsewhere, but short of that, maybe it
would be nice for someone to maintain musl-specific versions for
distros to use.

> 2. Which options in the resolv.conf(5) man page are supported by musl?
> I know "search" and "nameserver" are supported but what about
> "options" like "ndots", "edns0", "use-vc", "trust-ad"?

search/domain, nameserver, and options: ndots, attempts, and timeout.

trust-ad would be a no-op; it's always on. glibc's having it optional
and off by default badly breaks anything trying to use dnssec/dane
right.

edns0 is not supported, intentionally because it would require munging
and unmunging queries behind the caller's back (or treating
libc-internal queries differently). use-vc is not supported because it
doesn't really play well with our parallel query model or stateless
design.

> 3. It seems that version 1.2.1 added support for DNSSEC queries but
> how do I confirm if DNSSEC queries are sent and received with musl? Do
> I need to use the "option edns0 trust-ad" directive in resolv.conf for
> it to work? The usual suspects like drill and kdig seem to use their own
> resolver.

I'm not sure what you mean by "DNSSEC queries". The normal application
usage for DNSSEC that's supported by musl is for the stub resolver to
make a normal query, with the AD bit set, to a trusted (ideally should
run on localhost so trust is not crossing network boundaries)
nameserver that will validate DNSSEC, ServFail on anything
invalid/spoofed, and report via the AD bit of the answer packet
whether the result is DNSSEC-protected.

As of musl 1.2.1, the AD bit of the query is always set when you use
the res_* API. All you have to do is interpret it in the answer.

If you want to actually do DNSSEC validation yourself, or just see the
RRSIG, etc. records, you need to construct a suitable query in EDNS0
form with the DO bit set. It can be sent (and the answer received) via
the res_send function. Strictly speaking this does not depend on the
musl version, but you'll need 1.2.4+ to get answers larger than 512
bytes (which these answers usually are).

The resolv.conf edns0 option has nothing to do with this. It's about
whether the stub resolver's construction of queries will make them in
EDNS0 form, not whether res_send will accept EDNS0-form packets from
the caller.

> 4. The musl version 1.2.4 added TCP fallback to DNS. Is this fallback
> intended to work automatically when the size of a DNS query is large
> or does it need any configuration?

Yes, it works automatically. Originally I intended to add capability
to skip fallback if there's a non-empty answer list in the truncated
packet, which might be an option at some point in the future, but
right now it always happens, and by default it will continue to
automatically happen.

So, TL;DR: no configuration is needed for any of the stuff you want.
It just all works, or at least is intended to. If you run into
problems, please reach out here for help.

Rich

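Rich's reply describes two things a DNSSEC-aware caller gets from the musl stub: the res_* API sends ordinary queries with the AD bit set and passes the answer's AD bit back for the caller to interpret, and a caller who wants the signatures themselves can build an EDNS0-form query with the DO bit and push it through res_send. The following added example (not musl code, and not anything posted in this thread) builds such a query by hand following the wire layout of RFC 1035 (header, question) and RFC 6891 (OPT pseudo-RR), and decodes the AD, TC and RCODE fields of an answer the way a caller should. The function and type names are mine, the answer header is constructed, and the query is only built, never sent, so the block runs offline; on musl 1.2.4+ the buffer is what you would hand to res_send(3), which performs the TCP retry on a TC=1 answer itself.

```c
/* Added example (not musl code): build a DNSSEC-requesting query in EDNS0
 * form with the DO bit set, as described in this thread, and read the AD,
 * TC and RCODE fields out of an answer header. Layout: RFC 1035 header and
 * question, RFC 6891 OPT pseudo-RR. The query buffer is what a caller would
 * hand to res_send(3). The sample answer header is constructed, not captured. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DNS_TYPE_OPT = 41, DNS_CLASS_IN = 1, EDNS_UDP_SIZE = 4096 };

struct dns_flags {
    int qr, tc, rd, ra, ad, cd;
    unsigned rcode;
    unsigned qdcount, ancount, nscount, arcount;
};

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Encode "www.example.com" (trailing dot allowed) as DNS labels.
 * Returns bytes written, or 0 on an empty/oversized label or short buffer. */
static size_t encode_name(uint8_t *out, size_t cap, const char *name)
{
    size_t n = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (len == 0 || len > 63 || n + 1 + len + 1 > cap) return 0;
        out[n++] = (uint8_t)len;
        memcpy(out + n, name, len);
        n += len;
        if (!dot) break;
        name = dot + 1;
    }
    if (n + 1 > cap) return 0;
    out[n++] = 0;                      /* root label terminates the name */
    return n;
}

/* Build a query with RD=1, AD=1 and one OPT RR carrying the DO bit.
 * Returns the message length, or 0 if the buffer is too small or name is bad. */
size_t build_dnssec_query(uint8_t *buf, size_t cap, const char *name,
                          uint16_t qtype, uint16_t id)
{
    if (cap < 12) return 0;
    memset(buf, 0, 12);
    put16(buf, id);
    buf[2] = 0x01;                     /* QR=0, opcode QUERY, RD=1 */
    buf[3] = 0x20;                     /* AD=1: report validation status */
    put16(buf + 4, 1);                 /* QDCOUNT */
    put16(buf + 10, 1);                /* ARCOUNT: the OPT pseudo-RR */
    size_t n = 12;
    size_t nl = encode_name(buf + n, cap - n, name);
    if (!nl || n + nl + 4 + 11 > cap) return 0;
    n += nl;
    put16(buf + n, qtype);        n += 2;
    put16(buf + n, DNS_CLASS_IN); n += 2;
    /* OPT RR: root name, TYPE 41, CLASS = UDP payload size,
     * TTL = ext-RCODE(8) | version(8) | DO(1) | Z(15), RDLENGTH 0 */
    buf[n++] = 0;
    put16(buf + n, DNS_TYPE_OPT);  n += 2;
    put16(buf + n, EDNS_UDP_SIZE); n += 2;
    buf[n++] = 0; buf[n++] = 0;        /* extended RCODE 0, EDNS version 0 */
    put16(buf + n, 0x8000);        n += 2;   /* DO bit set */
    put16(buf + n, 0);             n += 2;   /* RDLENGTH */
    return n;
}

/* Decode an answer header. Returns 0 on success, -1 if the message is too
 * short or is not a response (QR=0). */
int parse_dns_header(const uint8_t *msg, size_t len, struct dns_flags *f)
{
    if (len < 12) return -1;
    f->qr = (msg[2] >> 7) & 1; f->tc = (msg[2] >> 1) & 1; f->rd = msg[2] & 1;
    f->ra = (msg[3] >> 7) & 1; f->ad = (msg[3] >> 5) & 1; f->cd = (msg[3] >> 4) & 1;
    f->rcode = msg[3] & 0x0f;
    f->qdcount = get16(msg + 4); f->ancount = get16(msg + 6);
    f->nscount = get16(msg + 8); f->arcount = get16(msg + 10);
    return f->qr ? 0 : -1;
}

/* What a DNSSEC-aware caller checks: NOERROR with AD=1 from the trusted
 * validating resolver. SERVFAIL (rcode 2) is how a validator reports bogus
 * data; TC=1 means the answer was cut and must be re-fetched over TCP. */
int answer_is_validated(const uint8_t *msg, size_t len)
{
    struct dns_flags f;
    if (parse_dns_header(msg, len, &f) < 0) return 0;
    return f.rcode == 0 && f.ad && !f.tc;
}

int main(void)
{
    uint8_t q[512];
    size_t n = build_dnssec_query(q, sizeof q, "example.com", 1 /* A */, 0x1234);
    printf("query: %zu bytes, AD=%d, DO=%s\n", n, (q[3] >> 5) & 1,
           (q[n - 4] & 0x80) ? "set" : "clear");
    /* Constructed answer header: QR=1 RD=1 RA=1 AD=1, NOERROR, one answer RR */
    uint8_t ans[12] = {0x12,0x34, 0x81,0xa0, 0,1, 0,1, 0,0, 0,1};
    printf("validated: %d\n", answer_is_validated(ans, sizeof ans));
    return 0;
}
```

Two points from the thread are visible in the bytes. The AD bit lives in the plain header (byte 3, 0x20), which is why musl can set it on every query without EDNS0; the DO bit lives in the OPT record's TTL field, which is why asking for signatures needs the EDNS0 form the resolv.conf edns0 option would otherwise control. A real RRSIG-bearing answer will usually exceed 512 bytes, so the TC=1 case the checker rejects is exactly the one the 1.2.4 TCP fallback now handles inside res_send.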

* Re: [musl] questions about musl DNS resolver
From: Ayush Agarwal @ 2023-11-06  5:23 UTC
  To: Markus Wichmann; +Cc: musl

On Sat, Nov 4, 2023, at 4:19 PM, Markus Wichmann wrote:
> Well, for one, because musl doesn't offer /any/ manpages. For two,
> because it could change. Rich may decide to add support for more
> options if someone makes a convincing-enough case.

I don't think not offering man pages can be justified by changes in
software. Any reasonably popular program used on Linux distributions,
such as GNU coreutils, also changes over time but it still comes with
man pages and info pages, even if some of the commands are quite
simple, such as base64.

> I do not see musl itself use any kind of DNSSEC query. Not sure
> where you got this.

Looks like I phrased that question ambiguously. Sorry about that. Rich
has mentioned the answer I was looking for in his response.

Thanks,
Ayush


* Re: [musl] questions about musl DNS resolver
From: Ayush Agarwal @ 2023-11-06  5:29 UTC
  To: Rich Felker; +Cc: musl

On Sat, Nov 4, 2023, at 9:11 PM, Rich Felker wrote:
> Ideally the linux-man provided ones would document which things are
> glibcisms vs widely available elsewhere, but short of that, maybe it
> would be nice for someone to maintain musl-specific versions for
> distros to use.

Yeah, I thought it was weird that the resolver(3) and resolv.conf(5)
man pages offered by Linux are written with only glibc in mind. But
unless the linux-man upstream is willing to document different
behaviours by multiple libc programs, ideally, it would indeed be
helpful if musl specific behavior is documented in man pages or any
other form of documentation.

> So, TL;DR: no configuration is needed for any of the stuff you want.
> It just all works, or at least is intended to. If you run into
> problems, please reach out here for help.

Sure! Thank you for your response. It was quite helpful.

Regards,
Ayush



Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/musl/
