Hauke Lampe
2009-Jun-29 04:55 UTC
openbsd-compat/getrrsetbyname.c: answer buffer size too large for EDNS0 and glibc
Hello. I have an issue with SSHFP lookups using "VerifyHostKeyDNS=yes" and "options edns0" in /etc/resolv.conf (glib >= 2.6). getrrsetbyname() calls res_query() with a maximum buffer size of 65536. The glibc resolver truncates this value to 16 bits, reducing the query's advertised buffer size to 0. BIND appears to ignore it while Unbound returns a server failure. glibc's source suggests that it should retry the query without EDNS0 but it does not. Maybe a timeout triggers earlier. OpenSSH then logs "DNS lookup error: general failure" and continues. I propose reducing ANSWER_BUFFER_SIZE to 65535. Of course, the stub-resolver should probably catch this kind of problem, too. openbsd-compat/getrrsetbyname.c: [...] #define ANSWER_BUFFER_SIZE 1024*64 [...] getrrsetbyname() [...] u_char answer[ANSWER_BUFFER_SIZE]; [...] length = res_query(hostname, (signed int) rdclass, (signed int) rdtype, answer, sizeof(answer)); [...] In the glibc stub-resolver, "sizeof(answer)" is eventually passed on as "anslen" to __res_nopt() in resolv/res_mkquery.c: [...] NS_PUT16(anslen & 0xffff, cp); /* CLASS = UDP payload size */ and sent out to the recursor: | IP 127.0.0.1.44138 > 127.0.0.1.53: 31454+ [1au] SSHFP? orbit.attraktor.org. ar: . OPT UDPsize=0 (48) | IP 127.0.0.1.53 > 127.0.0.1.44138: 31454 ServFail-| [0q] 0/0/0 (12) Hauke. -------------- next part -------------- A non-text attachment was scrubbed... Name: getrrsetbyname-anslen.patch Type: text/x-patch Size: 346 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20090629/ec982e49/attachment-0002.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: OpenPGP digital signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20090629/ec982e49/attachment-0003.bin>
Darren Tucker
2009-Jun-30 00:57 UTC
openbsd-compat/getrrsetbyname.c: answer buffer size too large for EDNS0 and glibc
Hauke Lampe wrote:> Hello. > > I have an issue with SSHFP lookups using "VerifyHostKeyDNS=yes" and > "options edns0" in /etc/resolv.conf (glib >= 2.6). > > > getrrsetbyname() calls res_query() with a maximum buffer size of 65536. > The glibc resolver truncates this value to 16 bits, reducing the query's > advertised buffer size to 0. > > BIND appears to ignore it while Unbound returns a server failure. > > glibc's source suggests that it should retry the query without EDNS0 but > it does not. Maybe a timeout triggers earlier. > > OpenSSH then logs "DNS lookup error: general failure" and continues. > > I propose reducing ANSWER_BUFFER_SIZE to 65535. Of course, the > stub-resolver should probably catch this kind of problem, too.Sounds reasonable to me. Any objections? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Jakob Schlyter
2009-Jul-01 12:22 UTC
openbsd-compat/getrrsetbyname.c: answer buffer size too large for EDNS0 and glibc
On 29 jun 2009, at 00.55, Hauke Lampe wrote:> I propose reducing ANSWER_BUFFER_SIZE to 65535. Of course, the > stub-resolver should probably catch this kind of problem, too.makes sense to me. jakob
Possibly Parallel Threads
- [Bug 1111] memory leak in openbsd-compat/getrrsetbyname.c, function: getrrsetbyname
- [Bug 1299] Remove redefinition of _res in getrrsetbyname.c
- Redefinition of _res in getrrsetbyname.c
- [Bug 1050] getrrsetbyname compat broken
- feature request: modify getrrsetbyname() to use libunbound