
net: silently ignore trust-ad option in /etc/resolv.conf and not to fallback to the cgo resolver #51152

Open
mateusz834 opened this issue Feb 11, 2022 · 6 comments
Labels
NeedsInvestigation
Milestone

Comments

@mateusz834

@mateusz834 mateusz834 commented Feb 11, 2022

The /etc/resolv.conf file often includes: options edns0 trust-ad. Golang does not recognize either of those options, so it falls back to the cgo resolver.
I think that trust-ad should be silently ignored. Golang does not use the ad flag anywhere, so it should be safe to silently ignore that option and not cause fallback to the cgo resolver.
Look here for details about edns0 option: #51127

@cherrymui cherrymui changed the title net: silently ignore trust-ad option in /etc/resolv.conf not to cause fallback to the cgo resolver. net: silently ignore trust-ad option in /etc/resolv.conf and not to fallback to the cgo resolver Feb 11, 2022
@cherrymui cherrymui added the NeedsInvestigation label Feb 11, 2022
@cherrymui cherrymui added this to the Backlog milestone Feb 11, 2022
@cherrymui
Contributor

@cherrymui cherrymui commented Feb 11, 2022

@DasSkelett

@DasSkelett DasSkelett commented Feb 13, 2022

This would make sense, Go doesn't have the ability to do DNSSEC validation, so there isn't any alternative to trusting the AD bit.

There is one difference in behavior for glibc with this option though: If it's set, glibc sets the AD bit in queries, otherwise it doesn't. Some DNS recursors might be configured to only do DNSSEC validation if the AD (or DO) bit is set, and otherwise return everything even if it's bogus. (see PowerDNS docs: dnssec=process)
So in theory this could lead to Go receiving bogus data while it would've been filtered for the CGO resolver.
In practice however I think this recursor behavior is getting rare, most of them are configured to always validate DNSSEC (regardless of AD/DO bit) nowadays.

@mateusz834
Author

@mateusz834 mateusz834 commented Feb 13, 2022

Didn't know about that behavior, but it might make sense to follow the glibc implementation, and add the AD flag to queries when trust-ad is present.
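The behavior discussed in the two comments above (recognize trust-ad instead of treating it as an unknown option that forces the cgo fallback, and, like glibc, set AD in outgoing queries only when trust-ad is configured), as an added Go example that is not code from Go's net package or from any change linked in this issue; parseResolvConf, queryHeader and responseTrusted are names invented here, and the parser tracks only the edns0 and trust-ad options, treating everything else as unknown.

```go
package main

import (
	"encoding/binary"
	"strings"
)

type resolvOptions struct {
	EDNS0   bool
	TrustAD bool
	Unknown []string // options that would still force a fallback to the cgo resolver
}

// parseResolvConf reads "options ..." lines; trust-ad is recognized, so it never lands in Unknown.
func parseResolvConf(conf string) resolvOptions {
	var o resolvOptions
	for _, line := range strings.Split(conf, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != "options" {
			continue
		}
		for _, opt := range fields[1:] {
			switch opt {
			case "edns0":
				o.EDNS0 = true
			case "trust-ad":
				o.TrustAD = true
			default:
				o.Unknown = append(o.Unknown, opt)
			}
		}
	}
	return o
}
const adBit = uint16(1 << 5) // AD occupies bit 5 of the DNS header flags word
// queryHeader builds a 12-byte query header with RD set; AD is added only when trust-ad is configured (glibc behavior).
func queryHeader(id uint16, trustAD bool) []byte {
	h := make([]byte, 12)
	binary.BigEndian.PutUint16(h[0:2], id)
	flags := uint16(1 << 8) // RD
	if trustAD {
		flags |= adBit
	}
	binary.BigEndian.PutUint16(h[2:4], flags)
	binary.BigEndian.PutUint16(h[4:6], 1) // QDCOUNT
	return h
}
// responseTrusted is true only when the server set AD and trust-ad is configured.
func responseTrusted(hdr []byte, trustAD bool) bool {
	return trustAD && len(hdr) >= 12 && binary.BigEndian.Uint16(hdr[2:4])&adBit != 0
}
```

Without trust-ad the AD bit in a response is simply ignored, which is the safe default for a resolver that cannot validate DNSSEC itself.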

@mateusz834
Author

@mateusz834 mateusz834 commented Feb 14, 2022

Thanks for including that link to the PowerDNS docs. It is even the default behavior of PowerDNS since 4.5.0.
It can still affect programs when trust-ad is set and the go resolver is forced (via GODEBUG env), compiled statically without CGO or using the netgo flag.
I don't know if forcing the go resolver is common, but someone might be doing it.

@gopherbot

@gopherbot gopherbot commented May 25, 2022

Change https://go.dev/cl/408654 mentions this issue: dns/dnsmessage: add AD flag support

@mateusz834
Author

@mateusz834 mateusz834 commented May 25, 2022

These are the changes that I will create a PR for: trust-ad
But I don't know if I can create it before the merge of golang/net#136 and update of the vendor directory (in this repo).
