openbsd-compat/getrrsetbyname.c: answer buffer size too large for EDNS0 and glibc
Darren Tucker
dtucker at zip.com.au
Tue Jun 30 10:57:05 EST 2009
Hauke Lampe wrote:
> Hello.
>
> I have an issue with SSHFP lookups using "VerifyHostKeyDNS=yes" and
> "options edns0" in /etc/resolv.conf (glibc >= 2.6).
>
> getrrsetbyname() calls res_query() with a maximum buffer size of 65536.
> The glibc resolver truncates this value to 16 bits, reducing the query's
> advertised buffer size to 0.
>
> BIND appears to ignore it while Unbound returns a server failure.
>
> glibc's source suggests that it should retry the query without EDNS0 but
> it does not. Maybe a timeout triggers earlier.
>
> OpenSSH then logs "DNS lookup error: general failure" and continues.
>
> I propose reducing ANSWER_BUFFER_SIZE to 65535. Of course, the
> stub-resolver should probably catch this kind of problem, too.
Sounds reasonable to me. Any objections?
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
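To make the truncation in the report concrete, here is a small added example (not code from OpenSSH or glibc) that encodes the EDNS0 OPT pseudo-RR the way a stub resolver builds it from the caller's answer buffer size and decodes the advertised UDP payload size back out. The function names build_opt_rr and advertised_payload_size are hypothetical; the wire layout follows RFC 6891.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* EDNS0 OPT pseudo-RR (RFC 6891 section 6.1.2): empty owner name, TYPE=41,
 * the 16-bit CLASS field carries the requester's UDP payload size, the TTL
 * field carries extended RCODE / version / flags, RDLENGTH=0. */
#define OPT_RR_LEN 11
#define OPT_TYPE   41

/* Encode the OPT RR a resolver would append for an answer buffer of
 * `anslen` bytes. The CLASS field is only 16 bits wide, so the cast
 * silently wraps: an anslen of 65536 is advertised as 0 (the bug
 * described above), while 65535 survives intact. */
size_t build_opt_rr(int anslen, unsigned char *out)
{
    uint16_t payload = (uint16_t)anslen;     /* the lossy truncation */

    out[0] = 0;                              /* root (empty) owner name */
    out[1] = OPT_TYPE >> 8;  out[2] = OPT_TYPE & 0xff;
    out[3] = payload >> 8;   out[4] = payload & 0xff;  /* UDP payload size */
    memset(out + 5, 0, 4);                   /* ext-rcode 0, version 0, flags 0 */
    out[9] = 0;  out[10] = 0;                /* RDLENGTH = 0 */
    return OPT_RR_LEN;
}

/* Decode the advertised UDP payload size from an OPT RR.
 * Returns -1 if the bytes are not a well-formed OPT RR. */
int advertised_payload_size(const unsigned char *rr, size_t len)
{
    if (len < OPT_RR_LEN || rr[0] != 0)
        return -1;
    if (((rr[1] << 8) | rr[2]) != OPT_TYPE)
        return -1;
    return (rr[3] << 8) | rr[4];
}

/* Convenience wrapper: what does a resolver advertise for this anslen? */
int advertised_size_for(int anslen)
{
    unsigned char rr[OPT_RR_LEN];
    size_t n = build_opt_rr(anslen, rr);
    return advertised_payload_size(rr, n);
}
```

A server that honours an advertised size of 0 cannot fit even the DNS header into the reply, which is why a strict resolver such as Unbound answers SERVFAIL.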