Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#39555 - [pdnsd] resolver problem in dual stack setup
Attached to Project:
Community Packages
Opened by Christian Hesse (eworm) - Thursday, 20 March 2014, 09:15 GMT
Last edited by Sergej Pupykin (sergej) - Friday, 30 May 2014, 13:05 GMT
Description:
This problem happens on systems with a dual stack setup, so getaddrinfo() tries to resolve both A (for IPv4) and AAAA (for IPv6) records. If either of the two requests fails, getaddrinfo() sends the A and AAAA queries in one TCP connection. pdnsd by default answers just one query and the complete answer is then ignored by the system's resolver, resulting in a resolver error. This happens really seldom, but you may have seen it when resolving keys.gnupg.net or any Google address with lots of records. The solution is to compile pdnsd with --enable-tcp-subseq, which allows it to answer more than one query in a TCP connection, but also makes DoSing easier. Alternatively you may want to apply my patch (which I have already sent for inclusion), which allows up to two queries/answers in a TCP connection without this option: https://gitorious.org/pdnsd/pdnsd/commit/919fe8ce759a8caa9f5b785a1f94ab9cb2bf363a

Additional info:
pdnsd 1.2.9.a-4
Closed by Sergej Pupykin (sergej)
Friday, 30 May 2014, 13:05 GMT
Reason for closing: Upstream
Additional comments about closing: reported, will wait for new pdnsd version
This is from the last mail I received from Paul:
> Thanks for pursuing this problem. I agree that your patch seems like a
> good compromise between compatibility and security. I think I will make
> the configure option --enable-tcp-subseq obsolete and replace it with
> something like --with-tcp-max-query which will have a default value of
> 3. The code in src/dns_answer.c will become something like this:
>
> #if !TCP_MAX_QUERY
> for(;;)
> #else
> int i;
> for (i = 0; i <TCP_MAX_QUERY; ++i)
> #endif
Perhaps I should prepare a patch myself...
https://gitorious.org/pdnsd/pdnsd/commit/8511b2a97c04ee235b0799db47fa420bd4a23b87
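The failure described in the report (a dual-stack client pipelining A and AAAA queries on one TCP connection while the server answers only one) and the cap Paul proposes above (a small per-connection query limit instead of an unbounded loop) can both be modelled with a small localhost client/server pair. The following is an added example written for this page; it is not pdnsd code and not the patch linked above. The responder builds empty NOERROR answers only, the query IDs 1 and 2, the name example.invalid and the helper names are all constructed here, and `max_queries` stands in for the proposed TCP_MAX_QUERY value.

```python
"""Model of the pdnsd TCP-query limit discussed in FS#39555 (added example, not pdnsd code).

A glibc-style dual-stack client pipelines an A and an AAAA query on one TCP
connection; the responder answers at most `max_queries` messages on that
connection before closing, mirroring pdnsd's one-query default and the
proposed --with-tcp-max-query cap (default 3) from Paul's mail.
"""
import socket
import struct
import threading

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(qid, name, qtype):
    """Build a minimal DNS query (RD set, IN class) for `name` with the given qtype."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query):
    """Answer with an empty NOERROR response: copy the ID, set QR/RD/RA, echo the rest of the query."""
    (qid,) = struct.unpack("!H", query[:2])
    return struct.pack("!HH", qid, 0x8180) + query[4:]


def frame(msg):
    """RFC 1035 TCP framing: two-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    """Read exactly n bytes, or None on EOF/reset/timeout (the peer gave up on the connection)."""
    buf = b""
    try:
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                return None
            buf += chunk
    except (ConnectionResetError, socket.timeout):
        return None
    return buf


def serve_connection(conn, max_queries):
    """Answer up to max_queries framed queries on one connection, then close it.

    max_queries=1 behaves like pdnsd without --enable-tcp-subseq (the second,
    still unread query is dropped with the connection); a small cap such as 3
    serves a dual-stack lookup while still bounding per-connection work.
    """
    answered = 0
    try:
        while answered < max_queries:
            hdr = recv_exact(conn, 2)
            if hdr is None:
                break
            (length,) = struct.unpack("!H", hdr)
            query = recv_exact(conn, length)
            if query is None or len(query) < 12:  # 12 bytes = DNS header
                break
            conn.sendall(frame(build_response(query)))
            answered += 1
    finally:
        conn.close()
    return answered


def resolve_dual_stack(server_addr, name):
    """Send A (id 1) and AAAA (id 2) back-to-back on one TCP connection; return responses keyed by ID."""
    got = {}
    with socket.create_connection(server_addr, timeout=2) as s:
        s.sendall(frame(build_query(1, name, QTYPE_A)) + frame(build_query(2, name, QTYPE_AAAA)))
        for _ in range(2):
            hdr = recv_exact(s, 2)
            if hdr is None:
                break
            (length,) = struct.unpack("!H", hdr)
            resp = recv_exact(s, length)
            if resp is None:
                break
            got[struct.unpack("!H", resp[:2])[0]] = resp
    return got


def run_scenario(max_queries, name="example.invalid"):
    """Run one exchange on localhost; return (queries the server answered, response IDs the client saw)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    result = {}

    def server():
        conn, _ = listener.accept()
        result["answered"] = serve_connection(conn, max_queries)

    t = threading.Thread(target=server, daemon=True)
    t.start()
    got = resolve_dual_stack(listener.getsockname(), name)
    t.join(2)
    listener.close()
    return result.get("answered", 0), sorted(got)


if __name__ == "__main__":
    print("max 1 query/conn :", run_scenario(1))   # AAAA answer never arrives
    print("max 3 queries/conn:", run_scenario(3))  # both A and AAAA answered
```

With the cap at 1 the client only ever sees the A answer and the AAAA lookup fails, which is the resolver error the report describes; with a cap of 3 both answers arrive and the connection is still closed after a bounded number of queries rather than being held open for as long as a client keeps sending.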