Re: How to disable DNS lookups?

2017-07-26 Thread Viktor Dukhovni
On Wed, Jul 26, 2017 at 03:08:30PM -0700, Henry B (Hank) Hotz, CISSP wrote:

> > Then the explicit trailing dots in /etc/hosts look indeed
> > like a reasonable trade-off.
> 
> Actually, isn’t the trailing dot just a red herring?

No.

> The RR is guaranteed to return a name which has an A/ record.

It is not.  SRV RRs can and sometimes do reference names that don't exist.
Ditto with MX records, ...  Even when the name exists a lookup can
time out.

> therefore no search list will be exercised. Period! The first
> lookup must succeed, by design.

Whether the first lookup is absolute or uses the search list depends on
"ndots" (which Heimdal does not control and has no knowledge of), and
in any case that lookup can fail.

-- 
Viktor.


Re: How to disable DNS lookups?

2017-07-26 Thread Henry B (Hank) Hotz, CISSP
I disagree. 

While you are technically correct, in my experience most SAs know very well 
what services are provided and where, but don’t know enough about DNS to know 
what a RR is. For that level of knowledge, having /etc/hosts take precedence is 
exactly the “least surprise” behavior.

> On Jul 26, 2017, at 11:25 AM, Thor Lancelot Simon  wrote:
> 
> On Wed, Jul 26, 2017 at 08:45:17AM -0700, Russ Allbery wrote:
>> 
>> Right, the point is not that you can't override with /etc/krb5.conf, the
>> point is that /etc/hosts normally overrides everything without having to
>> hunt down software-specific configuration files.
> 
> But in this case /etc/hosts clearly *can't* "override everything".  It
> cannot override the SRV records that are used to find the KDC via DNS,
> because there is no syntax to express a SRV record in /etc/hosts; and
> because of that, it is *a priori impossible* to know what hostname
> you would have to "override" in /etc/hosts (were that supported) to
> redirect Kerberos queries for a given realm to a particular IP address.
> 
> You can't even know whether DNS is used to look up the KDC or not without
> looking at krb5.conf.
> 
> Despite the expectation which seems reasonable at first glance that
> /etc/hosts could correctly be used to override a KDC in this way, in
> fact it works only in a few special cases - the ones where DNS is
> in use to find the KDC via SRV record *and* you can be 100% certain
> that SRV record won't change.  Not so useful.
> 
> Rather than relying on this, if you want to hardcode your KDC address,
> far better to turn off DNS lookup of the KDC, use krb5.conf, and be
> entirely manual and predictable, instead of half-manual, half-predictable,
> and half...donkeyed.
> 
> Thor

Personal email.  hbh...@oxy.edu


Re: How to disable DNS lookups?

2017-07-26 Thread Henry B (Hank) Hotz, CISSP

> On Jul 26, 2017, at 10:29 AM, u-hd-p...@aetey.se wrote:
> 
> On Wed, Jul 26, 2017 at 08:45:17AM -0700, Russ Allbery wrote:
>> Viktor Dukhovni  writes:
>>> 2. Look up same name in DNS, return address(es) if found
>> 
>>> instead, in step 2, we may get undesirable, incorrect and/or costly
>>> interactions with the stub resolver's domain search list.  The name in
>>> the SRV record is an FQDN and MUST NOT be subject to RES_DEFNAMES or
>>> RES_DNSRCH.  The getaddrinfo(3) API provides no means to signal that a
>>> name should not be subjected to the DNS search list.
>> 
>> Ah!  Thank you.  That helps me understand the problem you're trying to
>> solve.
> 
> +1
> 
> Then the explicit trailing dots in /etc/hosts look indeed
> like a reasonable trade-off.
> 
> Rune

Actually, isn’t the trailing dot just a red herring?

The RR is guaranteed to return a name which has an A/ record, therefore no
search list will be exercised. Period! The first lookup must
succeed, by design.

Personal email.  hbh...@oxy.edu


Re: How to disable DNS lookups?

2017-07-26 Thread Henry B (Hank) Hotz, CISSP

> On Jul 25, 2017, at 6:30 PM, Roland C. Dowdeswell wrote:
> 
> And there are no KDCs configured in /etc/krb5.conf for the realm that
> you are querying, you will use DNS SRV RRs.  And, we think that once you
> have retrieved hostnames from DNS SRV RRs that they should be looked up
> only in DNS and not subjected to search lists and the like.

I’ll grant that this is a level of detail which standards don’t address, and 
where consensus may legitimately be impossible. FWIW my opinion is that an SA 
responsible for deploying/testing a machine may know nothing about krb5 config 
files, but need to point at a different infrastructure. 

For the scenario you describe where RRs are necessary, the poor SA will be very 
surprised if his entries in /etc/hosts are ignored. He will be especially 
surprised if the OS has an nsswitch.conf and he has put hosts before DNS.  (I 
might even have run into a scenario like that on Solaris 9, but I never 
completely debugged it so I’m not sure.)



I assume you at least have code in there to sort the RR entries by 
priority/weight before using the optimistically-provided A/ records.

Personal email.  hbh...@oxy.edu


Re: How to disable DNS lookups?

2017-07-26 Thread Thor Lancelot Simon
On Wed, Jul 26, 2017 at 08:45:17AM -0700, Russ Allbery wrote:
> 
> Right, the point is not that you can't override with /etc/krb5.conf, the
> point is that /etc/hosts normally overrides everything without having to
> hunt down software-specific configuration files.

But in this case /etc/hosts clearly *can't* "override everything".  It
cannot override the SRV records that are used to find the KDC via DNS,
because there is no syntax to express a SRV record in /etc/hosts; and
because of that, it is *a priori impossible* to know what hostname
you would have to "override" in /etc/hosts (were that supported) to
redirect Kerberos queries for a given realm to a particular IP address.

You can't even know whether DNS is used to look up the KDC or not without
looking at krb5.conf.

Despite the expectation which seems reasonable at first glance that
/etc/hosts could correctly be used to override a KDC in this way, in
fact it works only in a few special cases - the ones where DNS is
in use to find the KDC via SRV record *and* you can be 100% certain
that SRV record won't change.  Not so useful.

Rather than relying on this, if you want to hardcode your KDC address,
far better to turn off DNS lookup of the KDC, use krb5.conf, and be
entirely manual and predictable, instead of half-manual, half-predictable,
and half...donkeyed.

Thor


Re: How to disable DNS lookups?

2017-07-26 Thread u-hd-phes
On Wed, Jul 26, 2017 at 08:45:17AM -0700, Russ Allbery wrote:
> Viktor Dukhovni  writes:
> > 2. Look up same name in DNS, return address(es) if found
> 
> > instead, in step 2, we may get undesirable, incorrect and/or costly
> > interactions with the stub resolver's domain search list.  The name in
> > the SRV record is an FQDN and MUST NOT be subject to RES_DEFNAMES or
> > RES_DNSRCH.  The getaddrinfo(3) API provides no means to signal that a
> > name should not be subjected to the DNS search list.
> 
> Ah!  Thank you.  That helps me understand the problem you're trying to
> solve.

+1

Then the explicit trailing dots in /etc/hosts look indeed
like a reasonable trade-off.

Rune



Re: How to disable DNS lookups?

2017-07-26 Thread Russ Allbery
Viktor Dukhovni  writes:

> The problem is that we don't get:

>   1. Look up name from SRV in /etc/hosts, return address(es) if found
>   2. Look up same name in DNS, return address(es) if found

> instead, in step 2, we may get undesirable, incorrect and/or costly
> interactions with the stub resolver's domain search list.  The name in
> the SRV record is an FQDN and MUST NOT be subject to RES_DEFNAMES or
> RES_DNSRCH.  The getaddrinfo(3) API provides no means to signal that a
> name should not be subjected to the DNS search list.

Ah!  Thank you.  That helps me understand the problem you're trying to
solve.

How often does this actually come up, though?  My understanding of how
domain search works is that the record returned by the SRV record would
have to not exist *and* some record formed by appending the local domain
to the name would have to exist.  That seems *extremely* unlikely,
although I guess the latter could match local wildcard entries if someone
was doing something weird.

> Furthermore, if a domain's KDC list is not locally administered, and
> you're delegating the KDC names to remotely administered DNS, local
> overrides of the address resolution are no less costly than just putting
> override kdcs in the [realms] section.  Indeed the latter is much less
> fragile.

Right, the point is not that you can't override with /etc/krb5.conf, the
point is that /etc/hosts normally overrides everything without having to
hunt down software-specific configuration files.

-- 
Russ Allbery (ea...@eyrie.org)


Re: How to disable DNS lookups?

2017-07-26 Thread Viktor Dukhovni

> On Jul 26, 2017, at 5:37 AM, u-hd-p...@aetey.se wrote:
> 
> As Russ already pointed out, the DNS standard is not an authority
> which defines the behaviour of the applicable APIs. Of course widely used
> implementations may create "de-facto standards" but this discussion shows
> that there is no apparent consensus about how name lookup is supposed
> to happen.

The problem is that we don't get:

1. Look up name from SRV in /etc/hosts, return address(es) if found
2. Look up same name in DNS, return address(es) if found

instead, in step 2, we may get undesirable, incorrect and/or costly
interactions with the stub resolver's domain search list.  The name
in the SRV record is an FQDN and MUST NOT be subject to RES_DEFNAMES
or RES_DNSRCH.  The getaddrinfo(3) API provides no means to signal
that a name should not be subjected to the DNS search list.

Furthermore, if a domain's KDC list is not locally administered, and
you're delegating the KDC names to remotely administered DNS, local
overrides of the address resolution are no less costly than just
putting override kdcs in the [realms] section.  Indeed the latter
is much less fragile.

Heimdal should be optimized for correct and reliable operation in normal
use first, and debugging hooks second.  Thus I plan to partly revert the
changes in the "master" branch to ensure that names that are obtained
from SRV records are resolved without search list suffixes, by appending
"." in the getaddrinfo(3) hostname argument for such names.  This will
match the behaviour of the MIT implementation.

-- 
Viktor.
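As an added illustration (not Heimdal's code and not from anyone in this thread), a toy Python model of the behaviour Viktor describes: the order in which a glibc-style stub resolver tries a name depends on ndots and on whether the name carries a trailing dot, and once the dot is appended an /etc/hosts override only matches if it is written with the dot too. The hosts entries, zone data, wildcard and search domain are all constructed for the example.

```python
# Added example: a simplified model of stub-resolver search-list handling.
# Real glibc also honours options like RES_DEFNAMES; this only models RES_DNSRCH.

# Constructed /etc/hosts: the files backend compares the literal string, so an
# override for an absolute (dotted) lookup must itself carry the trailing dot.
HOSTS = {"kdc1.example.org.": "192.0.2.10"}

# Constructed DNS view: the SRV target kdc2.example.org does not exist, but the
# local search domain has a wildcard (the "weird" case Russ mentions).
DNS = {"kdc1.example.org.": "198.51.100.10",
       "*.corp.example.": "203.0.113.99"}
SEARCH = ["corp.example"]   # constructed search list from resolv.conf
NDOTS = 1                   # resolv.conf default


def query_order(name, search=SEARCH, ndots=NDOTS):
    """Names the stub resolver would query, in order, for one lookup."""
    if name.endswith("."):            # absolute name: search list never applies
        return [name]
    as_is = name + "."
    suffixed = [f"{name}.{d}." for d in search]
    # with at least `ndots` dots the literal name goes first, otherwise last
    return [as_is] + suffixed if name.count(".") >= ndots else suffixed + [as_is]


def dns_lookup(fqdn):
    """Exact match, then wildcard match on each ancestor (simplified RFC 4592)."""
    if fqdn in DNS:
        return DNS[fqdn]
    labels = fqdn.rstrip(".").split(".")
    for i in range(1, len(labels)):
        hit = DNS.get("*." + ".".join(labels[i:]) + ".")
        if hit:
            return hit
    return None


def resolve(name):
    """hosts first (literal match), then DNS in search-list order.
    Returns (address, where-it-matched) or (None, None)."""
    if name in HOSTS:
        return HOSTS[name], "hosts"
    for q in query_order(name):
        addr = dns_lookup(q)
        if addr is not None:
            return addr, q
    return None, None


if __name__ == "__main__":
    for n in ("kdc2.example.org", "kdc2.example.org.", "kdc1.example.org", "kdc1.example.org."):
        print(f"{n:20} -> {resolve(n)}")
```

Without the dot, a dead SRV target silently turns into the wildcard host in the search domain; with the dot it fails cleanly, and the kdc1 pair shows why the /etc/hosts override has to be written as kdc1.example.org. once Heimdal looks the name up absolutely.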



Re: How to disable DNS lookups?

2017-07-26 Thread u-hd-phes
On Tue, Jul 25, 2017 at 09:48:11PM -0400, Roland C. Dowdeswell wrote:
> On Tue, Jul 25, 2017 at 11:20:57PM +0200, u-hd-p...@aetey.se wrote:
> > > As you can see, getaddrinfo(3) will only use DNS to chase the CNAME
> > > defined in DNS and does not consult /etc/hosts in the middle of a
> > 
> > You refer to a certain implementation which is not a specification
> > by itself. What do the applicable standards say?
> 
> Since we are discussing our processing of SRVs rather than CNAMEs, I'll
> limit my conversation to the relevant standards for SRVs.

As Russ already pointed out, the DNS standard is not an authority
which defines the behaviour of the applicable APIs. Of course widely used
implementations may create "de-facto standards" but this discussion shows
that there is no apparent consensus about how name lookup is supposed
to happen.

So unless we find a relevant standard reference saying otherwise,
the least surprise approach should reflect the practice of treating
/etc/hosts as a part of service name resolution.

Note, it is "service names to endpoints resolution" which I mean,
irrespectively of which technologies (DNS/non-DNS) are being used
for the purpose and possibly behind the scenes.

Name-to-endpoint mapping data is traditionally spread across multiple
local and more or less global databases like /etc/hosts, /etc/services,
various DNS servers and more.

Is there an API specification which says "if a lookup implies
multiple steps and begins against a certain database instance, then
all of the possibly needed additional lookups must use the same
database instance (or the same technology/protocol/implementation?)"?
I may be wrong but I doubt this.

Regards,
Rune