Re: stack overflow in getaddrinfo(3) with a small-sized stack in pthreads
>> > |> DNS queries (via UDP) are limited to max 512, as that is what the >> > |> protocol always required, so can be handled by everything (or should >> > be). >> >> That disregards EDNS0, which in the DNS "in general" is pretty >> much universally supported these days. After all, it's nearly 20 >> years since it was standardized IIRC. > > Robert talks about queries, you talk about responses - or am I missing > something? They do not share this size limit. That may be the case. Sorry for the noise. - Håvard
Re: stack overflow in getaddrinfo(3) with a small-sized stack in pthreads
On Sat, Dec 04, 2021 at 11:20:26AM +0100, Havard Eidnes wrote: > > Joerg Sonnenberger wrote in > > : > > |On Mon, Nov 29, 2021 at 08:38:35PM +0700, Robert Elz wrote: > > |> DNS queries (via UDP) are limited to max 512, as that is what the > > |> protocol always required, so can be handled by everything (or should > > be). > > That disregards EDNS0, which in the DNS "in general" is pretty > much universally supported these days. After all, it's nearly 20 > years since it was standardized IIRC. Robert talks about queries, you talk about responses - or am I missing something? They do not share this size limit. Martin
Re: stack overflow in getaddrinfo(3) with a small-sized stack in pthreads
> Joerg Sonnenberger wrote in > : > |On Mon, Nov 29, 2021 at 08:38:35PM +0700, Robert Elz wrote: > |> DNS queries (via UDP) are limited to max 512, as that is what the > |> protocol always required, so can be handled by everything (or should be). That disregards EDNS0, which in the DNS "in general" is pretty much universally supported these days. After all, it's nearly 20 years since it was standardized IIRC. > RFC 1035 says > > 2.3.4. Size limits > ... > UDP messages512 octets or less > > If no EDNS is in use the answer should be pretty small also. > Also see RFC 2671, but i have forgotten about all that. I thought I would just interject here on a tangent that our resolv.conf has the possibility to have 'options edns0', which, BTW, is required if you really want ssh to trust DNSSEC-signed SSH fingerprints from the DNS to reduce the "trust-on-first-use" problem SSH otherwise has. So having a fixed-size buffer of 512 bytes for "DNS answers" to cover all cases is not going to work. Oh, yes, our documentation of the "edns0" option says it uses it to inform the DNS server of the receive buffer size, but the user is by the looks of it not given any lever to influence that buffer size, which, if recollection serves, is recommended not to have a size larger than 1280 or thereabouts to avoid fragmentation. Regards, - Håvar
