net: silently ignore trust-ad option in /etc/resolv.conf and not to fallback to the cgo resolver #51152


Closed
mateusz834 opened this issue Feb 11, 2022 · 7 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments

@mateusz834
Member

mateusz834 commented Feb 11, 2022

The /etc/resolv.conf file often includes: options edns0 trust-ad. Golang does not recognize either of those options, so it falls back to the cgo resolver.
I think that trust-ad should be silently ignored. Golang does not use the ad flag anywhere, so it should be safe to silently ignore that option and not cause fallback to the cgo resolver.
Edit: edns0 option

@cherrymui cherrymui changed the title net: silently ignore trust-ad option in /etc/resolv.conf not to cause fallback to the cgo resolver. net: silently ignore trust-ad option in /etc/resolv.conf and not to fallback to the cgo resolver Feb 11, 2022
@cherrymui cherrymui added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Feb 11, 2022
@cherrymui cherrymui added this to the Backlog milestone Feb 11, 2022
@cherrymui
Member

cc @ianlancetaylor @neild

@DasSkelett

DasSkelett commented Feb 13, 2022

This would make sense, Go doesn't have the ability to do DNSSEC validation, so there isn't any alternative to trusting the AD bit.

There is one difference in behavior for glibc with this option though: If it's set, glibc sets the AD bit in queries, otherwise it doesn't. Some DNS recursors might be configured to only do DNSSEC validation if the AD (or DO) bit is set, and otherwise return everything even if it's bogus. (see PowerDNS docs: dnssec=process)
So in theory this could lead to Go receiving bogus data while it would've been filtered for the CGO resolver.
In practice however I think this recursor behavior is getting rare, most of them are configured to always validate DNSSEC (regardless of AD/DO bit) nowadays.

@mateusz834
Member Author

mateusz834 commented Feb 13, 2022

Didn't know about that behavior, but it might make sense to follow the glibc implementation, and add the AD flag to queries when trust-ad is present.

@mateusz834
Member Author

mateusz834 commented Feb 14, 2022

Thanks for including that link to the PowerDNS docs. It is even the default behavior of PowerDNS since 4.5.0.
It can still affect programs when trust-ad is set and the go resolver is forced (via GODEBUG env), compiled statically without CGO or using the netgo flag.
I don't know if forcing the go resolver is common, but someone might be doing it.
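The parsing and query-flag behaviour discussed in the comments above, as an added illustration that is not Go's own net package code: it recognises trust-ad and edns0 on an options line instead of treating the file as unusable, and sets the AD bit in the query header only when trust-ad is present (the glibc behaviour DasSkelett describes). The type and function names and the sample resolv.conf body are constructed for this example.

```go
package main

import "strings"

// Constructed resolv.conf body; systemd-resolved stub files commonly look like this.
const sampleResolvConf = `nameserver 127.0.0.53
options edns0 trust-ad
`

// ResolvOptions records the options this example understands. Unrecognised
// options are collected in Unknown rather than making the whole file unusable.
type ResolvOptions struct {
	TrustAD, EDNS0 bool
	Unknown        []string
}

// parseResolvOptions scans the "options ..." lines of a resolv.conf body.
func parseResolvOptions(conf string) ResolvOptions {
	var o ResolvOptions
	for _, line := range strings.Split(conf, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || f[0] != "options" {
			continue // blank line, comment, nameserver, search, ...
		}
		for _, opt := range f[1:] {
			switch opt {
			case "trust-ad":
				o.TrustAD = true
			case "edns0":
				o.EDNS0 = true
			default:
				o.Unknown = append(o.Unknown, opt)
			}
		}
	}
	return o
}

// DNS header flag bits: RD (Recursion Desired) and AD (Authentic Data, RFC 4035 section 3.2.3).
const flagRD, flagAD uint16 = 1 << 8, 1 << 5

// queryFlags returns the header flags word for a recursive query. AD is set in the
// request only when trust-ad is configured, matching the glibc behaviour described above.
func queryFlags(o ResolvOptions) uint16 {
	flags := flagRD
	if o.TrustAD {
		flags |= flagAD
	}
	return flags
}
```

With the sample file the flags word is 0x0120 (RD and AD); without trust-ad it is 0x0100, and options such as ndots:2 land in Unknown instead of aborting the parse.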

@gopherbot
Contributor

Change https://go.dev/cl/408654 mentions this issue: dns/dnsmessage: add AD flag support

gopherbot pushed a commit to golang/net that referenced this issue Aug 9, 2022
For golang/go#51152

Change-Id: I1e348afaa1533849e682194efb1c404f9e678e56
GitHub-Last-Rev: c5ef8a5
GitHub-Pull-Request: #136
Reviewed-on: https://go-review.googlesource.com/c/net/+/408654
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
@gopherbot
Contributor

Change https://go.dev/cl/428955 mentions this issue: net: set AD bit in DNS queries when trust-ad in resolv.conf

WeiminShang added a commit to WeiminShang/net that referenced this issue Nov 16, 2022
For golang/go#51152

Change-Id: I1e348afaa1533849e682194efb1c404f9e678e56
GitHub-Last-Rev: c5ef8a56ad1d85645c95f25e719a476595063471
GitHub-Pull-Request: golang/net#136
Reviewed-on: https://go-review.googlesource.com/c/net/+/408654
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
@gopherbot
Contributor

Change https://go.dev/cl/451420 mentions this issue: doc/go1.20: add release notes for net package

gopherbot pushed a commit that referenced this issue Nov 18, 2022
For #50101
For #51152
For #53482
For #55301
For #56515

Change-Id: I11edeb4be0a7f80fb72fd7680a3407d081f83b8b
Reviewed-on: https://go-review.googlesource.com/c/go/+/451420
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
@golang golang locked and limited conversation to collaborators Nov 18, 2023