net: add EDNS0 support to builtin DNS stub resolver #6464
Labels
Milestone
Comments
|
+1 Ran into this while debugging a problem with pulling Docker images: we were unable to pull an image due to a DNS resolution error. It turns out our router was forwarding up to 4k DNS responses regardless of the state of the EDNS0 flag, and the Go DNS package was (correctly to the spec) choking on the larger than expected message. The ultimate fix was for the router itself, setting the window to back down to the RFC correct 512 byte size. Again, this is not a bug with the Go implementation of DNS, but considering how broadly used EDNS0 is for avoiding a fallback to TCP for large DNS responses (which are more and more common), it might be worth implementing the EDNS0 DNS extension if only for that feature. |
|
I still hesitate to say "yup, that's the way to go" because we are already not innocent.
I also understand that EDNS0 would be pretty useful under the well-configured, managed and secured environment. In addition, DNS stub resolver perhaps might avoid being affected by various attacks based on UDP over IP fragmentation. I mean, with DNSSEC it sounds pretty reasonable, but in other cases... still thinking. |
mikioh
changed the title
|
Related to #13279 |
|
CL https://golang.org/cl/47170 mentions this issue. |
gopherbot
pushed a commit
to golang/net
that referenced
this issue
Mar 30, 2018
This change introduces OPTResourse type to support DNS messages containing various extension options as defined in RFC 6891. Parsing and building OPT pseudo records requires allocations like TXT records. Also adds DNSSECAllowed, ExtendedRCode and SetEDNS0 methods to ResourceHeader for convenience. Updates golang/go#6464. Updates golang/go#16218. Change-Id: Ib72cea277201e4122c6b5effa320084ff351c886 Reviewed-on: https://go-review.googlesource.com/47170 Reviewed-by: Ian Gudger <[email protected]>
sgreene570
added a commit
to sgreene570/cluster-dns-operator
that referenced
this issue
Jun 2, 2021
The CoreDNS bufsize plugin was enabled with a set size of 1232 bytes in order to ensure that outbound DNS queries contain EDNS OPT Resource Records, which resolved Bug 1949361. Some DNS Clients, such as Go's built-in stub DNS resolver, are not capable of handling DNS UDP messages that are larger than 512 bytes (even if the proper EDNS flags are included in the message). See golang/go#13561 & golang/go#6464 accordingly. This commit configures the bufsize plugin with a reduced bufsize of 512 bytes for all servers to ensure compatibility with primitive DNS clients. pkg/operator/controller/controller_dns_configmap.go: Set bufsize to 512 bytes for all servers. pkg/operator/controller/controller_dns_configmap_test.go: Update unit test cases. This commit is in support of Bug 196616 and should not cause any regression from the changes merged as a part of Bug 1949361.
sgreene570
added a commit
to sgreene570/cluster-dns-operator
that referenced
this issue
Jun 2, 2021
The CoreDNS bufsize plugin was enabled with a set size of 1232 bytes in order to ensure that DNS queries bound for an upstream resolver contain EDNS OPT Resource Records. This resolved Bug 1949361. Some DNS Clients, such as Go's built-in stub DNS resolver, are not capable of handling DNS UDP messages that are larger than 512 bytes (even if the proper EDNS flags are included in the message). See golang/go#13561 & golang/go#6464 accordingly. This commit configures the bufsize plugin with a reduced bufsize of 512 bytes for all servers to ensure compatibility with primitive DNS clients. pkg/operator/controller/controller_dns_configmap.go: Set bufsize to 512 bytes for all servers. pkg/operator/controller/controller_dns_configmap_test.go: Update unit test cases. This commit is in support of Bug 196616 and should not cause any regression from the changes merged as a part of Bug 1949361.
openshift-cherrypick-robot
pushed a commit
to openshift-cherrypick-robot/cluster-dns-operator
that referenced
this issue
Jun 3, 2021
The CoreDNS bufsize plugin was enabled with a set size of 1232 bytes in order to ensure that DNS queries bound for an upstream resolver contain EDNS OPT Resource Records. This resolved Bug 1949361. Some DNS Clients, such as Go's built-in stub DNS resolver, are not capable of handling DNS UDP messages that are larger than 512 bytes (even if the proper EDNS flags are included in the message). See golang/go#13561 & golang/go#6464 accordingly. This commit configures the bufsize plugin with a reduced bufsize of 512 bytes for all servers to ensure compatibility with primitive DNS clients. pkg/operator/controller/controller_dns_configmap.go: Set bufsize to 512 bytes for all servers. pkg/operator/controller/controller_dns_configmap_test.go: Update unit test cases. This commit is in support of Bug 196616 and should not cause any regression from the changes merged as a part of Bug 1949361.
openshift-cherrypick-robot
pushed a commit
to openshift-cherrypick-robot/cluster-dns-operator
that referenced
this issue
Jun 9, 2021
The CoreDNS bufsize plugin was enabled with a set size of 1232 bytes in order to ensure that DNS queries bound for an upstream resolver contain EDNS OPT Resource Records. This resolved Bug 1949361. Some DNS Clients, such as Go's built-in stub DNS resolver, are not capable of handling DNS UDP messages that are larger than 512 bytes (even if the proper EDNS flags are included in the message). See golang/go#13561 & golang/go#6464 accordingly. This commit configures the bufsize plugin with a reduced bufsize of 512 bytes for all servers to ensure compatibility with primitive DNS clients. pkg/operator/controller/controller_dns_configmap.go: Set bufsize to 512 bytes for all servers. pkg/operator/controller/controller_dns_configmap_test.go: Update unit test cases. This commit is in support of Bug 196616 and should not cause any regression from the changes merged as a part of Bug 1949361.
|
Change https://go.dev/cl/385035 mentions this issue: |
|
Change https://go.dev/cl/385374 mentions this issue: |
|
Change https://go.dev/cl/385375 mentions this issue: |
|
Change https://go.dev/cl/386015 mentions this issue: |
|
Change https://go.dev/cl/386016 mentions this issue: |
|
Change https://go.dev/cl/386014 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Feb 15, 2022
This reverts https://go.dev/cl/385035. For 1.18 we will use a simple change to increase the accepted DNS packet size, to handle what appear to be broken resolvers that don't honor the 512 byte limit. For 1.19 we will restore CL 385035 to make a proper EDNS request, so that it has more testing time before it goes out in a release. For #6464 For #21160 For #44135 For #51127 For #51153 Change-Id: Ie4a0eb85ca0a6a73bee5cd4cfc6b7d2a15ef259f Reviewed-on: https://go-review.googlesource.com/c/go/+/386014 Trust: Ian Lance Taylor <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]> Reviewed-by: Damien Neil <[email protected]>
|
Change https://go.dev/cl/386034 mentions this issue: |
|
Change https://go.dev/cl/386035 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Feb 15, 2022
The existing value of 512 bytes as is specified by RFC 1035. However, the WSL resolver reportedly sends larger packets without setting the truncation bit, which breaks using the Go resolver. For 1.18 and backports, just increase the accepted packet size. This is what GNU glibc does (they use 65536 bytes). For 1.19 we plan to use EDNS to set the accepted packet size. That will give us more time to test whether that causes any problems. No test because I'm not sure how to write one and it wouldn't really be useful anyhow. Fixes #6464 Fixes #21160 Fixes #44135 Fixes #51127 For #51153 Change-Id: I0243f274a06e010ebb714e138a65386086aecf17 Reviewed-on: https://go-review.googlesource.com/c/go/+/386015 Trust: Ian Lance Taylor <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
gopherbot
pushed a commit
that referenced
this issue
Feb 17, 2022
…1232 bytes The existing value of 512 bytes as is specified by RFC 1035. However, the WSL resolver reportedly sends larger packets without setting the truncation bit, which breaks using the Go resolver. For 1.18 and backports, just increase the accepted packet size. This is what GNU glibc does (they use 65536 bytes). For 1.19 we plan to use EDNS to set the accepted packet size. That will give us more time to test whether that causes any problems. No test because I'm not sure how to write one and it wouldn't really be useful anyhow. For #6464 For #21160 For #44135 For #51127 For #51153 Fixes #51162 Change-Id: I0243f274a06e010ebb714e138a65386086aecf17 Reviewed-on: https://go-review.googlesource.com/c/go/+/386015 Trust: Ian Lance Taylor <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]> TryBot-Result: Gopher Robot <[email protected]> (cherry picked from commit 6e82ff8) Reviewed-on: https://go-review.googlesource.com/c/go/+/386035 Reviewed-by: Dmitri Shuralyov <[email protected]>
gopherbot
pushed a commit
that referenced
this issue
Feb 17, 2022
…1232 bytes The existing value of 512 bytes as is specified by RFC 1035. However, the WSL resolver reportedly sends larger packets without setting the truncation bit, which breaks using the Go resolver. For 1.18 and backports, just increase the accepted packet size. This is what GNU glibc does (they use 65536 bytes). For 1.19 we plan to use EDNS to set the accepted packet size. That will give us more time to test whether that causes any problems. No test because I'm not sure how to write one and it wouldn't really be useful anyhow. For #6464 For #21160 For #44135 For #51127 For #51153 Fixes #51161 Change-Id: I0243f274a06e010ebb714e138a65386086aecf17 Reviewed-on: https://go-review.googlesource.com/c/go/+/386015 Trust: Ian Lance Taylor <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]> TryBot-Result: Gopher Robot <[email protected]> (cherry picked from commit 6e82ff8) Reviewed-on: https://go-review.googlesource.com/c/go/+/386034 Reviewed-by: Dmitri Shuralyov <[email protected]>
gopherbot
pushed a commit
that referenced
this issue
Mar 3, 2022
Advertise to DNS resolvers that we are willing and able to accept up to 1232 bytes in a DNS packet. The value 1232 was chosen based on https://dnsflagday.net/2020/. For #6464 For #21160 For #44135 For #51127 Fixes #51153 Change-Id: If9182d5210bfe047cf0a4d46163effc6812ab677 Reviewed-on: https://go-review.googlesource.com/c/go/+/386016 Trust: Ian Lance Taylor <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> Reviewed-by: Damien Neil <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
The text was updated successfully, but these errors were encountered: