-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net: LookupNS() cannot be used to discover root name servers #45715
Comments
Ah. I see this issue has been prosecuted before in #12421 and #1167 and ultimately frozen due to age. On further reflection, it's not clear that First off, the test is at the wrong level as dnsclient_unix.go:Resolver.lookup() is not type-aware and thus can have no clue as to which types have what label constraints. Second off, RFC1034 is quite explicit about allowing any characters as labels in future possible query types ("The rationale for this choice is that we may someday need to add full binary domain names for new services") and only recommends restricting labels as a transitionary guideline ("the prudent user will select a name which satisfies both the rules of the domain system and any existing rules for the object, whether these rules are published or implied by existing programs"). Even if one were to view this prudence as a "MUST" in modern RFC parlance - shouldn't that be constrained on the database entry side of the process, not the database query side? Third, Finally, as others have noted, there is also the presumption of this code running on the public internet when in fact it should work perfectly well in a closed system; mDNS being the most obvious example. It is quite embarrassing having to inform my colleague, Charles André de Gaulle, that they have to change their name because it doesn't fit with the world view of what an office speaker-phone can be called. I suggest that |
CC @iangudger |
Is there a reason not to allow "." for all lookup types? |
While that would solve my immediate problem, I think the bigger question is whether |
I tried to fix that, but it got stuck in review: golang.org/cl/99623 |
Ok, that's quite a change, but if it does the job and also solves a few other issues, maybe that's the best approach. How do we push this code review forward? |
Mark, you may need to ping this again after 1.17 is released, as the tree is frozen until then. |
Will do. |
It should be possible to update x/net now and integrate the changes into the standard library after the freeze is lifted. |
Which I presume still means you need completion of the review for golang.org/cl/99623? |
That or an alternate approach. |
So there are two issues:
Questions are:
What do you think? |
We are fixing Allowing a wider set of characters than the ones used by the open Internet DNS is more complicated, because it turned out to be a footgun at least in responses (#46241). |
This is probably the fundamental issue and, as you say, quite an effort. I think just accepting "." seems like the least surprising change.
As the co-author of rfc7505 we were hoping NULL MX would get reasonable deployment to avoid the fallback to A RR that is part of SMTP. But checking some of the larger domains I used to administer I see that maybe it has fallen into disuse? So maybe "quite rare" is true today, but given that it's standardized behavior its deployment may ebb and flow. I for one use NULL MX on all my personal non-mail domains, if that helps :-) |
Change https://golang.org/cl/360314 mentions this issue: |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes, any recent release and on multiple platforms.
What did you do?
What did you expect to see?
$ go run gr.go
Works using '', giving 13
Works using '.', giving 13
Works using 'root-servers.net.', giving 13
I would expect at least one of the empty string or '.' to return the list of root name servers, much as is returned by the command
dig . ns
. I think I'd prefer '.' but both should result in a zero-length qname NS query sent to the local resolver.What did you see instead?
Which means the only way to get the root name servers is to use a hard-coded name, which while probably safe for the foreseeable future, is not as future-proof as the moral equivalent of
dig . ns
.The root cause (ahem) appears to be that
src/net/dnsclient.go:isDomainName()
disallows the singular "." and the empty string as valid domain names for any type of query, including NS.Alternatives
I'm happy to use an alternative mechanism within the net package, but a fairly decent look at the source code suggests that there are no lower-level functions which bypass
isDomainName()
.The text was updated successfully, but these errors were encountered: