Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net: LookupMX behaviour broken #46979

Closed
horkhe opened this issue Jun 30, 2021 · 16 comments
Closed

net: LookupMX behaviour broken #46979

horkhe opened this issue Jun 30, 2021 · 16 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker
Milestone

Comments

@horkhe
Copy link

horkhe commented Jun 30, 2021

Change https://golang.org/cl/322230 introduced in release 1.16.5 and backported to 1.15.13, altered net.LookupMX behaviour that breaks the old contract in at least two ways:

  • Previously it returned ALL MX records, so users could filter out bad ones and connect to those that are valid. However now if a domain has at least one "bad" MX record none is returned along with &net.DNSError{Err: "MX target is invalid", Name: name} error.
  • If a domain has Null MX record (https://tools.ietf.org/html/rfc7505) configured then &net.DNSError{Err: "MX target is invalid", Name: name} is returned. So it is impossible to distinguish a domain explicitly forbidding SMTP connections from a domain with misconfigured MX records.

I believe users of net.LookupXXX family have come to expect that those methods return whatever DNS servers on the Internet have configured. We understand that those records can be incorrect and sometimes they are, but mostly due to human errors. Following the Robustness Principal we try to salvage useful pieces, ignore and/or auto-correct bad records. But this change robbed us of that option. So I think https://golang.org/cl/322230 is a regression and should be rolled back, alternatively you can provide net.RawLookupXXX methods, or add SkipVerify bool field to net.Resolver that would allow disabling verification of retrieved records.

@seankhliao
Copy link
Member

cc @rolandshoemaker

@seankhliao seankhliao added the NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. label Jun 30, 2021
@ianlancetaylor ianlancetaylor added this to the Go1.17 milestone Jun 30, 2021
@ianlancetaylor
Copy link
Member

These changes (https://golang.org/cl/323131 and cherry picks) were made to address a security issue. See #46241 and https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-33195.

Marking as release blocker for 1.17 to decide whether there is anything to change here.

CC @golang/osp-team @golang/security

@rsc
Copy link
Contributor

rsc commented Jun 30, 2021

@horkhe do you have an example of why a server would legitimately return a set of MX records with some "invalid" ones, or do you have an example of any real-world servers doing that? That is, what breaks due to the filtering?

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/332094 mentions this issue: net: don't reject null mx records

@FiloSottile
Copy link
Contributor

@horkhe do you have an example of why a server would legitimately return a set of MX records with some "invalid" ones, or do you have an example of any real-world servers doing that? That is, what breaks due to the filtering?

To be clear, invalid even after we fix validation to allow null records.

@FiloSottile
Copy link
Contributor

FiloSottile commented Jun 30, 2021

@gopherbot please open a backport issue for Go 1.16, this is a regression in the last minor release.

@gopherbot
Copy link
Contributor

gopherbot commented Jun 30, 2021

Backport issue(s) opened: #46999 (for 1.16).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

@horkhe
Copy link
Author

horkhe commented Jul 1, 2021

@rcs full disclosure, I am a developer from Mailgun by Pathwire. We send emails... quite a few of them. Obviously we query MX records a lot. Occasionally we see domains that have several MX records sprinkled with invalid ones. Those are obviously human errors. I cannot really give you a real world example of those records, but here is a domain that I created to run tests - test-unicode.definbox.com. It was inspired by a real configuration that we stumbled up on in our line of business. The original domain has already been fixed by the owner.

So the answer to your question is: there is no legitimate reason to configure a bad record, but one human error should not prevent users from seen all the correct MX records if any.

Thanks a lot for a quick turn around on this issue.

@dmitshur
Copy link
Contributor

dmitshur commented Jul 1, 2021

@FiloSottile If I understand correctly, Go 1.15 is also affected, and so it also needs a backport candidate. Opened #47012.

gopherbot pushed a commit that referenced this issue Jul 1, 2021
Bypass hostname validity checking when a null mx record is returned as,
defined in RFC 7505.

Updates #46979

Change-Id: Ibe683bd6b47333a8ff30909fb2680ec8e10696ef
Reviewed-on: https://go-review.googlesource.com/c/go/+/332094
Trust: Roland Shoemaker <[email protected]>
Trust: Katie Hockman <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
TryBot-Result: Go Bot <[email protected]>
Reviewed-by: Katie Hockman <[email protected]>
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/332371 mentions this issue: [release-branch.go1.16] net: don't reject null mx records

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/332372 mentions this issue: [release-branch.go1.15] net: don't reject null mx records

@rsc
Copy link
Contributor

rsc commented Jul 1, 2021

@horkhe Thanks for the extra information.

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/332549 mentions this issue: net: filter bad names from Lookup functions instead of hard failing

gopherbot pushed a commit that referenced this issue Jul 8, 2021
Bypass hostname validity checking when a null mx record is returned as,
defined in RFC 7505.

Updates #46979
Updates #46999

Change-Id: Ibe683bd6b47333a8ff30909fb2680ec8e10696ef
Reviewed-on: https://go-review.googlesource.com/c/go/+/332094
Trust: Roland Shoemaker <[email protected]>
Trust: Katie Hockman <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
TryBot-Result: Go Bot <[email protected]>
Reviewed-by: Katie Hockman <[email protected]>
(cherry picked from commit 03761ed)
Reviewed-on: https://go-review.googlesource.com/c/go/+/332371
Run-TryBot: Katie Hockman <[email protected]>
gopherbot pushed a commit that referenced this issue Jul 8, 2021
Bypass hostname validity checking when a null mx record is returned as,
defined in RFC 7505.

Updates #46979
Updates #47012

Change-Id: Ibe683bd6b47333a8ff30909fb2680ec8e10696ef
Reviewed-on: https://go-review.googlesource.com/c/go/+/332094
Trust: Roland Shoemaker <[email protected]>
Trust: Katie Hockman <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
TryBot-Result: Go Bot <[email protected]>
Reviewed-by: Katie Hockman <[email protected]>
(cherry picked from commit 03761ed)
Reviewed-on: https://go-review.googlesource.com/c/go/+/332372
Run-TryBot: Katie Hockman <[email protected]>
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/333330 mentions this issue: [release-branch.go1.16] net: filter bad names from Lookup functions instead of hard failing

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/333331 mentions this issue: [release-branch.go1.15] net: filter bad names from Lookup functions instead of hard failing

gopherbot pushed a commit that referenced this issue Jul 8, 2021
…nstead of hard failing

Instead of hard failing on a single bad record, filter the bad records
and return anything valid. This only applies to the methods which can
return multiple records, LookupMX, LookupNS, LookupSRV, and LookupAddr.

When bad results are filtered out, also return an error, indicating
that this filtering has happened.

Updates #46241
Updates #46979
Fixes #46999

Change-Id: I6493e0002beaf89f5a9795333a93605abd30d171
Reviewed-on: https://go-review.googlesource.com/c/go/+/332549
Trust: Roland Shoemaker <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
(cherry picked from commit 296ddf2)
Reviewed-on: https://go-review.googlesource.com/c/go/+/333330
Run-TryBot: Roland Shoemaker <[email protected]>
TryBot-Result: Go Bot <[email protected]>
gopherbot pushed a commit that referenced this issue Jul 8, 2021
…nstead of hard failing

Instead of hard failing on a single bad record, filter the bad records
and return anything valid. This only applies to the methods which can
return multiple records, LookupMX, LookupNS, LookupSRV, and LookupAddr.

When bad results are filtered out, also return an error, indicating
that this filtering has happened.

Updates #46241
Updates #46979
Fixes #47012

Change-Id: I6493e0002beaf89f5a9795333a93605abd30d171
Reviewed-on: https://go-review.googlesource.com/c/go/+/332549
Trust: Roland Shoemaker <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
(cherry picked from commit 296ddf2)
Reviewed-on: https://go-review.googlesource.com/c/go/+/333331
Run-TryBot: Roland Shoemaker <[email protected]>
@dmitshur dmitshur removed the NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. label Jul 8, 2021
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Jul 8, 2021
@horkhe
Copy link
Author

horkhe commented Jul 13, 2021

Thank you, guys!

@golang golang locked and limited conversation to collaborators Jul 13, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker
Projects
None yet
Development

No branches or pull requests

7 participants