Mailing List Archive: Qmail: users

Oversize DNS patch - obsolete?



up at 3

Jun 26, 2009, 9:10 AM

Post #1 of 16 (4340 views)
Oversize DNS patch - obsolete?

I've run this patch on most of my servers for years with no problems. On
one of my servers that wasn't running it, I did find myself with problems
receiving email from AOL and others...I'm talking just a few years ago,
not when this first popped up a decade or so ago.

I'm now installing qmail from FreeBSD ports on a new server, and ports is
offering me all of the patches I could want and more...except I see
nothing about the dns.c patch.

Question is: Is it still necessary? Bear in mind that I will not be
running djbdns, but BIND 9.

Thanks!

James Smallacombe PlantageNet, Inc. CEO and Janitor
up [at] 3 http://3.am
=========================================================================


kyle-qmail at memoryhole

Jun 26, 2009, 9:51 AM

Post #2 of 16 (4215 views)
Re: Oversize DNS patch - obsolete? [In reply to]

On Friday, June 26 at 12:10 PM, quoth up [at] 3:
> I'm now installing qmail from FreeBSD ports on a new server, and
> ports is offering me all of the patches I could want and
> more...except I see nothing about the dns.c patch.
>
> Question is: Is it still necessary? Bear in mind that I will not be
> running djbdns, but BIND 9.

Personally, I think it is probably still just as necessary as it was
in the past.

You can take that statement a few ways; for example, maybe it was
never necessary, because you could argue that domains who returned
enormous DNS packets were broken, and they could be worked-around with
the smtproutes file. Or maybe it was never *necessary* because the
better option was to use the djbdns client library, which didn't
require the client application to allocate buffer space manually.

But nothing about the world of DNS has changed that would prevent
domains from using large DNS packets. Oversize DNS isn't widespread,
and AOL's servers no longer return huge packets (for now), but there's
nothing preventing them from doing that in the future, and there's
nothing to say that you won't find a domain here and there that
returns enormous DNS packets.

Anyway... where do you not see it in FreeBSD ports? I see it here:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/qmail/distinfo?rev=1.73
(qmail-103.patch, a lousy name, but that's what it's called). It's also
in the Makefile:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/qmail/Makefile?rev=1.141

.if !defined(BARRIER_DNS_PATCH)
# Patch necessary to cope with non-RFC >512 dns entries
# Since AOL has been using those, the problem has skyrocketed from
# minor to groundzero. qmail being RFC compliant needs to be
# "fixed" to work with those
PATCH_SITES+= http://www.ckdhr.com/ckd/:dns
PATCHFILES+= qmail-103.patch:dns
.endif

So... I guess you're just not looking in the right places?

~Kyle
- --
The greatest dangers to liberty lurk in insidious encroachment by men
of zeal, well-meaning but without understanding.
-- Brandeis


lists-qmail at maexotic

Jun 26, 2009, 10:42 AM

Post #3 of 16 (4215 views)
Re: Oversize DNS patch - obsolete? [In reply to]

On Fri, Jun 26, 2009 at 12:10:09PM -0400, up [at] 3 wrote:
> Question is: Is it still necessary? Bear in mind that I will not be
> running djbdns, but BIND 9.

Yes it is.
Just had problems a few weeks ago getting mail to my domain from a qmail
system querying a BIND DNS server, due to the fact that I had added
DNSSEC records for testing purposes.
The messages bounced back with the well-known "CNAME lookup failed
temporarily." message.

\Maex


feh at fehcom

Jun 27, 2009, 2:20 AM

Post #4 of 16 (4196 views)
Re: Oversize DNS patch - obsolete? [In reply to]

Hi,

On 26.06.2009 at 17:10, <up [at] 3> wrote:

>
> I'm now installing qmail from FreeBSD ports on a new server, and ports
> is offering me all of the patches I could want and more...except I see
> nothing about the dns.c patch.

In case you are inclined to use the qmail+spamcontrol port from FreeBSD --
yes it includes the dns.c patch.


>
> Question is: Is it still necessary? Bear in mind that I will not be
> running djbdns, but BIND 9.

AFAIK, yes.

regards.
--eh.


>
> Thanks!
>
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> up [at] 3 http://3.am
> =========================================================================
>



--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de


bh at izb

Jun 27, 2009, 10:43 AM

Post #5 of 16 (4199 views)
Re: Oversize DNS patch - obsolete? [In reply to]

up [at] 3 writes:

> I've run this patch on most of my servers for years with no problems.
> On one of my servers that wasn't running it, I did find myself with
> problems receiving email from AOL and others...I'm talking just a few
> years ago, not when this first popped up a decade or so ago.
>
> I'm now installing qmail from FreeBSD ports on a new server, and ports
> is offering me all of the patches I could want and more...except I see
> nothing about the dns.c patch.
>
> Question is: Is it still necessary? Bear in mind that I will not be
> running djbdns, but BIND 9.
>
> Thanks!
>
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> up [at] 3 http://3.am
> =========================================================================

(Somewhat, this is off topic.)

bh [at] betl:/usr/ports/mail/qmail> make -V MAINTAINER
garga [at] FreeBSD

From now on, you would be better off Cc'ing the maintainer, garga [at] FreeBSD.

--
Byung-Hee HWANG, KNU
∑ WWW: http://izb.knu.ac.kr/~bh/


qmail at jfoo

Jun 29, 2009, 9:06 AM

Post #6 of 16 (4186 views)
Re: Oversize DNS patch - obsolete? [In reply to]

Markus Stumpf wrote:
> On Fri, Jun 26, 2009 at 12:10:09PM -0400, up [at] 3 wrote:
>
>> Question is: Is it still necessary? Bear in mind that I will not be
>> running djbdns, but BIND 9.
>>
>
> Yes it is.
> Just had problems a few weeks ago getting mail to my domain from a qmail
> system querying a BIND DNS server, due to the fact that I had added
> DNSSEC records for testing purposes.
> The messages bounced back with the wellknown "CNAME lookup failed temporarily."
> message.
>
>

I'm not 100% sure of this, but I had similar troubles sending
to comcast.net recently. I patched my qmail and can now send
there. It's possible that the "CNAME lookup failed temporarily"
was due to some other reason, or that they fixed it, of course.

Consider this a vote for the patch being included in netqmail 1.07.

j


amb-1166294724 at bradfords

Jul 5, 2009, 9:00 AM

Post #7 of 16 (4085 views)
Re: Oversize DNS patch - obsolete? [In reply to]

Thus said Kyle Wheeler on Fri, 26 Jun 2009 11:51:51 CDT:

> But nothing about the world of DNS has changed that would prevent
> domains from using large DNS packets. Oversize DNS isn't widespread,
> and AOL's servers no longer return huge packets (for now), but there's
> nothing preventing them from doing that in the future, and there's
> nothing to say that you won't find a domain here and there that
> returns enormous DNS packets.

I recently discovered this monstrosity:

$ dnsq any openswan.org ns2.xelerance.net
255 openswan.org:
2548 bytes, 1+21+0+0 records, response, authoritative, noerror
query: 255 openswan.org

Andy
--
[-----------[system uptime]--------------------------------------------]
10:00am up 28 min, 1 user, load average: 1.14, 1.17, 1.08


kyle-qmail at memoryhole

Jul 5, 2009, 9:15 AM

Post #8 of 16 (4072 views)
Re: Oversize DNS patch - obsolete? [In reply to]

On Sunday, July 5 at 10:00 AM, quoth Andy Bradford:
>Thus said Kyle Wheeler on Fri, 26 Jun 2009 11:51:51 CDT:
>
>> But nothing about the world of DNS has changed that would prevent
>> domains from using large DNS packets. Oversize DNS isn't widespread,
>> and AOL's servers no longer return huge packets (for now), but there's
>> nothing preventing them from doing that in the future, and there's
>> nothing to say that you won't find a domain here and there that
>> returns enormous DNS packets.
>
>I recently discovered this monstrosity:
>
>$ dnsq any openswan.org ns2.xelerance.net
>255 openswan.org:
>2548 bytes, 1+21+0+0 records, response, authoritative, noerror
>query: 255 openswan.org

Indeed!

That's probably *also* a good argument for using the one-line patch to
make qmail use a CNAME query instead of an ANY query (it's an old
bodge around a BIND 4 bug).

~Kyle
- --
I have not failed. I've just found 10,000 ways that won't work.
-- Thomas Edison


lists-qmail at maexotic

Jul 5, 2009, 11:32 AM

Post #9 of 16 (4083 views)
Re: Oversize DNS patch - obsolete? [In reply to]

On Sun, Jul 05, 2009 at 10:00:34AM -0600, Andy Bradford wrote:
> I recently discovered this monstrosity:

As DNSSEC gets more widely used you will see more and more of those.
ANY answers the size of 2-3K will become standard.

\Maex


matthew at dempsky

Jul 5, 2009, 5:33 PM

Post #10 of 16 (4085 views)
Re: Oversize DNS patch - obsolete? [In reply to]

On Sun, Jul 5, 2009 at 9:15 AM, Kyle Wheeler<kyle-qmail [at] memoryhole> wrote:
> That's probably *also* a good argument for using the one-line patch to
> make qmail use a CNAME query instead of an ANY query (it's an old
> bodge around a BIND 4 bug).

As RFC 2821 (April 2001) no longer requires these queries, another
solution is to just remove them completely (see patch below).

My intuition is that users/sites no longer rely on this functionality.
As a quick experiment, I set up box.x.dempsky.org with a CNAME record
pointing to dempsky.org and tried sending an email to
matthew [at] box via gmail. The message bounced rather than
being rewritten to matthew [at] dempsky.

--- qmail-remote.c.orig Sun Jul 5 17:13:53 2009
+++ qmail-remote.c Sun Jul 5 17:14:01 2009
@@ -374,7 +374,7 @@
while (*recips) {
if (!saa_readyplus(&reciplist,1)) temp_nomem();
reciplist.sa[reciplist.len] = sauninit;
- addrmangle(reciplist.sa + reciplist.len,*recips,&flagalias,!relayhost);
+ addrmangle(reciplist.sa + reciplist.len,*recips,&flagalias,0);
if (!flagalias) flagallaliases = 0;
++reciplist.len;
++recips;
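Review bot: hard-coding the last addrmangle argument to 0 disables CNAME expansion for every recipient, whereas the replaced expression `!relayhost` only skipped it when a relayhost was configured; since the thread itself notes that Sendmail exposes this as a DontExpandCnames option that is off by default, consider making it a control-file setting rather than an unconditional change, and state in the patch description what `if (!flagalias) flagallaliases = 0;` (retained just below the change) now does when addrmangle is always called with 0.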


kyle-qmail at memoryhole

Jul 6, 2009, 10:06 AM

Post #11 of 16 (4059 views)
Re: Oversize DNS patch - obsolete? [In reply to]

On Sunday, July 5 at 05:33 PM, quoth Matthew Dempsky:
>On Sun, Jul 5, 2009 at 9:15 AM, Kyle Wheeler<kyle-qmail [at] memoryhole> wrote:
>> That's probably *also* a good argument for using the one-line patch to
>> make qmail use a CNAME query instead of an ANY query (it's an old
>> bodge around a BIND 4 bug).
>
>As RFC 2821 (April 2001) no longer requires these queries, another
>solution is to just remove them completely (see patch below).

Unfortunately, while I sympathize with the desire, that's probably a
bad idea. RFC 2821 is merely a "proposed standard", while 821 is a
"standard". The distinction is... well, open to interpretation and
argument, but whether you like it or not, software will rely on
obscure details of old standards (like 821) until there is a pressing
need to abandon them. Removing this query may not cause problems for
your system, but could very well cause random problems that are hard
to anticipate, particularly in the general case.

> My intuition is that users/sites no longer rely on this
> functionality. As a quick experiment, I setup box.x.dempsky.org with
> a CNAME record pointing to dempsky.org and tried sending an email to
> matthew [at] box via gmail. The message bounced rather
> than being rewritten to matthew [at] dempsky

Gmail is NOT the benchmark of correct email implementations. For
example, their IMAP implementation has some rather flagrant and
egregious errors in handling character set encoding (i.e. they emit
invalid encodings in certain situations). It is not surprising to me
that their SMTP implementation has flaws as well.

Keep in mind what Gmail is used for: personal email, usually from one
person to another. General-purpose email has many other use-cases,
including a wide variety of automated messages (NNTP gateways, SMS
notification, log monitoring, etc.) that will never rely on Gmail's
correctness, but can easily rely on qmail/sendmail/postfix's
correctness.

Quick tests like this are not sufficient basis for changing behavior.
See the eternal argument about greeting error codes
(http://www.memoryhole.net/qmail/#rfc2821) if you want to be reminded
of what can happen when we base email policy on an
implementation-specific behavior.

~Kyle
- --
Racism is man's greatest threat to man---the maximum of hatred for a
minimum of reason.
-- Abraham Joshua Heschel


matthew at dempsky

Jul 6, 2009, 11:12 AM

Post #12 of 16 (4062 views)
Re: Oversize DNS patch - obsolete? [In reply to]

On Mon, Jul 6, 2009 at 10:06 AM, Kyle Wheeler<kyle-qmail [at] memoryhole> wrote:
> but can easily rely on qmail/sendmail/postfix's correctness.

Postfix hasn't done this in over 6 years, according to the changelog:

[Incompat 20021209] The Postfix SMTP client no longer expands CNAMEs
in MAIL FROM or RCPT TO addresses (as permitted by RFC 2821). This
eliminates one DNS lookup per sender and recipient, and can make
a dramatic difference when sending mailing list mail via a relayhost.

Sendmail has a DontExpandCnames option, though it's off by default.


amb-1166294724 at bradfords

Jul 14, 2009, 8:43 PM

Post #13 of 16 (3923 views)
Re: Oversize DNS patch - obsolete? [In reply to]

Thus said Markus Stumpf on Sun, 05 Jul 2009 20:32:23 +0200:

> As DNSSEC gets more widely used you will see more and more of those.
> ANY answers the size of 2-3K will become standard.

I honestly hope/believe that DNSSEC will never be widely adopted. I'm
also hoping that DNSCurve will win out since it seems to be superior on
many fronts.

Of course I always run dnscache on any qmail server, so large packets
are not an issue anyway.

Andy
--
[-----------[system uptime]--------------------------------------------]
9:43pm up 16 min, 1 user, load average: 1.11, 1.14, 0.83


kyle-qmail at memoryhole

Jul 14, 2009, 9:05 PM

Post #14 of 16 (3941 views)
Re: Oversize DNS patch - obsolete? [In reply to]

On Tuesday, July 14 at 09:43 PM, quoth Andy Bradford:
> Of course I always run dnscache on any qmail server, so large
> packets are not an issue anyway.

That's not true.

It *is* true that dnscache strips out unnecessary information from DNS
responses, so its answers are typically smaller and allow you to avoid
the problem in many cases. Historically, using dnscache has mitigated
the large-packet issue for most people because of this trimming.

But dnscache is NOT a cure-all that relieves clients (e.g. qmail) of
any need to deal with large responses. For something like the
mountaingeardirect.com issue, for example, dnscache is REQUIRED to
provide the full response to the query.

Prove it to yourself:

dig mountaingeardirect.com mx @127.0.0.1

Here's what I get:

[snip]
;; Query time: 21 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 14 22:52:23 2009
;; MSG SIZE rcvd: 5498

I got every last one of those 5498 bytes. I *have* to; otherwise
dnscache would be considered broken. It would be unable to handle
perfectly legal large records (including DNSSEC records, or whatever
else people choose to put into DNS someday).

The 512-byte limit that qmail assumes is a UDP limit, not a DNS limit
(in fact, the DNS RFC explicitly points out that the TCP length is a
two-byte field for extra large packets). Since DNS can be transmitted
over TCP to avoid that packet size limit, large responses are
perfectly legal (if somewhat absurd and annoying).

Strictly speaking, vanilla qmail's limitation to using only 512 bytes
worth of DNS is a *bug*. It's a bug that is typically only triggered
when someone does something really stupid with their DNS setup, but it
is a bug. Large DNS responses are legal, no matter how goofy they are.

~Kyle
- --
The borrower is the slave of the lender.
-- Proverbs 22:7


amb-1166294724 at bradfords

Jul 15, 2009, 6:22 PM

Post #15 of 16 (3907 views)
Re: Oversize DNS patch - obsolete? [In reply to]

Thus said Kyle Wheeler on Tue, 14 Jul 2009 23:05:06 CDT:

> It *is* true that dnscache strips out unnecessary information from DNS
> responses, so its answers are typically smaller and allow you to avoid
> the problem in many cases. Historically, using dnscache has mitigated
> the large-packet issue for most people because of this trimming.

Right, and even qmail.org mentions that it is only a mitigating option
to use dnscache, however, in 10 years of practical use, I don't recall
ever having had an issue with it (I've never used the patch). Are there
any legitimate domains (I would agree with you that this domain probably
doesn't deserve mail) that have problems with qmail+dnscache?

> The 512-byte limit that qmail assumes is a UDP limit, not a DNS limit
> (in fact, the DNS RFC explicitly points out that the TCP length is a
> two-byte field for extra large packets). Since DNS can be transmitted
> over TCP to avoid that packet size limit, large responses are
> perfectly legal (if somewhat absurd and annoying).

Actually, /usr/include/arpa/nameser.h defines the packet size as 512:

/*
* Define constants based on rfc883
*/
#define PACKETSZ 512 /* maximum packet size */

Granted, RFC883 is outdated, but modern *nix do still include this file.
What would be the implications of simply changing the arrays to use a
larger buffer:

#define MYPACKETSZ 65536

static union { HEADER hdr; unsigned char buf[MYPACKETSZ]; } response;

Would this be sufficient?

> Strictly speaking, vanilla qmail's limitation to using only 512 bytes
> worth of DNS is a *bug*. It's a bug that is typically only triggered
> when someone does something really stupid with their DNS setup, but it
> is a bug. Large DNS responses are legal, no matter how goofy they are.

Yet, presumably, if arpa/nameser.h were for some reason updated with a
new PACKETSZ definition, would it still be a problem? I imagine that
qmail is not the only program that depends on PACKETSZ so this could
have far reaching effects...

As a test, I tried to send a few emails to that domain, and they didn't
result in CNAME lookup failures (temp_dnscanon()). They did, however,
result in host not found errors (temp_dns()).

Andy
--
[-----------[system uptime]--------------------------------------------]
7:22pm up 19 min, 1 user, load average: 1.03, 1.08, 0.83


kyle-qmail at memoryhole

Jul 16, 2009, 7:49 AM

Post #16 of 16 (3903 views)
Re: Oversize DNS patch - obsolete? [In reply to]

On Wednesday, July 15 at 07:22 PM, quoth Andy Bradford:
> Right, and even qmail.org mentions that it is only a mitigating
> option to use dnscache, however, in 10 years of practical use, I
> don't recall ever having had an issue with it (I've never used the
> patch). Are there any legitimate domains (I would agree with you
> that this domain probably doesn't deserve mail) that have problems
> with qmail+dnscache?

I'm not aware of any *currently*, but that doesn't mean that they
don't exist.

>> The 512-byte limit that qmail assumes is a UDP limit, not a DNS
>> limit (in fact, the DNS RFC explicitly points out that the TCP
>> length is a two-byte field for extra large packets). Since DNS can
>> be transmitted over TCP to avoid that packet size limit, large
>> responses are perfectly legal (if somewhat absurd and annoying).
>
> Actually, /usr/include/arpa/nameser.h defines the packet size as 512:
>
> /*
> * Define constants based on rfc883
> */
> #define PACKETSZ 512 /* maximum packet size */

I recognize that, but nameser.h is being misinterpreted. I can read
the RFC, and RFC 883 *does* indicate that packets can be bigger. The
number 512 shows up in only a few places in the RFC. Page 11 ("Query
and response transport") is talking about DNS "datagram service",
which is by definition a connectionless communication protocol (in
other words, UDP). There it says:

Hence datagram messages are limited to 512 octets.

But nowhere does it say that "virtual circuit" (i.e. a TCP connection)
communication has such a limit.

And when you think about it, what is the point of the TC bit
(TrunCation, page 26) if not to indicate that sometimes DNS responses
need to be larger than 512 bytes?

> Granted, RFC883 is outdated, but modern *nix do still include this file.

RFC 883 may be outdated, but it's still CORRECT. PACKETSZ only applies
when you are considering *packets*, which the client almost never
should. PACKETSZ does not apply to general DNS responses.

> What would be the implications of simply changing the arrays to use a
> larger buffer:
>
> #define MYPACKETSZ 65536
>
> static union { HEADER hdr; unsigned char buf[MYPACKETSZ]; } response;
>
> Would this be sufficient?

In qmail's dns.c? Yes, that'd be sufficient. But it would also be
wasteful. MOST of the time you don't need that much buffer space for
DNS operations. That's why the much-discussed patch resizes that
buffer as necessary.

> Yet, presumably, if arpa/nameser.h were for some reason updated with
> a new PACKETSZ definition, would it still be a problem? I imagine
> that qmail is not the only program that depends on PACKETSZ so this
> could have far reaching effects...

The problem is not that PACKETSZ is the wrong size, but more
accurately that PACKETSZ is being misused. Qmail (and maybe even most
programs that use PACKETSZ) is assuming that PACKETSZ has some sort of
impact on the output of the res_query function. In other words,
they're assuming that all DNS responses fit into a single (UDP)
packet. That's an invalid assumption. PACKETSZ is still the correct
size of a single (datagram) packet, which is all it ever claimed to
be. The problem is the assumption that DNS responses are never any
bigger than a single packet. (I know I'm repeating myself there, but I
haven't had my coffee yet this morning.)

~Kyle
- --
Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are, by
definition, not smart enough to debug it.
-- Brian Kernighan
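The grow-and-retry approach Kyle describes (start with a PACKETSZ buffer, enlarge it when the answer does not fit, rather than a fixed 64 KiB union), written out as an added example that is neither qmail's dns.c nor the ckdhr patch. A stub, fake_res_query, stands in for res_query(3) so the block runs offline; its cut-to-buffer-and-set-TC behaviour is modelled on what libresolv's res_send does when a TCP answer exceeds the caller's buffer. fake_res_query, resolve_growing and lookup_len are names assumed here, and the 2548-byte answer is constructed, sized after the openswan.org ANY reply quoted earlier in the thread.

```c
#include <stdlib.h>
#include <string.h>

#define DNS_HDRLEN 12
#define TC_BIT     0x02   /* TrunCation flag: bit 1 of header byte 2 */
#define UDP_PKTSZ  512    /* PACKETSZ: one datagram, vanilla qmail's whole buffer */
#define MAXBUF     65536  /* DNS over TCP has a 16-bit length prefix: hard ceiling */

/* Constructed stand-in for an authoritative answer of a chosen size.
 * Only the header matters for the example; the body is filler. */
static unsigned char *fake_answer;
static size_t fake_answer_len;

static int build_fake_answer(size_t len) {
    if (len < DNS_HDRLEN) return -1;
    free(fake_answer);
    if (!(fake_answer = malloc(len))) return -1;
    memset(fake_answer, 'x', len);
    memset(fake_answer, 0, DNS_HDRLEN);
    fake_answer[0] = 0x12; fake_answer[1] = 0x34;  /* ID */
    fake_answer[2] = 0x84;                         /* QR=1 AA=1 TC=0 */
    fake_answer[5] = 1;  fake_answer[7] = 21;      /* QDCOUNT 1, ANCOUNT 21 */
    fake_answer_len = len;
    return 0;
}

/* Stands in for res_query(3): a reply larger than the caller's buffer is
 * cut to buflen and TC is set in the copy. Returns the bytes stored. */
static int fake_res_query(unsigned char *buf, int buflen) {
    if (fake_answer_len > (size_t)buflen) {
        memcpy(buf, fake_answer, (size_t)buflen);
        buf[2] |= TC_BIT;
        return buflen;
    }
    memcpy(buf, fake_answer, fake_answer_len);
    return (int)fake_answer_len;
}

/* Start at one datagram and double until the answer arrives untruncated.
 * Returns the answer length and hands the buffer over, or -1 on failure. */
static int resolve_growing(unsigned char **bufp, size_t *bufsizp) {
    size_t sz = UDP_PKTSZ;
    unsigned char *buf = malloc(sz), *nbuf;
    if (!buf) return -1;
    for (;;) {
        int r = fake_res_query(buf, (int)sz);
        if (r < DNS_HDRLEN) { free(buf); return -1; }
        /* Accept only "shorter than the buffer and TC clear"; a reply that
         * fills the buffer exactly costs one extra round trip, never data. */
        if (r < (int)sz && !(buf[2] & TC_BIT)) { *bufp = buf; *bufsizp = sz; return r; }
        if (sz >= MAXBUF) { free(buf); return -1; }   /* cannot exist on the wire */
        sz *= 2;
        if (!(nbuf = realloc(buf, sz))) { free(buf); return -1; }
        buf = nbuf;
    }
}

/* Driver: resolve a constructed answer of `len` bytes; the buffer size
 * that finally held it is left in last_bufsiz (0 on failure). */
static size_t last_bufsiz;
static int lookup_len(size_t len) {
    unsigned char *buf = NULL; int r;
    last_bufsiz = 0;
    if (build_fake_answer(len) < 0) return -1;
    r = resolve_growing(&buf, &last_bufsiz);
    free(buf);
    return r;
}
```

For the 2548-byte answer the buffer grows 512, 1024, 2048, 4096 before the reply is accepted; anything the 64 KiB ceiling cannot hold is reported as a failure rather than silently cut.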
