tech-userlevel archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: stack overflow in getaddrinfo(3) with a small-sized stack in pthreads
> Joerg Sonnenberger wrote in
> <YaT9P6a+AlEm3w7h%bec.de@localhost>:
> |On Mon, Nov 29, 2021 at 08:38:35PM +0700, Robert Elz wrote:
> |> DNS queries (via UDP) are limited to max 512, as that is what the
> |> protocol always required, so can be handled by everything (or should be).
That disregards EDNS0, which in the DNS "in general" is pretty
much universally supported these days. After all, it's nearly 20
years since it was standardized IIRC.
> RFC 1035 says
>
> 2.3.4. Size limits
> ...
> UDP messages 512 octets or less
>
> If no EDNS is in use the answer should be pretty small also.
> Also see RFC 2671, but i have forgotten about all that.
I thought I would just interject here on a tangent that our
resolv.conf has the possibility to have 'options edns0', which, BTW,
is required if you really want ssh to trust DNSSEC-signed SSH
fingerprints from the DNS to reduce the "trust-on-first-use" problem
SSH otherwise has. So having a fixed-size buffer of 512 bytes for
"DNS answers" to cover all cases is not going to work.
Oh, yes, our documentation of the "edns0" option says it uses it to
inform the DNS server of the receive buffer size, but the user is by
the looks of it not given any lever to influence that buffer size,
which, if recollection serves, is recommended not to have a size
larger than 1280 or thereabouts to avoid fragmentation.
Regards,
- Håvar
Home |
Main Index |
Thread Index |
Old Index