#
373da8ab |
| 20-Nov-2023 |
florian <florian@openbsd.org> |
localhost is either 127.0.0.1 or ::1, nothing else.
RFC 6761, 6.3 Domain Name Reservation Considerations for "localhost.": 3. Name resolution APIs and libraries SHOULD recognize localhost names as special and SHOULD always return the IP loopback address for address queries and negative responses for all other query types. Name resolution APIs SHOULD NOT send queries for localhost names to their configured caching DNS server(s).
This makes sure that the getaddrinfo(3) and gethostbyname(3) family of functions always return the loopback address and do not send queries to name servers. This includes "localhost", "localhost." and everything under ".localhost" and ".localhost.".
For example, a host underneath the .com.ar zone will by default have a search list of "com.ar.". resolv.conf(5) has a default of "lookup bind file". Both combined will result in lookups for "localhost" to not return 127.0.0.1 because localhost.com.ar is registered in DNS.
It has been known for decades that this is a problem, especially for localhost.
Problem recently spotted by gonzalo@ and debugged by sthen@
Testing sthen, gonzalo Input & OK phessler, eric, millert OK sthen, kn, deraadt
|
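The rule the commit above describes, as an added stand-alone example for this page (not code from libc/asr): a name is treated as special when it is "localhost", "localhost.", or anything under ".localhost" or ".localhost.", and such a name is answered with the loopback addresses locally instead of being appended to the search list and sent to a name server. The "com.ar." search domain and the single-label (ndots=1) rule in classify_lookup() are simplifications chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Added illustration of the RFC 6761 section 6.3 rule: "localhost",
 * "localhost.", and every name under ".localhost" or ".localhost." is
 * special and must never reach the configured name servers.
 */
int
is_localhost_name(const char *name)
{
	size_t len = strlen(name);

	/* Accept the fully-qualified form by ignoring one trailing dot. */
	if (len > 0 && name[len - 1] == '.')
		len--;
	if (len == 0)
		return 0;
	/* The whole name is "localhost" (DNS names are case-insensitive). */
	if (len == 9 && strncasecmp(name, "localhost", 9) == 0)
		return 1;
	/* At least one label in front of ".localhost". */
	if (len > 10 && name[len - 10] == '.' &&
	    strncasecmp(name + len - 9, "localhost", 9) == 0)
		return 1;
	return 0;
}

/*
 * What a resolver with a search list would do with NAME.  Returns 1 when
 * the answer is produced locally (out holds the loopback addresses) and 0
 * when a DNS query would go out (out holds the query name; a single-label
 * name gets the search domain appended, as in the commit's "com.ar."
 * example).  The ndots=1 rule is a simplification for this example.
 */
int
classify_lookup(const char *name, const char *search, char *out, size_t outlen)
{
	if (is_localhost_name(name)) {
		snprintf(out, outlen, "127.0.0.1 ::1");
		return 1;
	}
	if (strchr(name, '.') == NULL && search != NULL && *search != '\0')
		snprintf(out, outlen, "%s.%s", name, search);
	else
		snprintf(out, outlen, "%s", name);
	return 0;
}

int
main(void)
{
	/* Inputs constructed for the example. */
	const char *names[] = { "localhost", "localhost.", "foo.localhost",
	    "www", "localhost.com.ar" };
	char out[256];
	size_t i;

	for (i = 0; i < sizeof names / sizeof names[0]; i++) {
		int local = classify_lookup(names[i], "com.ar.", out, sizeof out);
		printf("%-18s -> %s %s\n", names[i],
		    local ? "loopback:" : "DNS query for", out);
	}
	return 0;
}
```

Note that "localhost.com.ar" is deliberately not special: only the reserved names are short-circuited, and a host that is explicitly named under a real zone still goes to DNS. The defect the commit fixes is the opposite direction, where "localhost" itself acquired the search domain.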
#
1b04c78c |
| 17-Nov-2022 |
florian <florian@openbsd.org> |
Restrict what getaddrinfo(3) is willing to try to resolve.
Programs assume that a successful call to getaddrinfo(3) validates the input as "safe", but that's not true. Characters like '$', '`', '\n' or '*' can traverse the DNS without problems, but have special meaning, for example a shell.
There is a function res_hnok() already in libc, but it validates if a string is a host name, which is too strict in practice. For example foo-.example.com is not a valid host name, but is used on the Internet.
Posix has this to say: "The getaddrinfo() function shall translate the name of a service location (for example, a host name)"
It hints that the input should be a host name, but it does not restrict it to it.
This introduces a function hnok_lenient() which restricts the input to getaddrinfo(3) to the set [A-z0-9-_.]. Additionally two consecutive dots ('.') are not allowed nor can the string start with - or '.'.
glibc introduced a similar restriction years ago, so this should not cause problems.
It has been known in the DNS community for years, probably decades, that getaddrinfo(3) is too lenient in what it accepts, but it has always been kicked down the road as "not a DNS problem". Unfortunately this information never made it out of the DNS community and no coordinated effort happened to have this addressed in operating systems.
David Leadbeater recently demonstrated how ssh(1) and ftp(1) are too trusting with what getaddrinfo(3) accepts. Both have been fixed independently of this.
Input deraadt, eric OK millert, deraadt
|
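The acceptance rules listed in the commit message above, as an added example written for this page (it is not the libc hnok_lenient() function): letters, digits, '-', '_' and '.' only, no leading '-' or '.', and no two consecutive dots, so strings carrying shell metacharacters such as '$', '`', '*' or a newline are rejected before any query is built, while a name like foo-.example.com that fails the strict host-name check still passes. The character test is done on ASCII byte values so it does not depend on the locale; treating the empty string as invalid is an assumption of this example.

```c
#include <stdio.h>

/* Locale-independent check for the character set [A-Za-z0-9-_.]. */
static int
hostchar(int c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	    (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
}

/*
 * Added illustration of the lenient validation rules, not libc's own
 * function.  Returns 1 if DN is acceptable as getaddrinfo(3) input
 * under those rules, 0 otherwise.
 */
int
hnok_lenient_example(const char *dn)
{
	int prev = '\0', c;

	if (dn == NULL || *dn == '\0')	/* empty: assumption of this example */
		return 0;
	for (; (c = (unsigned char)*dn) != '\0'; dn++) {
		if (prev == '\0' && (c == '-' || c == '.'))
			return 0;	/* may not start with '-' or '.' */
		if (prev == '.' && c == '.')
			return 0;	/* empty label */
		if (!hostchar(c))
			return 0;	/* '$', '`', '*', '\n', ' ', high bytes ... */
		prev = c;
	}
	return 1;
}

int
main(void)
{
	/* Inputs constructed for the example; the last four are the kind of
	 * strings that traverse the DNS fine but mean something to a shell. */
	const char *inputs[] = {
		"foo-.example.com", "my_host.example.com", "example.com.",
		"-foo.example.com", "foo..example.com", "$(id).example.com",
		"`id`.example.com", "*.example.com", "host name",
	};
	size_t i;

	for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
		printf("%-22s %s\n", inputs[i],
		    hnok_lenient_example(inputs[i]) ? "accepted" : "rejected");
	return 0;
}
```

A caller that hands a resolved name to another program (the ssh(1) and ftp(1) cases the commit mentions) should still treat it as untrusted data: this check removes metacharacters, it does not make the string safe to interpolate into a command line.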
#
b5afe704 |
| 28-Apr-2018 |
schwarze <schwarze@openbsd.org> |
To allow us to get rid of /etc/networks, make getnetby*(3) wrappers around gethostby*_async(3). If you had anything of importance in /etc/networks, specify it in /etc/hosts instead. Feedback and OK eric@, OK deraadt@
|
#
d4d39a6f |
| 27-Feb-2017 |
jca <jca@openbsd.org> |
Add support for RES_USE_DNSSEC
RES_USE_DNSSEC is implemented by setting the DNSSEC DO bit in outgoing queries. The resolver is then supposed to set the AD bit in the reply if it managed to validate the answer through DNSSEC. Useful when the application doesn't implement validation internally. This scheme assumes that the validating resolver is trusted and that the communication channel between the validating resolver and the client is secure.
ok eric@ gilles@
|
#
3aff1a83 |
| 27-Feb-2017 |
jca <jca@openbsd.org> |
Recognize and allow bits AD and CD in DNS replies.
Needed for RES_USE_DNSSEC support.
ok eric@ gilles@
|
#
abe78e02 |
| 27-Feb-2017 |
jca <jca@openbsd.org> |
Put a common flags field in the query struct, rather than in some elements of the union.
This field is for internal asr flags. The flags in "struct rrset" and "struct ni" are different kinds of flags.
ok eric@
|
#
f6f51dad |
| 23-Feb-2017 |
eric <eric@openbsd.org> |
Put a common subq pointer in the query struct, rather than one in each element of the union.
ok gilles@ millert@ krw@
|
#
2aa4cd21 |
| 18-Feb-2017 |
jca <jca@openbsd.org> |
Add EDNS0 support.
EDNS allows for various DNS extensions, among which UDP DNS packet sizes bigger than 512 bytes. The default is still to not advertise anything.
ok eric@
|
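The three wire-format details behind the EDNS0, AD/CD and RES_USE_DNSSEC commits above (2aa4cd21, 3aff1a83, d4d39a6f), as one added example written for this page rather than asr's own code: an EDNS0 OPT pseudo-RR is appended to the additional section of a query, its CLASS field advertises the UDP payload size, the DO bit lives in the high bit of its TTL field, and a validating resolver reports its result through the AD (and CD) flags of the reply header. The function names, the choice to keep the OPT RR last in the packet, and the sample reply headers are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_FLAG_RD	0x0100
#define DNS_FLAG_AD	0x0020	/* Authentic Data: resolver validated the answer */
#define DNS_FLAG_CD	0x0010	/* Checking Disabled */
#define DNS_TYPE_OPT	41
#define EDNS_DO		0x8000	/* DNSSEC OK, high bit of the OPT RR's TTL field */

static size_t put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; return 2; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Encode a dotted name as DNS labels; returns bytes written, 0 on error. */
static size_t
encode_name(const char *name, uint8_t *out, size_t outlen)
{
	size_t n = 0;

	while (*name != '\0') {
		const char *dot = strchr(name, '.');
		size_t l = dot != NULL ? (size_t)(dot - name) : strlen(name);

		if (l == 0 || l > 63 || n + 1 + l + 1 > outlen || n + 1 + l > 254)
			return 0;	/* empty label, label or name too long */
		out[n++] = (uint8_t)l;
		memcpy(out + n, name, l);
		n += l;
		name += l + (dot != NULL);
	}
	if (n + 1 > outlen)
		return 0;
	out[n++] = 0;
	return n;
}

/*
 * Build a query for QNAME/QTYPE with one OPT RR advertising UDP_PAYLOAD
 * bytes and, if DNSSEC_OK, the DO bit.  Returns the packet length, 0 on error.
 */
size_t
build_edns_query(uint8_t *buf, size_t buflen, uint16_t id, const char *qname,
    uint16_t qtype, uint16_t udp_payload, int dnssec_ok)
{
	size_t n = 0, l;

	if (buflen < 12 + 255 + 4 + 11)	/* header, max name, qtype/qclass, OPT */
		return 0;
	n += put16(buf + n, id);
	n += put16(buf + n, DNS_FLAG_RD);
	n += put16(buf + n, 1);		/* QDCOUNT */
	n += put16(buf + n, 0);		/* ANCOUNT */
	n += put16(buf + n, 0);		/* NSCOUNT */
	n += put16(buf + n, 1);		/* ARCOUNT: the OPT pseudo-RR */
	if ((l = encode_name(qname, buf + n, buflen - n)) == 0)
		return 0;
	n += l;
	n += put16(buf + n, qtype);
	n += put16(buf + n, 1);		/* CLASS IN */
	buf[n++] = 0;			/* OPT owner name: root */
	n += put16(buf + n, DNS_TYPE_OPT);
	n += put16(buf + n, udp_payload);	/* CLASS carries the UDP size */
	buf[n++] = 0;			/* extended RCODE */
	buf[n++] = 0;			/* EDNS version 0 */
	n += put16(buf + n, dnssec_ok ? EDNS_DO : 0);
	n += put16(buf + n, 0);		/* RDLENGTH: no options */
	return n;
}

/*
 * Read the DO bit back from a query built above.  The example keeps the
 * OPT RR last, so only the final 11 bytes are inspected.  Returns 1 if DO
 * is set, 0 if not, -1 if there is no well-formed OPT RR there.
 */
int
edns_do_bit(const uint8_t *pkt, size_t len)
{
	const uint8_t *opt;

	if (len < 12 + 11)
		return -1;
	opt = pkt + len - 11;
	if (opt[0] != 0 || get16(opt + 1) != DNS_TYPE_OPT || get16(opt + 9) != 0)
		return -1;
	return (get16(opt + 7) & EDNS_DO) != 0;
}

/*
 * Inspect a reply header the way an RES_USE_DNSSEC caller would: AD means
 * the (trusted) validating resolver authenticated the data, CD means
 * checking was disabled.  Returns the RCODE, or -1 if the packet is short.
 */
int
reply_flags(const uint8_t *pkt, size_t len, int *ad, int *cd)
{
	uint16_t flags;

	if (len < 12)
		return -1;
	flags = get16(pkt + 2);
	*ad = (flags & DNS_FLAG_AD) != 0;
	*cd = (flags & DNS_FLAG_CD) != 0;
	return flags & 0x000f;
}
```

Usage: build_edns_query(buf, sizeof buf, id, "www.example.com", 1, 4096, 1) produces a 44-byte A query with DO set; reply_flags() on the response header then tells you whether AD came back. As the d4d39a6f message says, AD is only evidence of validation if the path to the validating resolver is itself trusted; over plain UDP to an arbitrary upstream the bit can be set by anyone on the path.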
#
92f75510 |
| 17-Feb-2017 |
eric <eric@openbsd.org> |
use common errnos instead of random strings as error indicators in pack/unpack contexts.
ok krw@ deraadt@
|
#
bbd2633a |
| 18-Dec-2016 |
krw <krw@openbsd.org> |
Remove prototype for static function _asr_resolver. Eliminates gcc whining about undefined static in all the .c files that include asr_private.h. _asr_resolver() is defined and used in asr.c only.
ok kettenis@
|
#
8031c0b5 |
| 20-Aug-2016 |
jca <jca@openbsd.org> |
Declare all _asr_* debug functions as hidden.
Reported by & similar diff by guenther@ some time ago, ok eric@
|
#
c126605f |
| 16-Dec-2015 |
deraadt <deraadt@openbsd.org> |
Remove support for HOSTALIASES from the resolver. This "open and parse any file indicated by an environment variable" feature inside the resolver is incompatible with what pledge "dns" is trying to be. It is a misguided "feature" added way back in history which almost no one uses, but everyone has to assume the risk from. ok eric florian kettenis
|
#
59f710d8 |
| 23-Nov-2015 |
deraadt <deraadt@openbsd.org> |
Remove support for "lookup yp" in /etc/resolv.conf. This historical wart is incompatible with pledge, because suddenly a "dns" operation needs "getpw" access to ypbind/ypserv, etc. file + dns access is enough for everyone, sorry if you were using that old SunOS 4.x style mechanism, but it is now gone. ok semarie millert florian
|
#
83d312d6 |
| 28-Oct-2015 |
eric <eric@openbsd.org> |
We are always using _PATH_RESCONF, so no need to remember the path on the resolver.
ok millert@ deraadt@
|
#
656b8d51 |
| 07-Oct-2015 |
deraadt <deraadt@openbsd.org> |
getaddrinfo_async() shouldn't unconditionally initialize the resolver via _asr_use_resolver(). If the hint specifies AI_NUMERICHOST, create a transient lookup context which won't try to open /etc/resolv.conf ok eric guenther
|
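The caller-side view of the AI_NUMERICHOST case discussed above, as an added example for this page (not asr code): with that flag getaddrinfo(3) accepts only address literals and fails non-literal names with EAI_NONAME without consulting /etc/hosts or DNS, which is the property a program wants when it must not trigger a lookup. The function name and the sample inputs are assumptions of the example; the round trip through getnameinfo(3) with NI_NUMERICHOST is likewise lookup-free.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Added illustration: resolve HOST only if it is a numeric address
 * literal.  Returns 0 and fills OUT (canonical text form) and FAMILY on
 * success, or the getaddrinfo(3)/getnameinfo(3) error code.  Because
 * AI_NUMERICHOST is set, no name service of any kind is consulted.
 */
int
numeric_host_only(const char *host, char *out, size_t outlen, int *family)
{
	struct addrinfo hints, *res;
	int rc;

	memset(&hints, 0, sizeof hints);
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_NUMERICHOST;	/* literals only, no lookup */
	if ((rc = getaddrinfo(host, NULL, &hints, &res)) != 0)
		return rc;			/* EAI_NONAME for "localhost" etc. */
	rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, (socklen_t)outlen,
	    NULL, 0, NI_NUMERICHOST);
	*family = res->ai_family;
	freeaddrinfo(res);
	return rc;
}

int
main(void)
{
	/* Inputs constructed for the example (documentation prefixes). */
	const char *inputs[] = { "192.0.2.1", "2001:DB8::1", "localhost",
	    "www.example.com" };
	char out[64];
	int fam, rc;
	size_t i;

	for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
		rc = numeric_host_only(inputs[i], out, sizeof out, &fam);
		if (rc == 0)
			printf("%-16s -> %s (%s)\n", inputs[i], out,
			    fam == AF_INET6 ? "AF_INET6" : "AF_INET");
		else
			printf("%-16s -> refused: %s\n", inputs[i], gai_strerror(rc));
	}
	return 0;
}
```

The same flag is the right tool whenever a program has already decided a string is an address (a configured peer, a value parsed from a packet) and wants the parsing without the side effects of resolver initialization, file reads or network traffic.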
#
cbd0a9fa |
| 03-Oct-2015 |
deraadt <deraadt@openbsd.org> |
Initially eric developed asr as a side-load style library for async DNS. When it was integrated as the main resolver, a bunch of strange initialization code remained. Start whittling away at this, piece by piece, to make it more clear. ok eric
|
#
55f55055 |
| 03-Oct-2015 |
eric <eric@openbsd.org> |
missing asr* -> _asr* symbol rename for building with debug code
ok jca@
|
#
253ef892 |
| 09-Sep-2015 |
deraadt <deraadt@openbsd.org> |
Hide all unnecessary asr / resolver related API with _ prefixes. direction & ok guenther
|
#
134ba205 |
| 20-Jun-2015 |
jca <jca@openbsd.org> |
Rename print_sockaddr() to avoid symbol visibility problems
print_sockaddr is internal to asr, and conflicts with ports/net/samba4.
ok eric@
|
#
5aaab171 |
| 04-Jun-2015 |
eric <eric@openbsd.org> |
make sure to check for resolv.conf update the first time the resolver is used after pid has changed.
ok deraadt@
|
#
f108579b |
| 29-May-2015 |
eric <eric@openbsd.org> |
fix a possible off-by-one when reading /etc/hosts if it doesn't end with a newline.
ok jca@
|
#
d2d7f9c9 |
| 26-May-2015 |
eric <eric@openbsd.org> |
simply use _PATH_HOSTS where appropriate
|
#
8b59b78c |
| 14-Feb-2015 |
jca <jca@openbsd.org> |
Limit AI_ADDRCONFIG effects to DNS queries.
This is what RFC 2553 initially described, sadly RFC 3493 stopped limiting scope to DNS. This can result in nonsensical failures with loopback addresses, link-local addresses, raw addresses and /etc/hosts entries.
with and ok eric@ sperreault@
|
#
e781f56e |
| 17-Apr-2014 |
guenther <guenther@openbsd.org> |
Don't default enable the debug functionality with its unprotected getenv().
ok eric@ sthen@ deraadt@
|
#
5be03f8f |
| 25-Mar-2014 |
eric <eric@openbsd.org> |
Cleanup and simplify the API to be exposed. Use better names for structures, functions and defines.
discussed with and ok deraadt@ guenther@
|