From Fedora Project Wiki
Line 75: Line 75:
  
 
Add a new directive to specify a trusted name server.
 
Add a new directive to specify a trusted name server.
 +
Drawbacks: Old applications that parse this file may choke on the new directive.
  
 
Example:
 
Example:

Revision as of 08:34, 29 July 2014

The standard C library provides a number of functions related to host and service name resolution and DNS information retrieval. The former are mainly intended to support applications when connecting to services while the latter gives them access to additional DNS information.

Name resolution for libraries

Problem statement

Current versions of glibc offer the getaddrinfo() function, res_*() functions and _res.options. The former two are used for host and service name resolution and for DNS record retrieval, respectively. While this works well for applications, libraries may need to tweak the configuration without affecting the application. Basically, the configuration needs to be specific to the caller and the caller needs to be able to provide the configuration when performing host/service name resolution and DNS record retrieval.

Example use case

A cryptographic library may want to configure the resolver so that it only receives records secured by DNSSEC. The same library may also want to perform ordinary name resolution where records not secured by DNSSEC are returned as well. None of the configuration should ever affect the running application, therefore three different configuration contexts are needed.

Possible solution

For each libc library function that uses the shared context, provide a new function that would accept an opaque pointer to a specific context object. We also need to provide a set of functions to create and configure the context object.

Existing solutions

For example, netresolve provides a context object and allows for all sorts of name resolution backends including DNS.

Examples:

Notes

A global context could still be available and the classic getaddrinfo() function could call the new function with the global context.

The application and the libraries can be single-threaded as well as multi-threaded. Any solutions using thread local storage are therefore not generally suitable.

File descriptor based non-blocking API

Problem statement

The libc socket API allows for both blocking and non-blocking usage, thus being useful in all sorts of single threaded and multi-threaded applications and libraries. This doesn't apply to the libc name resolution API which is strictly blocking from top to bottom. Unfortunately this also applies to the nsswitch backend API.

Solutions

Add a new non-blocking API for applications and a new non-blocking API for nsswitch backends.

Open questions

What to do with nsswitch backends that don't support the new API, yet?

Existing solutions

For example, netresolve provides a file descriptor based non-blocking API.

Examples:

Trusted validating name servers

Problem statement

The current glibc implicitly trusts all name servers specified in /etc/resolv.conf and the res_* functions pass the AD flag to calling applications. This tricks applications into believing validation results of random servers recieved through DHCP and other means. If the requested DNS record was for example TLSA, the application (or a security library) is tricked into believing that the key data are secured by DNSSEC and have been properly validated.

Solution 1

Add a new directive to /etc/resolv.conf specifying that the listed nameservers are trusted.

Example:

nameserver 1.2.3.4
nameserver 5.6.7.8
trusted-nameservers

Solution 2

Add a new directive to specify a trusted name server. Drawbacks: Old applications that parse this file may choke on the new directive.

Example:

nameserver 1.2.3.4
nameserver 5.6.7.8
trusted-nameserver 1.2.3.4
trusted-nameserver 5.6.7.8

Secure only mode for name resolution

Problem statement

An application or a security library may want to perform a DNS information query in a secure only mode where only results secured by DNSSEC and validated by a trusted name server are returned.

Use case

A security library requests the TLSA record but only cares about one that is secured by DNSSEC and successfully validated.

Proposed solution

Add a resolver configuration option to only return results secured by DNSSEC.

Resolve a host name to a list of network layer addresses

Problem statement

The getaddrinfo API as implemented in glibc doesn't provide a replacement for gethostbyname, i.e. an API that would return a list of network layer addresses for a host name.

Use cases

  • IP-based access lists
  • Network layer testing tools
  • Any tools working with non-TCP non-UDP protocols
  • Possibly even tools working with TCP and UDP

Input parameters

  • host
  • family (AF_UNSPEC, AF_INET, AF_INET6)

Output parameters

  • List of sockaddr style addresses (zero ports, zero protocols, etc)
  • Canonical name (why?)

Resources