linux-man.vger.kernel.org archive mirror
From: "Stéphane Aulery" <saulery-GANU6spQydw@public.gmane.org>
To: walter harms <wharms-fPG8STNUNVg@public.gmane.org>
Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
	527136-forwarded-61a8vm9lEZVf4u+23C9RwQ@public.gmane.org,
	linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH] resolver.3: documents missing options used by _res structure defined in resolv.h and indicates defaults options
Date: Wed, 11 Mar 2015 00:33:48 +0100
Message-ID: <20150310233348.GA2511@free.fr>
In-Reply-To: <54FECB89.5000401-fPG8STNUNVg@public.gmane.org>

Hello walter,

On Tuesday 10 March 2015 at 11:46:33, walter harms wrote:
> 
> On 09.03.2015 21:44, Stéphane Aulery wrote:
> > Missing options: RES_INSECURE1, RES_INSECURE2, RES_NOALIASES, USE_INET6,
> > ROTATE, NOCHECKNAME, RES_KEEPTSIG, BLAST, USEBSTRING, NOIP6DOTINT, USE_EDNS0,
> > SNGLKUP, SNGLKUPREOP, RES_USE_DNSSEC, NOTLDQUERY, DEFAULT
> > 
> > Written from the glibc source and resolv.conf.5.
> > 
> > Debian bug #527136 reported by Jakub Wilk <ubanus-iA+eEnwkJgzk1uMJSBkQmQ@public.gmane.org>
> > 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=527136
> > Signed-off-by: Stéphane Aulery <saulery-GANU6spQydw@public.gmane.org>
> > ---
> >  man3/resolver.3 | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
> >  1 file changed, 91 insertions(+), 8 deletions(-)
> > 
> > diff --git a/man3/resolver.3 b/man3/resolver.3
> > index 19c4192..06704b1 100644
> > --- a/man3/resolver.3
> > +++ b/man3/resolver.3
> > @@ -197,19 +197,20 @@ which is not the default.
> >  Accept authoritative answers only.
> >  .BR res_send ()
> >  continues until
> > -it finds an authoritative answer or returns an error.  [Not currently
> > -implemented].
> > +it finds an authoritative answer or returns an error.
> > +[Not currently implemented].
> >  .TP
> >  .B RES_USEVC
> >  Use TCP connections for queries rather than UDP datagrams.
> >  .TP
> >  .B RES_PRIMARY
> >  Query primary domain name server only.
> > +[Not currently implemented].
> 
> nitpicking:
>  the phrase is normally "not yet implemented"

That's not me. Can we change it?

> perhaps you can add as a comment what version you have tested to
> give people a hint where to look.

I have not tested. It is written in the code:

https://sourceware.org/git/?p=glibc.git;a=blob;f=resolv/res_debug.c;hb=44a6213c8eebf3f69712a5fba9a33bbb90a79023#l565

For that matter to seek versions, why not just give the version of this
that is implemented? This will be information that does not expire.

> >  .TP
> >  .B RES_IGNTC
> >  Ignore truncation errors.
> > -Don't retry with TCP.  [Not currently
> > -implemented].
> > +Don't retry with TCP.
> > +[Not currently implemented].
> >  .TP
> >  .B RES_RECURSE
> >  Set the recursion desired bit in queries.
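
Review bot: The "[Not currently implemented]." line added under RES_PRIMARY carries no record of the glibc version or source file it was checked against; add a .\" comment next to it naming that, so the claim can be re-verified when glibc changes. The notes under RES_AAONLY and RES_IGNTC are only re-wrapped onto their own line, so the same comment would serve them too.
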
> > @@ -238,10 +239,92 @@ domain and in parent domains.
> >  This option is used by
> >  .BR gethostbyname (3).
> >  [Enabled by default].
> > -.PP
> > -This list is not complete.
> > -You can find some other flags described in
> > -.BR resolv.conf (5).
> > +.TP
> > +.B RES_INSECURE1
> > +Accept a response from a wrong server and show it on standard output
> > +(for debug purpose only).
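
Review bot: The RES_INSECURE1 entry at the end of this hunk says the response is shown on standard output but does not name the condition under which that happens, and it does not tell the reader that setting the option means a reply from a server other than the one queried is accepted as valid; state both, so that an administrator reads it as a security-relevant setting rather than a display option. "(for debug purpose only)" should read "(for debugging purposes only)". The hunk also removes the pointer to resolv.conf(5); keep it as a cross-reference unless the page already refers to resolv.conf(5) elsewhere.
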
> 
> is there a debug mode switch or is this a compile-time option?
> this could be of interest for admins that do not want this.
> 
> just my 2 cents,
>  wh

These options are always available. The message display is subject to the
simultaneous use of the RES_DEBUG option. However, the commentary and option name
imply that it is to test security flaws, but at your own risk:

    /*
    * response from wrong server? ignore it.
    * XXX - potential security hazard could
    * be detected here.
    */

I realize that my description may not be entirely fair. It could be:

    Accept a response from a wrong server. Potential security hazard
    could be detected here, but you need to compile glibc with debugging
    enabled and use RES_DEBUG option.

Regards,

-- 
Stéphane Aulery