Bug 12684 - Multi-request DNS lookups do not properly fall back to secondary nameserver
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.13
Importance: P2 normal
Target Milestone: ---
Assignee: Ulrich Drepper
Reported: 2011-04-19 15:28 UTC by Petr Baudis
Modified: 2014-06-27 13:35 UTC

fweimer: security-

proposed patch (318 bytes, patch)
2011-04-19 15:28 UTC, Petr Baudis

Description Petr Baudis 2011-04-19 15:28:27 UTC
Created attachment 5678
proposed patch

The resolver does not properly handle a case where an AF_UNSPEC query is started, two requests are therefore dispatched, and something like NOTIMP or SERVFAIL is returned to one of them (e.g. AF_INET6). In this case, the second nameserver in the queue is not queried even though it should be. It is caused by an omission of resplen = 0 in the appropriate branch of send_dg() - therefore, when checking whether the next nameserver should be queried, it is assumed that a proper reply was received from the first one.
Comment 1 Ulrich Drepper 2011-05-31 02:52:25 UTC
I agree, something is wrong.  But it's a bad idea to try the next server in case of NOTIMP replies etc. for just one of the requests.  Imagine all the servers return these errors.  In this case it is better to live with the one successful answer.  I added an appropriate patch.
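The fallback decision discussed in the description and in comment 1, as an added example (a simplified C model written for this page, not glibc code and not from either commenter). The function names, the 64-byte reply length and the two nameserver lists are assumptions; it shows both the stale resplen suppressing fallback and the case where resetting it discards the one usable answer.

```c
#include <stdio.h>

/* Simplified model of the fallback decision, NOT glibc's send_dg().
   Every name below is an assumption made for this illustration. */
enum { NOERROR = 0, SERVFAIL = 2, NOTIMP = 4 };
struct ns { int rcode[2]; };       /* constructed replies: [0] = A, [1] = AAAA */
static int queried;                /* nameservers tried by the last lookup */

/* One exchange with one server; both requests of an AF_UNSPEC lookup are sent.
   Returns resplen: 0 tells the caller to move on to the next nameserver. */
static int model_send_dg(const struct ns *s, int reset_on_failure)
{
    int resplen = 0;
    for (int i = 0; i < 2; i++) {
        if (s->rcode[i] != SERVFAIL && s->rcode[i] != NOTIMP) {
            resplen += 64;         /* constructed length of a usable reply */
            continue;
        }
        if (reset_on_failure)
            resplen = 0;           /* the assignment the report says is missing */
        return resplen;            /* without it a stale length reaches the caller */
    }
    return resplen;
}

/* Walk the list; return the index of the accepted server, -1 if exhausted. */
static int model_lookup(const struct ns *list, int n, int reset_on_failure)
{
    queried = 0;
    for (int i = 0; i < n; i++) {
        queried++;
        if (model_send_dg(&list[i], reset_on_failure) > 0)
            return i;
    }
    return -1;
}

/* Constructed scenarios: a healthy secondary, and AAAA rejected everywhere. */
static const struct ns MIXED[]   = { {{NOERROR, SERVFAIL}}, {{NOERROR, NOERROR}} };
static const struct ns ALL_BAD[] = { {{NOERROR, NOTIMP}},   {{NOERROR, NOTIMP}} };

int main(void)
{
    printf("mixed:   no reset -> %d, reset -> %d\n",
           model_lookup(MIXED, 2, 0), model_lookup(MIXED, 2, 1));
    printf("all bad: no reset -> %d, reset -> %d\n",
           model_lookup(ALL_BAD, 2, 0), model_lookup(ALL_BAD, 2, 1));
    return 0;
}
```

In the ALL_BAD case the reset variant returns -1 even though every server answered the A request, which is the outcome comment 1 argues against.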
Comment 2 Andreas Schwab 2011-06-03 10:57:49 UTC
$ nss/getent ahosts example.com
;; res_setoptions(" debug
", "conf")..
;;      debug
dots=1, statp->ndots=1, trailing_dot=0, name=example.com
;; res_nquerydomain(example.com, <Nil>, 1, 62321)
;; res_query(example.com, 1, 62321)
;; res_nmkquery(QUERY, example.com, IN, A)
;; res_nmkquery(QUERY, example.com, IN, AAAA)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24983
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;      example.com, type = A, class = IN
;; Querying server (# 1) address =
res_send: send: Connection refused
;; got answer:
;; ns_initparse: Message too long
;; ns_initparse: Message too long
Segmentation fault
Comment 3 Ulrich Drepper 2011-06-16 02:45:38 UTC
Don't reopen bugs for reasons like this.  The problem was caused by the patch but has nothing to do with the original problem.  This is very much misleading.  I've added a patch to fix two typos which caused crashes.
Comment 5 Florian Weimer 2014-06-27 13:35:00 UTC
I believe the crash mentioned in comment #2 was also filed as bug 13013.