getaddrinfo returns PTR name in ai_canonname when using DNS
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
eglibc |
Fix Released
|
Medium
|
|||
eglibc (Debian) |
Fix Released
|
Unknown
|
|||
eglibc (Fedora) |
Fix Released
|
Undecided
|
|||
eglibc (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Precise |
Fix Released
|
High
|
Adam Conrad |
Bug Description
Got pinged about this, not fixed in 12.04 yet. From the Redhat bug:
"We have verified that getaddrinfo() does reverse address calls to DNS when AI_CANONNAME is passed in hints.ai_flags and returns the PTR name of the forward resolved ip address as Canonical name.
The canonical name is arguably not what is returned by the PTR record for various reasons. Aside the fact that PTR record are often not under control of the the same people that control the A name, A names can also be roundrobin names and return multiple addresses. Picking one and returnings its PTR as canonical name seem highly questionable.
A CNAME -> A name resolution is welcome as the A name is arguably the Canonical name of a CNAME. But getaddrinfo shouldn't do PTR requests to the DNS.
We found this when testing ssh+GSSAPI auth on laptops that can properly set the A record for their name usin dynamic DNS updates but cannot change the PTR record of whatever network they are currently travelling in.
This breaks kerberos which needs the canonical (A record) name to construct the principal name used to request a ticket when rdns = false is set in krb5.conf and GSSAPITrustDNS is set to no in ssh (the default)."
Changed in eglibc (Ubuntu): | |
importance: | Undecided → High |
Changed in eglibc (Ubuntu Precise): | |
importance: | Undecided → High |
Changed in eglibc (Debian): | |
status: | Unknown → New |
Changed in eglibc: | |
importance: | Unknown → Medium |
status: | Unknown → Confirmed |
Changed in eglibc: | |
status: | Confirmed → Fix Released |
Changed in eglibc (Debian): | |
status: | New → Fix Released |
Changed in eglibc (Ubuntu): | |
status: | Incomplete → Fix Released |
Changed in eglibc (Ubuntu Precise): | |
status: | Incomplete → In Progress |
assignee: | nobody → Adam Conrad (adconrad) |
Changed in eglibc (Fedora): | |
importance: | Unknown → Undecided |
status: | Unknown → Fix Released |
We have verified that getaddrinfo() does reverse address calls to DNS when AI_CANONNAME is passed in hints.ai_flags and returns the PTR name of the forward resolved ip address as Canonical name.
The canonical name is arguably not what is returned by the PTR record for various reasons. Aside the fact that PTR record are often not under control of the the same people that control the A name, A names can also be roundrobin names and return multiple addresses. Picking one and returnings its PTR as canonical name seem highly questionable.
A CNAME -> A name resolution is welcome as the A name is arguably the Canonical name of a CNAME. But getaddrinfo shouldn't do PTR requests to the DNS.
We found this when testing ssh+GSSAPI auth on laptops that can properly set the A record for their name usin dynamic DNS updates but cannot change the PTR record of whatever network they are currently travelling in.
This breaks kerberos which needs the canonical (A record) name to construct the principal name used to request a ticket when rdns = false is set in krb5.conf and GSSAPITrustDNS is set to no in ssh (the default).