CC @mdempsky

Although this is late in cycle, this is a small, focused change that we intend to backport regardless, which makes sense to accept.

We've discussed a bit and are supportive of merging this before the RC.

I agree that compliant DNS servers shouldn't have any issues with the use of EDNS. But the rationale for this CL is to accommodate non-compliant servers that send invalid responses, so it seems like we should also be mindful about non-compliant servers/firewalls that break EDNS.

Will there be more release candidates before Go 1.18? If so, I think including in Go 1.18 seems reasonable.

I'm not sure why this is important to backport though?

Backporting is justified to me by the comments in "Miscellany" in #51127. This tooling is critical for some users, and forcing them to upgrade to (as of yet unreleased 1.18) isn't a great workaround. I assume this impacts the Go command as well.

The go command almost always links to libc, which means using the platform C resolver by default and not the netgo one.

@seankhliao

The go command almost always links to libc, which means using the platform C resolver by default and not the netgo one.

When compiled with libc, the net package decides at runtime whether to use cgo or go resolver

@gopherbot Please open backport issues.

Backport issue(s) opened: #51161 (for 1.16), #51162 (for 1.17).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@ianlancetaylor This will cause new failures because FORMERR/NOTIMPL fallback appears to be missing from the implementation. It may be necessary to implement timeout handling as well (retrying without EDNS0 in case of a timeout).

@ianlancetaylor your CL https://go-review.googlesource.com/c/go/+/385035 landed 10 hours ago to the master branch. Shall we thus close this issue?

@fweimer-rh Do you think that we need to worry about those possibilities in practice? I don't see anything in glibc, although it's true that that case is different because the user must explicitly opt-in to EDNS in the resolv.conf file.

If those are real possibilities then I will revert the CL. It's too late in the release cycle to add that kind of complexity.

Thanks.

@ianlancetaylor I expect some problems. How widespread they are I don't know. I'm not aware of any stub resolver implementations that use EDNS0 by default and without any fallback. Go's implementation might be the first one with wide deployment. This change seems rather risky to me at this point.

An alternative would be to merge #51128 or a variant thereof, which does not advertise EDSN0 support in the request but accepts a larger (safe) buffer size by default.

This is akin to what glibc does, though reading C and executing it are often two different things, it looks to me like glibc may behave better here solely because it allocates a larger buffer, without advertising EDSN0 support.

A common cause of cannot unmarshal DNS... errors were that the users were on a VPN such as AnyConnect, which likely just had a DNS proxy that didn't implement message compression, so compressed upstream sub-512 byte responses would be expanded to >512 byte responses. That was also the case for Consul & Mesos DNS servers.

Allocating a ~1200 byte buffer by default, or perhaps 1024 byte is all that's needed, would mitigate this issue without additional protocol implications. Glibc defaults to 1024 bytes, I think?

https://github.com/bminor/glibc/blob/b92a49359f33a461db080a33940d73f47c756126/resolv/nss_dns/dns-network.c#L128

@AaronFriel The initial buffer sizes vary on the NSS functions used (1024 and 2048, see resolv/nss_dns/dns-hosts.c). There is also the NSS-based ERANGE retry loop, but I'm not sure if this only applies after TCP fallback. (There is dynamic buffer allocation in resolv/res_send.c, but that's only for the second response in a dual/parallel AF_UNSPEC lookup.) However, I wouldn't recommend the glibc implementation as a model for a stub resolver.

Fair, I also wouldn't use glibc as a reference. I'm merely offering a compromise to maximize compatibility with real world DNS resolvers without advertising full EDNS0 support.

After discussion, we currently plan to do this:

• roll back CL 385035
• add a change to accept DNS packets up to 1232 bytes, to help WSL
• backport that DNS packet change to 1.16 and 1.17
• reinstall CL 385035 after the 1.18 release, so that it has some testing for 1.19

Change https://go.dev/cl/386015 mentions this issue: net: increase maximum accepted DNS packet to 1232 bytes

Change https://go.dev/cl/386016 mentions this issue: net: send EDNS(0) packet length in DNS query

Change https://go.dev/cl/386014 mentions this issue: Revert "net: send EDNS(0) packet length in DNS query"

Change https://go.dev/cl/386034 mentions this issue: [release-branch.go1.16] net: increase maximum accepted DNS packet to 1232 bytes

Change https://go.dev/cl/386035 mentions this issue: [release-branch.go1.17] net: increase maximum accepted DNS packet to 1232 bytes

OK, changes made. Moving this issue to 1.19 to use EDNS.

Change https://go.dev/cl/389634 mentions this issue: doc/go1.19: mention use of EDNS(0)

Change https://go.dev/cl/415579 mentions this issue: net: ignore edns0 option in resolv.conf