starred/hickory-dns
1
0
Fork 0
mirror of https://github.com/hickory-dns/hickory-dns.git synced 2026-04-25 11:15:54 +03:00
Code Issues 373 Projects Releases 6 Packages Wiki Activity

[GH-ISSUE #1985] Malformed label: -- when parsing resolv.conf #839

New issue
Closed
opened 2026-03-16 00:30:44 +03:00 by kerem · 9 comments
kerem commented 2026-03-16 00:30:44 +03:00
Owner
Copy link

Originally created by @Jake-Shadle on GitHub (Jul 6, 2023).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/1985

Describe the bug
My local /etc/resolv.conf triggers this error, due to the presence of the line search -- lan.

To Reproduce
Attemp to parse this file:

nameserver 127.0.0.53
options edns0 trust-ad
search -- lan

Expected behavior
I would expect this file to be parsed, if it is actually valid, which I'm assuming it is since my system works, but I honestly have no clue if trust-dns or systemd is in the wrong here since my efforts to figure out what the valid form(s) of the search entry in the resolv.conf is/are was met with defeat.

After playing around with my /etc/systemd/resolved.conf I'm becoming more convinced that this is a systemd bug, as doing any changes to the Domains= field (which controls the search field in resolv.conf) will always result in -- being appended or prepended to whatever entries I make.

System:

  • OS: linux
  • Architecture: x86_64
  • Version: 6.3.8-200.fc38.x86_64
  • rustc version: 1.70.0

Version:
Crate: proto
Version: 0.22.0

Additional context
I didn't configure this myself and since I've never had this issue in the past, I'm assuming a recent system update added/changed the search -- lan entry in the resolv.conf, so I'm assuming other people will start hitting this issue if this is a general update to Fedora 38/systemd-resolv, but that's just a guess.

That being said, I'm not certain this is a bug in trust-dns, but more likely systemd, but figured I would open this issue just in case that is not the case, or at least have a record of this issue if others hit it, as I was unable to find much info elsewhere about this.

Originally created by @Jake-Shadle on GitHub (Jul 6, 2023). Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/1985 **Describe the bug** My local `/etc/resolv.conf` triggers [this error](https://github.com/bluejekyll/trust-dns/blob/c4e92cf837b2cd5bd5c3567bc405d01cf6eb1f03/crates/proto/src/rr/domain/label.rs#L96), due to the presence of the line `search -- lan`. **To Reproduce** Attemp to parse this file: ```txt nameserver 127.0.0.53 options edns0 trust-ad search -- lan ``` **Expected behavior** I would expect this file to be parsed, _if_ it is actually valid, which I'm _assuming_ it is since my system works, but I honestly have no clue if trust-dns or systemd is in the wrong here since my efforts to figure out what the valid form(s) of the search entry in the resolv.conf is/are was met with defeat. After playing around with my `/etc/systemd/resolved.conf` I'm becoming more convinced that this is a systemd bug, as doing any changes to the `Domains=` field (which controls the search field in resolv.conf) will always result in `--` being appended or prepended to whatever entries I make. **System:** - OS: linux - Architecture: x86_64 - Version: 6.3.8-200.fc38.x86_64 - rustc version: 1.70.0 **Version:** Crate: proto Version: 0.22.0 **Additional context** I didn't configure this myself and since I've never had this issue in the past, I'm assuming a recent system update added/changed the `search -- lan` entry in the resolv.conf, so I'm assuming other people will start hitting this issue if this is a general update to Fedora 38/systemd-resolv, but that's just a guess. That being said, I'm not certain this is a bug in trust-dns, but more likely systemd, but figured I would open this issue just in case that is not the case, or at least have a record of this issue if others hit it, as I was unable to find much info elsewhere about this.
kerem closed this issue 2026-03-16 00:30:49 +03:00
kerem commented 2026-03-16 00:30:55 +03:00
Author
Owner
Copy link

@Jake-Shadle commented on GitHub (Jul 6, 2023):

Oh and as a workaround, one can just edit /etc/resolv.conf to remove the -- from the search field, just be aware that those changes will be overwritten if you re/start the systemd-resolved service or reboot.

<!-- gh-comment-id:1623289223 --> @Jake-Shadle commented on GitHub (Jul 6, 2023): Oh and as a workaround, one can just edit `/etc/resolv.conf` to remove the `--` from the search field, just be aware that those changes will be overwritten if you re/start the `systemd-resolved` service or reboot.
kerem commented 2026-03-16 00:31:00 +03:00
Author
Owner
Copy link

@Jake-Shadle commented on GitHub (Jul 6, 2023):

Took a look at my laptop running PopOS instead of Fedora, but still using systemd, and sure enough the resolv.conf just has search lan with no --.

<!-- gh-comment-id:1623330339 --> @Jake-Shadle commented on GitHub (Jul 6, 2023): Took a look at my laptop running PopOS instead of Fedora, but still using systemd, and sure enough the resolv.conf just has `search lan` with no `--`.
kerem commented 2026-03-16 00:31:05 +03:00
Author
Owner
Copy link

@CodeDead commented on GitHub (Jul 23, 2023):

Still, the double dashes are valid config options for /etc/resolv.conf . This bug also impacts the MongoDB Rust driver on Linux.

<!-- gh-comment-id:1646719878 --> @CodeDead commented on GitHub (Jul 23, 2023): Still, the double dashes are valid config options for /etc/resolv.conf . This bug also impacts the MongoDB Rust driver on Linux.
kerem commented 2026-03-16 00:31:10 +03:00
Author
Owner
Copy link

@Jake-Shadle commented on GitHub (Jul 23, 2023):

Do you have a reference for it in a spec? I tried and failed to find what - - even means.

<!-- gh-comment-id:1646799864 --> @Jake-Shadle commented on GitHub (Jul 23, 2023): Do you have a reference for it in a spec? I tried and failed to find what - - even means.
kerem commented 2026-03-16 00:31:15 +03:00
Author
Owner
Copy link

@CodeDead commented on GitHub (Jul 23, 2023):

https://man.archlinux.org/man/resolv.conf.5#search

On Sun, 23 Jul 2023, 12:07 Jake Shadle, @.***> wrote:

Do you have a reference for it in a spec? I tried and failed to find what

    • even means.


Reply to this email directly, view it on GitHub
https://github.com/bluejekyll/trust-dns/issues/1985#issuecomment-1646799864,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AD4J3UW6YBUNPJBSP2JRUBDXRTZWLANCNFSM6AAAAAA2AEI7DQ
.
You are receiving this because you commented.Message ID:
@.***>

<!-- gh-comment-id:1646808325 --> @CodeDead commented on GitHub (Jul 23, 2023): https://man.archlinux.org/man/resolv.conf.5#search On Sun, 23 Jul 2023, 12:07 Jake Shadle, ***@***.***> wrote: > Do you have a reference for it in a spec? I tried and failed to find what > - - even means. > > — > Reply to this email directly, view it on GitHub > <https://github.com/bluejekyll/trust-dns/issues/1985#issuecomment-1646799864>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AD4J3UW6YBUNPJBSP2JRUBDXRTZWLANCNFSM6AAAAAA2AEI7DQ> > . > You are receiving this because you commented.Message ID: > ***@***.***> >
kerem commented 2026-03-16 00:31:20 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Jul 24, 2023):

I have no idea what would mean in this context?

I think one option would be for us to change the resolve.conf parsing to be lossy and ignore illegal input? My guess is this is some awkward default based on other configurations in the system, like no hostname?

<!-- gh-comment-id:1648166525 --> @bluejekyll commented on GitHub (Jul 24, 2023): I have no idea what `—` would mean in this context? I think one option would be for us to change the resolve.conf parsing to be lossy and ignore illegal input? My guess is this is some awkward default based on other configurations in the system, like no hostname?
kerem commented 2026-03-16 00:31:25 +03:00
Author
Owner
Copy link

@CodeDead commented on GitHub (Jul 24, 2023):

I have no idea what would mean in this context?

I think one option would be for us to change the resolve.conf parsing to be lossy and ignore illegal input? My guess is this is some awkward default based on other configurations in the system, like no hostname?

It would mean nothing. This is because of faulty hostnames for example or faulty network managers adding things that make no sense. If only double dashes are present, double dashes in the search can be ignored.

<!-- gh-comment-id:1648219440 --> @CodeDead commented on GitHub (Jul 24, 2023): > I have no idea what `—` would mean in this context? > > I think one option would be for us to change the resolve.conf parsing to be lossy and ignore illegal input? My guess is this is some awkward default based on other configurations in the system, like no hostname? It would mean nothing. This is because of faulty hostnames for example or faulty network managers adding things that make no sense. If only double dashes are present, double dashes in the search can be ignored.
kerem commented 2026-03-16 00:31:30 +03:00
Author
Owner
Copy link

@djc commented on GitHub (Jul 24, 2023):

@CodeDead how do you conclude that from those docs? I didn't see anything relevant in that man page?

Maybe we should look at the code (presumably in libc implementations) that parses resolv.conf?

<!-- gh-comment-id:1648221936 --> @djc commented on GitHub (Jul 24, 2023): @CodeDead how do you conclude that from those docs? I didn't see anything relevant in that man page? Maybe we should look at the code (presumably in libc implementations) that parses `resolv.conf`?
kerem commented 2026-03-16 00:31:35 +03:00
Author
Owner
Copy link

@CodeDead commented on GitHub (Jul 24, 2023):

@CodeDead how do you conclude that from those docs? I didn't see anything relevant in that man page?

Maybe we should look at the code (presumably in libc implementations) that parses resolv.conf?

Because -- is not a valid search domain and meaningless. Most likely added due to a network manager since most distro's use a network manager to manage /etc/resolv.conf (in my case the latest version of systemd-resolved)

If I, for example do a dig +search google the dig command will fail too with the error message:

dig: '--' is not a legal IDNA2008 name (string start/ends with forbidden hyphen), use +noidnin

You could either panic and fail, which is now the case for both dig and trust-dns repo or ignore the search domain because it is invalid. Whether this is a systemd bug is hard to tell, because it might be intended behavior to ignore double dashes when using systemd because systems with systemd running still work when search is set to the double dashes. It is still valid to place double dashes in the search field because there are no standards or restrictions listed in the manual that prevent you from doing that but it will not form a valid domain according to the domain standards. The question is how to handle that; to fail or to ignore the dashes.

Journaling systemd-resolved (with google dns) and no domain name set in the system will give me something like this:

journalctl -u systemd-resolved -f

Jul 24 18:44:38 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set DNS server list to: 8.8.8.8, 8.8.4.4
Jul 24 18:44:39 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set DNS server list to: 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844
Jul 24 18:46:46 deadlinepc systemd-resolved[1120]: enp6s0: Bus client reset search domain list.
Jul 24 18:46:46 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set default route setting: no
Jul 24 18:46:46 deadlinepc systemd-resolved[1120]: enp6s0: Bus client reset DNS server list.
Jul 24 18:46:47 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set search domain list to: --
Jul 24 18:46:47 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set default route setting: yes
Jul 24 18:46:47 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set DNS server list to: 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844
Jul 24 18:46:47 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set DNS server list to: 8.8.8.8, 8.8.4.4
Jul 24 18:46:48 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set DNS server list to: 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844

Which stems from a 'faulty' connection profile. The best (read: fastest) way to solve this problem for systemd, is to re-create the connection profile (delete the connection profile and create a new one) in systemd devices if the double dashes are present (probably stemming from faulty router / DHCP setup) in the hopes that the search field will then be retrieved and set correctly.

Whether or not to fail for invalid domains is another matter (because most of systemd will absolutely work and just ignore the problem) whereas some tools (like dig) will panic.

Ignoring the double dashes might be the way to go for systemd because it is not a valid domain and perhaps trust-dns should ignore invalid search domains too, but that is a decision to make and take for the maintainers. Either way, search -- is an invalid search domain but still, nothing prevents you from adding invalid search domains in resolv.conf or the actual router.

<!-- gh-comment-id:1648240979 --> @CodeDead commented on GitHub (Jul 24, 2023): > @CodeDead how do you conclude that from those docs? I didn't see anything relevant in that man page? > > Maybe we should look at the code (presumably in libc implementations) that parses `resolv.conf`? Because `--` is not a valid search domain and meaningless. Most likely added due to a network manager since most distro's use a network manager to manage `/etc/resolv.conf` (in my case the latest version of systemd-resolved) If I, for example do a `dig +search google` the dig command will fail too with the error message: ``` dig: '--' is not a legal IDNA2008 name (string start/ends with forbidden hyphen), use +noidnin ``` You could either panic and fail, which is now the case for both dig and trust-dns repo or ignore the search domain because it is invalid. Whether this is a systemd bug is hard to tell, because it might be intended behavior to ignore double dashes when using systemd because systems with systemd running still work when search is set to the double dashes. It is still valid to place double dashes in the search field because there are no standards or restrictions listed in the manual that prevent you from doing that but it will not form a valid domain according to the domain standards. The question is how to handle that; to fail or to ignore the dashes. Journaling systemd-resolved (with google dns) and no domain name set in the system will give me something like this: ``` journalctl -u systemd-resolved -f Jul 24 18:44:38 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set DNS server list to: 8.8.8.8, 8.8.4.4 Jul 24 18:44:39 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set DNS server list to: 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844 Jul 24 18:46:46 deadlinepc systemd-resolved[1120]: enp6s0: Bus client reset search domain list. Jul 24 18:46:46 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set default route setting: no Jul 24 18:46:46 deadlinepc systemd-resolved[1120]: enp6s0: Bus client reset DNS server list. Jul 24 18:46:47 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set search domain list to: -- Jul 24 18:46:47 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set default route setting: yes Jul 24 18:46:47 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set DNS server list to: 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844 Jul 24 18:46:47 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set DNS server list to: 8.8.8.8, 8.8.4.4 Jul 24 18:46:48 deadlinepc systemd-resolved[1120]: enp6s0: Bus client set DNS server list to: 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844 ``` Which stems from a 'faulty' connection profile. The best (read: fastest) way to solve this problem for systemd, is to re-create the connection profile (delete the connection profile and create a new one) in systemd devices if the double dashes are present (probably stemming from faulty router / DHCP setup) in the hopes that the search field will then be retrieved and set correctly. Whether or not to fail for invalid domains is another matter (because most of systemd will absolutely work and just ignore the problem) whereas some tools (like `dig`) will panic. Ignoring the double dashes might be the way to go for systemd because it is not a valid domain and perhaps trust-dns should ignore invalid search domains too, but that is a decision to make and take for the maintainers. Either way, `search --` is an invalid search domain but still, nothing prevents you from adding invalid search domains in resolv.conf or the actual router.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
release/0.26
david/conformance-dnssec-negative-tests
query-api
opt-types
cname-nsec
no-cname-recursion
conformance-min-ttl
dname-base
drop-message-request
no-error-queries
cpu-sig0-rm-message-sig_dev
cpu-tsig-test-update_dev
windows-config
dnssec-net
release/0.25
opp-enc-persist
integration-test
cpu-tidying-recursor-opts_dev
happy-eyeballs
david/authoritative-zone-storage-trait
dnssec-ad
no-authority
release/0.24
pvdrz/remove-top-file
pvdrz/h3-handshake-timeout
pvdrz/quic-handshake-timeout
nxdomain-for-recursor
ja-test-merque-queue
ja-fix-ci-again
sz-add-ede-tests
sz-test-tc-bit-with-large-response
sz-fix-tokio-dependency
gh-2275-test-rrsig-signature
refactor-sign-zone-file
fix-1.79-cleanliness
update-nightly-hash
release/0.23
gh-pages
use-just-for-server-toml
release/0.22
revert-1874-cpu-zone-parse-default-class
disable-bind-compatibility-tests
disable-test_tls_client_stream_ipv4
update-native-tls-0.2.11
recursor-tests
fix-clippy-self
release/0.20
saethlin-fix-rdata-zero
release/0.19
flat_name
drop_unused_futures
release/0.18
release-r0.12-cs0.17
release/r0.12-cs0.17
trust-dns-book
r0.10
test-connections-not-dropped
fix_exec_status_on_rs_files
release-0.9
add-mutex-to-integration-tests
0.8_release
bfry/dns-crypt
v0.26.0
v0.26.0-beta.4
v0.26.0-beta.3
v0.26.0-beta.2
v0.26.0-beta.1
v0.26.0-alpha.1
v0.25.2
v0.25.1
v0.25.0
v0.24.4
v0.24.3
v0.25.0-alpha.5
v0.24.2
v0.25.0-alpha.4
v0.25.0-alpha.3
v0.25.0-alpha.2
v0.25.0-alpha.1
v0.24.1
v0.23.2
v0.24.0
v0.23.1
v0.23.0
v0.23.0-alpha.5
v0.23.0-alpha.4
v0.23.0-alpha.3
v0.22.1
v0.23.0-alpha.2
v0.23.0-alpha.1
v0.22.0
v0.21.2
v0.21.1
v0.21.0
v0.21.0-alpha.5
v0.20.4
v0.21.0-alpha.4
v0.21.0-alpha.3
v0.21.0-alpha.2
v0.21.0-alpha.1
v0.20.3
v0.20.2
v0.20.1
v0.19.7
v0.20.0
0.19.6
v0.20.0-alpha.3
v0.20.0-alpha.2
v0.20.0-alpha.1
0.19.5
0.19.4
0.19.3
0.19.0
0.18.1
0.18
0.18.0.alpha.2
r0.12_cs0.17
r0.11.1
cs0.16.1
r0.11
cs0.16
r0.10.1
r0.10.0
cs0.15.0
r0.9.1
v0.14.0
r0.9.0
r0.8.1
r0.8.0
v0.13.0
r0.7.0
c0.12.0
r0.6.0
r0.5.0
resolver.0.4.0
0.11.0
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.1
0.8.0
0.7.3
0.7.2
0.7.1
0.7.0
0.6.0
0.5.3
0.5.1
0.5.0
0.4.0
0.3.1
0.3.0
0.2.1
0.2.0
0.1.0
Labels
Clear labels   
blocked

   
breaking-change

   
bug

   
bug:critical

   
bug:tests

   
cleanup

   
compliance

   
compliance

   
compliance

   
crate:all

   
crate:client

   
crate:native-tls

   
crate:proto

   
crate:recursor

   
crate:resolver

   
crate:resolver

   
crate:rustls

   
crate:server

   
crate:util

   
dependencies

   
docs

   
duplicate

   
easy

   
easy

   
enhance

   
enhance

   
enhance

   
feature:dns-over-https

   
feature:dns-over-quic

   
feature:dns-over-tls

   
feature:dnsssec

   
feature:global_lb

   
feature:mdns

   
feature:tsig

   
features:edns

   
has workaround

   
ops

   
perf

   
platform:WASM

   
platform:android

   
platform:fuchsia

   
platform:linux

   
platform:macos

   
platform:windows

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
test

   
tools

   
tools

   
trust

   
unclear

   
wontfix
No labels
blocked
breaking-change
bug
bug:critical
bug:tests
cleanup
compliance
compliance
compliance
crate:all
crate:client
crate:native-tls
crate:proto
crate:recursor
crate:resolver
crate:resolver
crate:rustls
crate:server
crate:util
dependencies
docs
duplicate
easy
easy
enhance
enhance
enhance
feature:dns-over-https
feature:dns-over-quic
feature:dns-over-tls
feature:dnsssec
feature:global_lb
feature:mdns
feature:tsig
features:edns
has workaround
ops
perf
platform:WASM
platform:android
platform:fuchsia
platform:linux
platform:macos
platform:windows
pull-request
question
test
tools
tools
trust
unclear
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/hickory-dns#839
No description provided.