A remote code execution vulnerability in glibc

Sysctl changes kernel behaviour, not userland/library behaviour. This bug is in glibc, not the kernel. Besides, even v4-only servers/applications might want to look up an AAAA record. It's just another record in the DNS, like A, MX, TXT etc.

sysctls configure kernel behaviour, do they not? I'm pretty happy that various clients of the kernel don't overload them with their own interpretations of what they should mean.

If glibc should interpret that sysctl and disable its resolver's lookup of AAAA records, then why shouldn't Java also use it to set the default value of the java.net.preferIPv4Stack system property, and so on... I think that way, madness lies!

I am doing countless IPv6 queries per day - from machines that have no IPv6 addresses and not even Internet access.

DNS is just a database. And I certainly would not want to miss records from it, just because of my network configuration. (Arguably one could use a separate resolver from the system resolver for such purposes, but that would be a fundamental change and break countless pieces of software)

>Well... why the hell not? If you specifically disable IPv6, why are AAAA entries looked up or attempted to be parsed, ever?

Because you used AF_UNSPEC, which specifically asks it do do that:
>The value AF_UNSPEC indicates that getaddrinfo() should return socket addresses for any address family (either IPv4 or IPv6, for example) that can be used with node and service

There are plenty of times that you might want to do these lookups even though you don't currently have IPv6 connectivity yourself.

Arguably there are a lot of places that perhaps shouldn't actually be unconditionally using AF_UNSPEC at all, but there doesn't appear to be an AF_DOTHERIGHTTHING and it's awkward to bake in a check for IPv6 connectivity into your app so as to use AF_INET or AF_INET6 as appropriate (plus that seems like a layering violation to me), so it's hard to blame application developers.

In other words, the bug is in the API.

I think the general idea was that if you make enough AAAA queries, people would fix more quickly broken DNS infrastructure which did not cope well with AAAA queries or responses. I'm not sure if that's still a reasonable approach today. The dual-lookup acceleration in glibc has also caused a lot of pain by itself, even before today's update.

There is also a distinct lack of kernel APIs to determine whether the system supports IPv6 or not. In fact, for a certain class of systems, it is cheaper to avoid making the determination until you have received AAAA records from the DNS, and skip it altogether if you do not receive such records.

AAAA responses resulting from lookups from an IPV4 client should generally be passed back to the client by the DNS resolver, unless the latter knows that the particular client needs to go through some kind of gateway to access an IPV6 only server. In that situation the client can be passed an A record for the IPV4/IPV6 gateway which can proxy the (presumably HTTP) request. If it's a HTTPS request, then unless the gateway can sign a certificate for the website with a key the client trusts, the response will be indistinguishable from a MITM attack.