DHCP Option 15 search domain includes null byte (\0), not truncated by Talos #11826

@FlxPeters

Bug Report

Description

When Talos receives a DNS search domain via DHCP (from a Windows Server domain controller), the value includes a trailing null byte (\0).

Talos does not truncate the null byte — instead it stores the raw value. While this may be technically valid DHCP behavior, it causes downstream issues. For example, KubeVirt refuses to start VMs if the search domain contains the null byte.

Null Byte Behavior on Windows DHCP

Windows DHCP servers (including Domain Controllers) commonly encode string options (e.g., Option 12 Host Name and Option 15 Domain Name) as null-terminated ASCII strings.

This means the domain name is followed by a 0x00 byte.

Most DHCP clients treat the 0x00 as a string terminator and do not persist it in configuration files or resolver settings.

Talos currently does not trim this 0x00, and instead stores it literally as part of the search domain.

So while the Windows DHCP server behavior is valid, the client (Talos) should be defensive and strip the null terminator for compatibility.

Additional description: https://www.reddit.com/r/sysadmin/comments/t4yppf/windows_dhcp_server_appends_00_space_to_option_15/

Logs

$ talosctl get resolvers

NODE          NAMESPACE   TYPE             ID          VERSION   RESOLVERS                         SEARCH DOMAINS
10.4.244.33   network     ResolverStatus   resolvers   3         ["10.100.91.30","10.1.186.101"]   ["host.example.org\u0000"]

Output of nmap:

sudo nmap --script broadcast-dhcp-discover
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-12 16:52 CEST
Pre-scan script results:
| broadcast-dhcp-discover: 
|   Response 1 of 1: 
|     IP Offered: 10.1.18.175
|     DHCP Message Type: DHCPOFFER
|     Subnet Mask: 255.255.255.0
|     Renewal Time Value: 0s
|     Rebinding Time Value: 0s
|     IP Address Lease Time: 1s
|     Server Identifier: 10.1.187.5
|     Router: 10.1.18.1
|     Domain Name Server: 10.1.186.100, 10.1.186.101, 10.1.186.195, 10.1.187.159
|     Domain Name: host.example.org\x00
|     NTP Servers: 10.248.18.34, 10.248.18.42, 10.248.18.50
|     NetBIOS Name Server: 10.1.186.100
|     Class Identifier: PXEClient\x00
|_    Vendor Specific Information: 10.10.82.6
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 2.39 seconds

Environment

  • Talos version: 1.10.0
  • Platform: Bare Metal
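
The defensive handling the report asks for, as an added example that is not part of the original issue and is not Talos code: a DHCP client trims trailing NUL bytes from the Option 15 payload and rejects anything that is still not a plain DNS name, such as a NUL embedded mid-string. `CleanDomainName` and `ErrInvalidDomain` are hypothetical names, and the strict letters-digits-hyphen check is an assumption about what the resolver configuration should accept.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidDomain is returned when the option payload is not a usable DNS name.
var ErrInvalidDomain = errors.New("invalid DHCP domain name")

// CleanDomainName normalizes a raw DHCP Option 15 payload (hypothetical helper).
// It drops trailing NUL padding, then rejects anything that is not a plain
// LDH (letters, digits, hyphen) DNS name, including NULs embedded mid-string.
func CleanDomainName(raw []byte) (string, error) {
	name := strings.TrimRight(string(raw), "\x00")
	name = strings.TrimSuffix(name, ".") // tolerate a fully qualified form
	if name == "" || len(name) > 253 {
		return "", ErrInvalidDomain
	}
	for _, label := range strings.Split(name, ".") {
		if label == "" || len(label) > 63 ||
			strings.HasPrefix(label, "-") || strings.HasSuffix(label, "-") {
			return "", ErrInvalidDomain
		}
		for _, c := range []byte(label) {
			ok := c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' ||
				c >= '0' && c <= '9' || c == '-'
			if !ok {
				return "", ErrInvalidDomain
			}
		}
	}
	return name, nil
}

func main() {
	// Constructed payloads; the first matches the value shown in the report.
	samples := [][]byte{
		[]byte("host.example.org\x00"),
		[]byte("host.example.org"),
		[]byte("host\x00.example.org"),
		[]byte("\x00"),
	}
	for _, s := range samples {
		name, err := CleanDomainName(s)
		fmt.Printf("%q -> %q, err=%v\n", s, name, err)
	}
}
```

Rejecting the embedded-NUL case instead of truncating at the first 0x00 keeps a malformed or hostile DHCP reply from silently turning into a different search domain.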
