-
-
Notifications
You must be signed in to change notification settings - Fork 347
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Resolving records through more than 8 CNAME fails due to hardcoded MAX_RESTART_COUNT #438
Comments
I've hit this same issue. It prevents me (and anybody using Unbound) from setting up a Windows device with their Microsoft Account (MSA). logincdn.msauth.net, used during MSA authentication has 9 CNAME records (see
|
I have hit this too, which makes LinkedIn inaccessible at times. Sometimes their CDN, static-exp1.licdn.com sometimes resolves through this chain (but not always):
|
Failures I ran into with this for the sake of anyone else confused:
Granted those are Microsoft Windows problems but 8 is arbitrarily low for a cheap way to prevent CNAME loops. The only workaround I've found beyond hardcoding microsoft's IPs is to not use unbound. |
I hit this issue too, with Unbound 1.13.1 on OPNsense. The strange thing is, Unbound does sometimes resolve the domain successfully, but querying immediately afterwards fails again. Based on level 5 logs, I believe the difference is that it succeeds when its cache is empty, and fails when it find the CNAME chain in its cache. Amusingly, for
|
@Arnavion It certainly would change from place to place, as that is what a CDN is designed for. In the case of LinkedIn, it will even change throughout the day for me, from a 3-name chain to a 8+ name chain. So...there are certain times of the day LinkedIn will fail to work for me. :) |
Yes, it's just that on a few other forums I saw people wondering why something as fundamental as It doesn't help that there are also a few red herrings on the internet, because some people claim they got it working by disabling qname-minimisation, but at least for me doing that doesn't make any difference. |
Naturally there are other names besides |
Hi, However we would not like to introduce a configuration option for that since this will only solve the problem for users that mess with the value. The proper solution is for domains to check their CNAME chains because different resolvers have different strategies and limits on how to deal with CNAME chains/query restarts. |
@gthess Could we raise it to something like 20? I know that sounds high, but it should still resolve pretty fast, most places won't do this, caching should mitigate when it does happen, and it will keep this bug from recurring too soon. :) |
I am reluctant to go that "high". For legitimate purposes that should work fine. But since Unbound does not trust CNAME chains and goes and asks for each record itself, the illegitimate/DoS purposes are what we don't want to enable. |
@gthess Yeah, I fully understand that. We are currently dealing with this bug because we never thought someone would make a CNAME chain this long. To prevent this from coming up in the future, I would think we'd either need to make it a high number, or make it configurable so it's an easy work around if something "stupid" happens in the future. Right now, there are a LOT Of downstream users that can't (or don't know how) to upgrade because they use unbound in a project such as PFSense. The bug won't be fixed for them until a fix is released...and then PFSense upgrades the package. A configuration option would let users mitigate this in the future. |
Can someone provide reasoning why anyone would need such long CNAME chains? To me this sounds like the mistake was on that side. Perhaps it's a bit unfortunate that the protocol does not standardize a particular global limit; I agree you don't want a (web) service telling all their users to reconfigure their DNS. |
With regard to why this change might be helpful - if you're in a situation (like I was) where you're maintaining a system that uses unbound (like PFSense) and swapping out the package for a custom build isn't particularly easy or well supported then you're forced to use another DNS resolver altogether to get unblocked. One of the reasons why I thought this would be valuable to have as a configuration option is to avoid defaulting everyone into a higher count just to cover the few cases where it could help but give people that have identified the problem a way to work around it. Part of this discussion has become what it should be increased to and while that might help for the next instance I think that would just be kicking the can down the road. There's still a good reason to have a limit; even without cycles in the resolution it would be possible to create a domain to DOS a resolver by cycling through an absurdly long CNAME chain so having a limit makes sense. But making that limit have the ability to override it in config would have allowed me to be unblocked while waiting for the service to be fixed. I'd very much like #461 to be adopted; all of the defaults could remain in place to not cause new behavior for existing deployments but the next time I get into this state because someone did an unusual DNS configuration (very easy to accidentally do) and only tested it in a few configurations then I can still unblock myself. |
@vcunat Some CDN systems will configure a very long CNAME chain as part of their normal operation. See the LinkedIn example above. |
(For anyone who was tracking this issue because of
|
This issue is very annoying, at least make it possible to be changed in configuration rather than hardcoded. Yes, long chain of CNAME probably is not a good design, but we can't just simply ask Akamai, Microsoft, Apple, other companies or CDN and Cloud companies say hey my software is not compatible with your design, can you change your design? Chances are the answer will be: No, why others are fine, only you are complaining, and no, we will not change our design for minor users who is having issue with their own software. Just switch to another software that works. So, please make this a configuration parameter rather than hardcoded. |
Hi all, Thanks for your input. Since this is the first time we get something similar regarding CNAME chain length, we are reluctant to jump to a configuration option at this moment. |
I'm not sure which one you are referencing as fixed, but for me, the LinkedIn one (static-exp1.licdn.com) will fluctuate between a 3-long chain and an 8-long chain, meaning sometimes I can access LinkedIn and sometimes i can't. :) |
I had the same issue today in pfsense 2.5.2 against the microsoft fqdn content.powerapps.com. |
I've run into an edge case where a name passed through 9 CNAMEs (and 10 total resolutions to get the final answer). Because
MAX_RESTART_COUNT
is hardcoded there's no way to tune the configuration to work around this situation.The original bug report is in the pfSense bug tracker here where detailed traces from
drill
are available.The text was updated successfully, but these errors were encountered: