dyndns update fails when no search domain is configured #6322

Closed
glorang opened this issue Aug 24, 2022 · 16 comments
Comments

@glorang

glorang commented Aug 24, 2022

Stumbled upon the following today:

  • Fedora 36 with SSSD 2.7.3-1.fc36
  • Joined in Microsoft Windows AD
  • Static IP configured via Network Manager GUI

sssd.conf extract:

ad_hostname = mymachine.domain.com
dyndns_update = true
dyndns_update_ptr = true

This results in following error (sssd -i -d10):

(2022-08-24 18:08:37): [be[domain.com]] [be_ptask_execute] (0x0400): Task [Dyndns update]: executing task, timeout 86400 seconds
(2022-08-24 18:08:37): [be[domain.com]] [ad_dyndns_update_send] (0x0400): Performing update
(2022-08-24 18:08:37): [be[domain.com]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(2022-08-24 18:08:37): [be[domain.com]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(2022-08-24 18:08:37): [be[domain.com]] [check_ipv6_addr] (0x0200): Link local IPv6 address fe80::de1d:6a92:9b5c:db0b
(2022-08-24 18:08:37): [be[domain.com]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(2022-08-24 18:08:37): [be[domain.com]] [resolv_is_address] (0x4000): [mymachine.domain.com] does not look like an IP address
(2022-08-24 18:08:37): [be[domain.com]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(2022-08-24 18:08:37): [be[domain.com]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'mymachine.domain.com' in DNS
(2022-08-24 18:08:37): [be[domain.com]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 3 seconds
(2022-08-24 18:08:37): [be[domain.com]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(2022-08-24 18:08:37): [be[domain.com]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(2022-08-24 18:08:37): [be[domain.com]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
(2022-08-24 18:08:37): [be[domain.com]] [request_watch_destructor] (0x0400): Deleting request watch
(2022-08-24 18:08:37): [be[domain.com]] [resolv_is_address] (0x4000): [mymachine.domain.com] does not look like an IP address
(2022-08-24 18:08:37): [be[domain.com]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(2022-08-24 18:08:37): [be[domain.com]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'mymachine.domain.com' in DNS
(2022-08-24 18:08:37): [be[domain.com]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 3 seconds
(2022-08-24 18:08:37): [be[domain.com]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(2022-08-24 18:08:37): [be[domain.com]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(2022-08-24 18:08:37): [be[domain.com]] [request_watch_destructor] (0x0400): Deleting request watch
(2022-08-24 18:08:37): [be[domain.com]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(2022-08-24 18:08:37): [be[domain.com]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [8]: Misformatted domain name
(2022-08-24 18:08:37): [be[domain.com]] [nsupdate_get_addrs_done] (0x0040): nsupdate_get_addrs_done failed: [5]: [Input/output error]
(2022-08-24 18:08:37): [be[domain.com]] [sdap_dyndns_dns_addrs_done] (0x0040): Could not receive list of current addresses [5]: Input/output error
(2022-08-24 18:08:37): [be[domain.com]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [5]: Input/output error
(2022-08-24 18:08:37): [be[domain.com]] [sdap_id_op_destroy] (0x4000): releasing operation connection

Some debugging later I found out this is because the search domain parameter in /etc/resolv.conf is set to a dot by default, e.g.

nameserver 127.0.0.53
options edns0 trust-ad
search .

Setting a valid search domain via Domains=domain.com in /etc/systemd/resolved.conf or nmcli connection modify "Wired connection 1" IPv4.dns-search "domain.com" fixes this issue.

Since we specify a valid FQDN in /etc/sssd/sssd.conf via the ad_hostname parameter I'd say this is a bug in SSSD but I leave it to you if this is a bug, a wontfix or enhancement. Thought I'd report it anyway.

I agree it's a weird edge case to configure the dyndns options with a static IP. It's a VM we use to simulate end-user workstations and we prefer to give all our VMs a static IP.

@ripcord

ripcord commented Feb 2, 2023

I can confirm this issue, I ran into this very problem on an Ubuntu 22.04 VM with the following details:

$ uname -r
5.15.0-58-generic
$ sssd --version
2.6.3
$

@yrro
Contributor

yrro commented Feb 7, 2023

I'm seeing this too on Fedora 37 with sssd-2.8.2-1.fc37.x86_64. I'm using the ipa provider rather than ad but the log messages are the same:

[nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [8]: Misformatted domain name

And the same workaround (reconfigure the NM connection with ipv4.dns-search set to ipa.example.com, then nmcli dev reapply enp4s0 and systemctl restart sssd) results in working DNS updates again.

@yrro
Contributor

yrro commented Jul 1, 2023

Still seeing this with sssd-2.9.1-1.fc38.x86_64.

(Memo to self: set ipv4.dns-search to something and restart SSSD and it will retry a dyndns update. But it won't log anything in the default log level of 2 if it's successful, only if it fails. So set debug_level to 3 or higher to see logs for the successful attempt; to see the actual input given to nsupdate, use log level 6.)

@yrro
Contributor

yrro commented Jul 28, 2023

Systemd doesn't want to fix this, so it's up to sssd to cope with search . in resolv.conf...

@sumit-bose
Contributor

Hi,

can you try if setting

dns_resolver_use_search_list = False

to the [domain/...] section of sssd.conf helps?

bye,
Sumit

@yrro
Contributor

yrro commented Aug 25, 2023

dns_resolver_use_search_list = False

Thanks, this works!

# grep ^search /etc/resolv.conf
search .

Selected log messages:

(2023-08-25 14:38:40): [be[ipa.example.com]] [ipa_dyndns_update_send] (0x0400): Performing update
(2023-08-25 14:38:40): [be[ipa.example.com]] [sdap_dyndns_dns_addrs_done] (0x0400): Detected IP addresses change, will perform an update
(2023-08-25 14:38:40): [be[ipa.example.com]] [nsupdate_msg_create_common] (0x0200): Creating update message for auto-discovered realm.

(The will perform an update message was not logged before, so if you see it in the log messages then you are not affected by this bug).

@sumit-bose
Contributor

Hi,

thanks for testing, so it looks like the issue is in c-ares, the resolver library SSSD is using. Maybe you can open a ticket at https://github.com/c-ares/c-ares/issues to see what the c-ares developers think about this?

bye,
Sumit

@yrro
Contributor

yrro commented Aug 29, 2023

I'll do that but I'm not able to reproduce the problem with the following code. I get:

$ cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search .

$ make ares-test CFLAGS=-g LDLIBS=-lcares
cc -g    ares-test.c  -lcares -o ares-test

$ ./ares-test $HOSTNAME
mymachine.domain.com: 192.0.2.2

I'm different from what SSSD does by calling ares_init instead of ares_init_options, because I think the default options cause resolv.conf's search and domains options to be respected and I don't think the other options should affect the test.

#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>

#include <ares.h>

/* Completion callback for ares_search(): print every A record in the reply,
   or the c-ares error that ended the search. */
void cb(void *arg, int status, int timeouts, unsigned char *abuf, int alen) {
    (void)arg;
    (void)timeouts;
    if (status != ARES_SUCCESS) {
        fprintf(stderr, "ares_search -> %s\n", ares_strerror(status));
        return;
    }

    int r;
    struct hostent *host;
    if ((r = ares_parse_a_reply(abuf, alen, &host, NULL, NULL)) != ARES_SUCCESS) {
        fprintf(stderr, "ares_parse_a_reply: %s\n", ares_strerror(r));
        return;
    }

    for (char **addr = host->h_addr_list; *addr; addr++) {
        struct in_addr ina;
        memcpy(&ina, *addr, host->h_length);
        printf("%s: %s\n", host->h_name, inet_ntoa(ina));
    }

    ares_free_hostent(host);
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fputs("provide a hostname\n", stderr);
        return 1;
    }
    const char *name = argv[1];

    int r, stat = 0;                      /* exit status; only raised on a select() failure */
    ares_channel chan;
    /* ares_init() reads /etc/resolv.conf with default options, so the
       'search' line is honoured. */
    if ((r = ares_init(&chan)) != ARES_SUCCESS) {
        fprintf(stderr, "ares_init: %s\n", ares_strerror(r));
        return 1;
    }

    ares_search(chan, name, ns_c_in, ns_t_a, cb, NULL);

    /* Drive the channel until no query is outstanding. */
    for (;;) {
        int nfds;
        fd_set readers, writers;
        FD_ZERO(&readers);
        FD_ZERO(&writers);
        nfds = ares_fds(chan, &readers, &writers);
        if (nfds == 0)
            break;
        struct timeval tv, *tvp;
        tvp = ares_timeout(chan, NULL, &tv);
        int ready = select(nfds, &readers, &writers, NULL, tvp);
        if (ready == -1) {
            fprintf(stderr, "select: %s\n", strerror(errno));
            stat = 1;
            break;
        }
        ares_process(chan, &readers, &writers);
    }

    ares_destroy(chan);
    return stat;
}

// vim: ts=8 sts=4 sw=4 et

@sumit-bose
Contributor

Hi,

I think it depends if c-ares has to add the search domain from /etc/resolv.conf or not. If the given name is fully-qualified, or at least has a . and some domain components, c-ares will try this input first and if nothing was found it will add what is given in search. Can you please try with a fully-qualified name that does not exist in DNS or a shortname?

bye,
Sumit

@yrro
Copy link
Contributor

yrro commented Aug 29, 2023

Ok, I get

$ ./ares-test nxdomain.eeeeee
ares_search -> Misformatted domain name

$ ./ares-test mymachine
ares_search -> Misformatted domain name

If I remove search . from /etc/resolv.conf then I get:

$ ./ares-test mymachine
ares_search -> Domain name not found

$ ./ares-test nxdomain.eeeeee
ares_search -> Domain name not found

So I guess this demonstrates the bug. I can file that with c-ares.

(What I don't understand is why, if search . does not affect the resolution of FQDNs, why sssd is affected...)
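To make the two runs above concrete, here is an added model of the stub-resolver search loop. It is an editor's example, not c-ares code and not code from this thread. It assumes what the thread's output implies: a candidate is built by joining the name and each search domain with a dot, so `search .` turns `mymachine` into `mymachine..`, a name with an empty label that cannot be encoded on the wire, and a candidate that cannot be encoded ends the search with the "Misformatted domain name" error instead of being skipped. Whether c-ares internally does exactly this is an assumption. The resolv.conf contents, the hostnames and the one-entry "zone" are constructed from the values in the thread. The `root_aware` flag shows the corrected handling, where a search domain of `.` is treated as the root and only a trailing dot is appended.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SEARCH 6
#define MAX_NAME   256

struct resolv_conf {
    char search[MAX_SEARCH][MAX_NAME];   /* domains from the 'search' line */
    int  nsearch;
    int  ndots;                          /* 'options ndots:N', default 1 */
};

/* Parse the 'search' and 'options ndots:N' lines of a resolv.conf buffer. */
void parse_resolv_conf(const char *text, struct resolv_conf *rc) {
    memset(rc, 0, sizeof *rc);
    rc->ndots = 1;
    for (const char *line = text; *line; line += strcspn(line, "\n"), line += (*line == '\n')) {
        char buf[512], tok[MAX_NAME];
        int used;
        snprintf(buf, sizeof buf, "%.*s", (int)strcspn(line, "\n"), line);
        if (strncmp(buf, "search ", 7) == 0) {
            rc->nsearch = 0;             /* a later 'search' line replaces an earlier one */
            for (const char *p = buf + 7; rc->nsearch < MAX_SEARCH && sscanf(p, "%255s%n", tok, &used) == 1; p += used)
                snprintf(rc->search[rc->nsearch++], MAX_NAME, "%s", tok);
        } else if (strncmp(buf, "options ", 8) == 0 && strstr(buf, "ndots:")) {
            rc->ndots = atoi(strstr(buf, "ndots:") + 6);
        }
    }
}

/* RFC 1035 wire-format check: labels of 1..63 octets, at most 253 in total, no
   empty label except the trailing dot of an absolute name ("mymachine.." fails). */
int name_is_wellformed(const char *name) {
    size_t n = strlen(name), label = 0;
    if (n == 0 || n > 253) return 0;
    if (strcmp(name, ".") == 0) return 1;              /* the root itself */
    if (name[n - 1] == '.') n--;                       /* drop the absolute marker */
    for (size_t i = 0; i < n; i++) {
        if (name[i] != '.') { if (++label > 63) return 0; continue; }
        if (label == 0) return 0;                      /* empty label */
        label = 0;
    }
    return label > 0;
}

/* Candidates in the order a stub resolver tries them: a name with at least ndots
   dots goes as-is first, then with each search domain appended; a shorter name
   gets the search domains first and the bare name last. root_aware == 0 is the
   naive join name "." domain (assumed model of the buggy behaviour); root_aware
   == 1 treats a search domain of "." as the root and appends only a dot. */
int build_candidates(const char *name, const struct resolv_conf *rc, int root_aware,
                     char out[][MAX_NAME], int max) {
    int n = 0, dots = 0;
    for (const char *p = name; *p; p++) dots += (*p == '.');
    int asis_first = dots >= rc->ndots;
    if (asis_first && n < max) snprintf(out[n++], MAX_NAME, "%s", name);
    for (int i = 0; i < rc->nsearch && n < max; i++) {
        if (root_aware && strcmp(rc->search[i], ".") == 0)
            snprintf(out[n++], MAX_NAME, "%s.", name);
        else
            snprintf(out[n++], MAX_NAME, "%s.%s", name, rc->search[i]);
    }
    if (!asis_first && n < max) snprintf(out[n++], MAX_NAME, "%s", name);
    return n;
}

enum search_result { R_FOUND, R_NXDOMAIN, R_EBADNAME };

/* "host.domain." and "host.domain" name the same owner. */
static int same_name(const char *cand, const char *zone) {
    size_t n = strlen(cand);
    if (n && cand[n - 1] == '.') n--;
    return n == strlen(zone) && strncmp(cand, zone, n) == 0;
}

/* Walk the candidates: stop at the first one the zone knows; a candidate that
   cannot be encoded ends the whole search with R_EBADNAME (assumed to be what
   surfaces as "Misformatted domain name") instead of being skipped. */
int simulate_search(const char *name, const struct resolv_conf *rc, int root_aware,
                    const char *const *zone, int nzone) {
    char cand[MAX_SEARCH + 2][MAX_NAME];
    int n = build_candidates(name, rc, root_aware, cand, MAX_SEARCH + 2);
    for (int i = 0; i < n; i++) {
        if (!name_is_wellformed(cand[i])) return R_EBADNAME;
        for (int z = 0; z < nzone; z++)
            if (same_name(cand[i], zone[z])) return R_FOUND;
    }
    return R_NXDOMAIN;
}

int main(void) {
    /* Constructed inputs taken from the thread: resolv.conf with 'search .' and a
       zone that only knows the machine's FQDN. */
    const char *conf = "nameserver 127.0.0.53\noptions edns0 trust-ad\nsearch .\n";
    const char *zone[] = { "mymachine.domain.com" };
    const char *names[] = { "mymachine.domain.com", "mymachine", "nxdomain.eeeeee" };
    const char *verdict[] = { "found", "Domain name not found", "Misformatted domain name" };
    struct resolv_conf rc;
    parse_resolv_conf(conf, &rc);
    for (int mode = 0; mode < 2; mode++) {
        printf("%s handling of 'search .':\n", mode ? "root-aware" : "naive");
        for (int i = 0; i < 3; i++) {
            char cand[MAX_SEARCH + 2][MAX_NAME];
            int n = build_candidates(names[i], &rc, mode, cand, MAX_SEARCH + 2);
            printf("  %-22s tries:", names[i]);
            for (int j = 0; j < n; j++) printf(" %s", cand[j]);
            printf("  -> %s\n", verdict[simulate_search(names[i], &rc, mode, zone, 1)]);
        }
    }
    return 0;
}
```

In the naive mode the existing FQDN is found at the first candidate, before the `mymachine..` form is ever built, while the short name and the non-existent FQDN both reach the malformed candidate and fail with the encoding error rather than NXDOMAIN; in root-aware mode the same two lookups end in a plain "not found", which is the pair of outcomes shown in the two test runs above.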

@yrro
Contributor

yrro commented Aug 29, 2023

(What I don't understand is why, if search . does not affect the resolution of FQDNs, why sssd is affected...)

Wait, I see. If the DNS entry for a host hasn't been created, of course this will break sssd.

If the DNS entry for a host does exist, but has the wrong address, maybe sssd isn't broken in this case, I guess I never checked. I'll test that and report back...

@yrro
Contributor

yrro commented Sep 8, 2023

This issue could be closed since the bug is really in c-ares.

@sumit-bose
Contributor

This issue could be closed since the bug is really in c-ares.

Hi,

thanks for letting us know. I'll close the ticket.

bye,
Sumit

@yrro
Contributor

yrro commented Nov 11, 2023

FYI, the fix in c-ares was released in version 1.20.0.

@sumit-bose
Contributor

FYI, the fix in c-ares was released in version 1.20.0.

Hi,

great, thanks for your help on this.

bye,
Sumit

@brasky

brasky commented Jan 30, 2024

This issue helped me figure out an incredibly niche issue after switching from CentOS to Ubuntu and having our dynamic DNS entries expire after our refresh interval elapsed. After the entry got scavenged from DNS it was then able to refresh itself...

Unfortunately 1.20 of libc-ares2 is not available on the latest LTS of ubuntu...

Just wanted to say thank you to both of you for this investigation it saved me a huge amount of time.


5 participants