networkd-test.py fails with dnsmasq 2.80 in test_resolved_domain_restricted_dns #10487

Closed
mbiebl opened this issue Oct 22, 2018 · 14 comments · Fixed by #18666

@mbiebl
Contributor

mbiebl commented Oct 22, 2018

systemd version the issue has been seen with

v239
git master

Used distribution

Debian sid

This is from the downstream bug report https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911408

After the update of dnsmasq from 2.79 to 2.80, the systemd autopkgtest fails for test/networkd-test.py.

Running git bisect on dnsmasq identified the following commit as the problematic one:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1682d15a744880b0398af75eadf68fe66128af78

commit 1682d15a744880b0398af75eadf68fe66128af78
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Fri Aug 3 20:38:18 2018 +0100

    Add missing EDNS0 section.
    EDNS0 section missing in replies to EDNS0-containing queries where
    answer generated from --local=/<domain>/

Simon Kelley (the author of dnsmasq) replied at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911408#52

The failing test is

======================================================================
ERROR: test_resolved_domain_restricted_dns (__main__.DnsmasqClientTest)
resolved: domain-restricted DNS servers
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/autopkgtest-lxc.mecm2pp3/downtmp/build.egD/src/test/networkd-test.py", line 583, in test_resolved_domain_restricted_dns
    out = subprocess.check_output(['systemd-resolve', 'math.lab'])
  File "/usr/lib/python3.6/subprocess.py", line 336, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.6/subprocess.py", line 418, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['systemd-resolve', 'math.lab']' returned non-zero exit status 1.

----------------------------------------------------------------------
Ran 36 tests in 208.186s

FAILED (errors=1, skipped=2)

I can't really answer the questions Simon raised in the Debian bug report, so I'm filing this bug report here to get further input.

@mbiebl
Contributor Author

mbiebl commented Oct 22, 2018

The problem should be easily reproducible via ./test/networkd-test.py DnsmasqClientTest.test_resolved_domain_restricted_dns

@mbiebl
Contributor Author

mbiebl commented Oct 22, 2018

Fwiw, with 2.79 I get:

# resolvectl query kettle.cantina.company
kettle.cantina.company: 10.241.4.4

-- Information acquired via protocol DNS in 3.4ms.
-- Data is authenticated: no

With 2.80 I get

# resolvectl query kettle.cantina.company
kettle.cantina.company: resolve call failed: DNSSEC validation failed: no-signature  

@mbiebl
Contributor Author

mbiebl commented Oct 22, 2018

v2.80

# systemd-resolve math.lab
math.lab: 10.241.3.3

-- Information acquired via protocol DNS in 28.3ms.
-- Data is authenticated: no

Oct 22 17:07:51 debian systemd-resolved[7627]: Detected a negative query math.lab IN DS in a private DNS zone, permitting unsigned response.                                                                                            

# systemd-resolve kettle.cantina.company
kettle.cantina.company: resolve call failed: DNSSEC validation failed: no-signature

Oct 22 17:08:40 debian systemd-resolved[7627]: DNSSEC validation failed for question cantina.company IN DS: no-signature                                                                                                                
Oct 22 17:08:40 debian systemd-resolved[7627]: DNSSEC validation failed for question cantina.company IN SOA: no-signature                                                                                                               
Oct 22 17:08:40 debian systemd-resolved[7627]: DNSSEC validation failed for question kettle.cantina.company IN DS: no-signature                                                                                                         
Oct 22 17:08:40 debian systemd-resolved[7627]: DNSSEC validation failed for question kettle.cantina.company IN SOA: no-signature                                                                                                        
Oct 22 17:08:40 debian systemd-resolved[7627]: DNSSEC validation failed for question kettle.cantina.company IN A: no-signature      

@mbiebl
Contributor Author

mbiebl commented Nov 5, 2018

Simon Kelley, the dnsmasq author, claims this is a systemd-networkd issue.
@pfl any ideas?

@pfl
Contributor

pfl commented Nov 5, 2018

> @pfl any ideas?

Sorry, no ideas right now. I don't know enough of DNS to be able to help very quickly.

@mbiebl
Contributor Author

mbiebl commented Nov 7, 2018

running networkd-test.py with dnsmasq v2.79

# ps aux | grep dnsmasq
nobody   11520  0.0  0.3  25260  3332 pts/1    S+   23:10   0:00 dnsmasq --keep-in-foreground --log-queries --log-facility=/tmp/tmp3_id7zsx/dnsmasq.log --conf-file=/dev/null --dhcp-leasefile=/tmp/tmp3_id7zsx/dnsmasq.leases --bind-interfaces --interface=router_eth42 --except-interface=lo --dhcp-range=192.168.5.10,192.168.5.200 --address=/#/192.168.42.1
nobody   11531  0.0  0.3  25260  3316 pts/1    S+   23:10   0:00 dnsmasq --keep-in-foreground --log-queries --log-facility=/tmp/tmp3_id7zsx/dnsmasq-vpn.log --conf-file=/dev/null --dhcp-leasefile=/dev/null --bind-interfaces --interface=testvpnrouter --except-interface=lo --address=/math.lab/10.241.3.3 --address=/cantina.company/10.241.4.4


# resolvectl query kettle.cantina.company                                                                         
kettle.cantina.company: 10.241.4.4

-- Information acquired via protocol DNS in 3.6ms.
-- Data is authenticated: no

# cat /tmp/tmp3_id7zsx/dnsmasq-vpn.log
Nov  6 23:10:39 dnsmasq[11531]: started, version 2.79 cachesize 150
Nov  6 23:10:39 dnsmasq[11531]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
Nov  6 23:10:39 dnsmasq[11531]: reading /etc/resolv.conf
Nov  6 23:10:39 dnsmasq[11531]: using nameserver 10.0.2.3#53
Nov  6 23:10:39 dnsmasq[11531]: read /etc/hosts - 4 addresses
Nov  6 23:17:38 dnsmasq[11531]: query[A] kettle.cantina.company from 10.241.3.1
Nov  6 23:17:38 dnsmasq[11531]: config kettle.cantina.company is 10.241.4.4
Nov  6 23:17:38 dnsmasq[11531]: query[A] kettle.cantina.company from 10.241.3.1
Nov  6 23:17:38 dnsmasq[11531]: config kettle.cantina.company is 10.241.4.4

# journalctl -u systemd-resolved

Nov 06 23:17:38 debian systemd-resolved[11545]: Using degraded feature set (UDP) for DNS server 10.241.3.1.
Nov 06 23:17:38 debian systemd-resolved[11545]: Server 10.241.3.1 does not support DNSSEC, downgrading to non-DNSSEC mode.

running networkd-test.py with dnsmasq v2.80

# ps aux | grep dnsmasq
nobody   13324  0.0  0.3  25280  3344 pts/1    S+   23:29   0:00 dnsmasq --keep-in-foreground --log-queries --log-facility=/tmp/tmpf3unvou5/dnsmasq.log --conf-file=/dev/null --dhcp-leasefile=/tmp/tmpf3unvou5/dnsmasq.leases --bind-interfaces --interface=router_eth42 --except-interface=lo --dhcp-range=192.168.5.10,192.168.5.200 --address=/#/192.168.42.1
nobody   13333  0.0  0.3  25280  3328 pts/1    S+   23:29   0:00 dnsmasq --keep-in-foreground --log-queries --log-facility=/tmp/tmpf3unvou5/dnsmasq-vpn.log --conf-file=/dev/null --dhcp-leasefile=/dev/null --bind-interfaces --interface=testvpnrouter --except-interface=lo --address=/math.lab/10.241.3.3 --address=/cantina.company/10.241.4.4

# resolvectl query kettle.cantina.company
kettle.cantina.company: resolve call failed: DNSSEC validation failed: no-signature

# cat /tmp/tmpf3unvou5/dnsmasq-vpn.log
Nov  6 23:29:09 dnsmasq[13333]: started, version 2.80 cachesize 150
Nov  6 23:29:09 dnsmasq[13333]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile
Nov  6 23:29:09 dnsmasq[13333]: reading /etc/resolv.conf
Nov  6 23:29:09 dnsmasq[13333]: using nameserver 10.0.2.3#53
Nov  6 23:29:09 dnsmasq[13333]: read /etc/hosts - 4 addresses
Nov  6 23:29:56 dnsmasq[13333]: query[A] kettle.cantina.company from 10.241.3.1
Nov  6 23:29:56 dnsmasq[13333]: config kettle.cantina.company is 10.241.4.4
Nov  6 23:29:56 dnsmasq[13333]: query[SOA] kettle.cantina.company from 10.241.3.1
Nov  6 23:29:56 dnsmasq[13333]: config kettle.cantina.company is NODATA
Nov  6 23:29:56 dnsmasq[13333]: query[DS] kettle.cantina.company from 10.241.3.1
Nov  6 23:29:56 dnsmasq[13333]: config kettle.cantina.company is NODATA
Nov  6 23:29:56 dnsmasq[13333]: query[SOA] cantina.company from 10.241.3.1
Nov  6 23:29:56 dnsmasq[13333]: config cantina.company is NODATA
Nov  6 23:29:56 dnsmasq[13333]: query[DS] cantina.company from 10.241.3.1
Nov  6 23:29:56 dnsmasq[13333]: config cantina.company is NODATA
Nov  6 23:29:56 dnsmasq[13333]: query[SOA] company from 10.241.3.1
Nov  6 23:29:56 dnsmasq[13333]: forwarded company to 10.0.2.3
Nov  6 23:29:56 dnsmasq[13333]: query[DNSKEY] company from 10.241.3.1
Nov  6 23:29:56 dnsmasq[13333]: forwarded company to 10.0.2.3
Nov  6 23:29:56 dnsmasq[13333]: query[DS] company from 10.241.3.1
Nov  6 23:29:56 dnsmasq[13333]: forwarded company to 10.0.2.3
Nov  6 23:29:56 dnsmasq[13333]: query[DNSKEY] . from 10.241.3.1
Nov  6 23:29:56 dnsmasq[13333]: forwarded . to 10.0.2.3

# journalctl -u systemd-resolved
Nov 06 23:29:56 debian systemd-resolved[13349]: DNSSEC validation failed for question cantina.company IN DS: no-signature
Nov 06 23:29:56 debian systemd-resolved[13349]: DNSSEC validation failed for question cantina.company IN SOA: no-signature
Nov 06 23:29:56 debian systemd-resolved[13349]: DNSSEC validation failed for question kettle.cantina.company IN DS: no-signature
Nov 06 23:29:56 debian systemd-resolved[13349]: DNSSEC validation failed for question kettle.cantina.company IN SOA: no-signature
Nov 06 23:29:56 debian systemd-resolved[13349]: DNSSEC validation failed for question kettle.cantina.company IN A: no-signature

@mbiebl mbiebl added this to the v240 milestone Nov 15, 2018
@mbiebl
Contributor Author

mbiebl commented Nov 15, 2018

dnsmasq 2.80 was released on 18 October 2018. That means this issue will hit other distros sooner or later as well (probably sooner). I'd thus like to bump the visibility of this issue by adding it to the v240 milestone.

@mbiebl
Contributor Author

mbiebl commented Dec 1, 2018

Another friendly ping.
Anyone around who is familiar with dnsmasq and networkd and can have a look at that?

@poettering
Member

let's drop this from the milestone. it's difficult to test this when this isn't packaged yet on fedora. I mean, by all means, this is worth fixing, but I am not convinced we need to delay the release for that.

@poettering poettering modified the milestones: v240, v241 Dec 5, 2018
@mbiebl
Contributor Author

mbiebl commented Dec 5, 2018

@poettering
Member

yeah, but i don't run rawhide...

@mbiebl mbiebl modified the milestones: v241, v242 Jan 11, 2019
@poettering
Member

Hmm, still not in f29, let's bump this.

@poettering poettering modified the milestones: v242, v243 Mar 26, 2019
@poettering poettering modified the milestones: v243, v244 Jul 13, 2019
@poettering poettering modified the milestones: v244, v245 Nov 15, 2019
@poettering poettering modified the milestones: v245, v246 Jan 14, 2020
@poettering poettering modified the milestones: v246, v247 Apr 23, 2020
@poettering poettering modified the milestones: v247, v248 Sep 17, 2020
poettering added a commit to poettering/systemd that referenced this issue Nov 18, 2020
We need to list the synthesized domains as NTAs, otherwise the DNSSEC
validation of course cannot succeed.

Fixes: systemd#10487 systemd#5029
bluca pushed a commit that referenced this issue Feb 18, 2021
We need to list the synthesized domains as NTAs, otherwise the DNSSEC
validation of course cannot succeed.

Fixes: #10487 #5029
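
Added example (not part of this thread or of systemd's code): a Python check that ties the `no-signature` failures in the systemd-resolved journal back to the domains dnsmasq synthesizes via `--address=`, and emits candidate negative trust anchors (NTAs) in the one-domain-per-line format of dnssec-trust-anchors.d(5) `.negative` files. The command line and journal lines are constructed samples modelled on the logs quoted above, and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample input, modelled on the dnsmasq command line and journal lines in this thread.
DNSMASQ_CMDLINE = (
    "dnsmasq --keep-in-foreground --bind-interfaces --interface=testvpnrouter "
    "--address=/math.lab/10.241.3.3 --address=/cantina.company/10.241.4.4"
)
RESOLVED_JOURNAL = """\
Nov 06 23:29:56 debian systemd-resolved[13349]: DNSSEC validation failed for question cantina.company IN DS: no-signature
Nov 06 23:29:56 debian systemd-resolved[13349]: DNSSEC validation failed for question kettle.cantina.company IN A: no-signature
Nov 06 23:30:02 debian systemd-resolved[13349]: DNSSEC validation failed for question www.example.org IN A: no-signature
"""

FAIL_RE = re.compile(r"DNSSEC validation failed for question (\S+) IN (\S+): no-signature")

def synthesized_domains(cmdline):
    """Domains dnsmasq answers itself from --address=/<domain>/.../<ip> (unsigned answers)."""
    domains = set()
    for arg in shlex.split(cmdline):
        if arg.startswith("--address=/"):
            # Last field is the address; '#' is dnsmasq's match-everything wildcard.
            parts = arg[len("--address=/"):].split("/")[:-1]
            domains.update(p.lower().rstrip(".") for p in parts if p and p != "#")
    return domains

def classify_failures(journal, domains):
    """Split no-signature failures into those under a synthesized domain and the rest."""
    explained, unexplained = {}, set()
    for m in FAIL_RE.finditer(journal):
        name = m.group(1).lower().rstrip(".")
        hits = [d for d in domains if name == d or name.endswith("." + d)]
        if hits:
            # Longest matching suffix is the most specific synthesized domain.
            explained.setdefault(max(hits, key=len), set()).add(name)
        else:
            unexplained.add(name)  # not a local zone: investigate, do not add an NTA
    return explained, unexplained

def negative_anchor_file(domains):
    """Body of a *.negative trust anchor file: one domain per line."""
    return "".join(d + "\n" for d in sorted(domains))
```

Failures outside the synthesized domains are returned separately because an NTA turns off validation for the whole subtree, so it should only cover zones the local server is known to answer unsigned.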
@bluca
Member

bluca commented May 5, 2023

I've been seeing this same issue occasionally in jammy for a few weeks now:

ERROR: test_resolved_domain_restricted_dns (__main__.DnsmasqClientTest)
resolved: domain-restricted DNS servers
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/autopkgtest.OTtxkk/build.NOz/systemd/test/networkd-test.py", line 680, in test_resolved_domain_restricted_dns
    out = subprocess.check_output(['resolvectl', 'query', 'math.lab'])
  File "/usr/lib/python3.10/subprocess.py", line 420, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/lib/python3.10/subprocess.py", line 524, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['resolvectl', 'query', 'math.lab']' returned non-zero exit status 1.

@yuwata @mrc0mmand any idea?

@mbiebl
Contributor Author

mbiebl commented Mar 1, 2024

Let's close this as well. I don't have a setup from 2018 anymore to test the changes from #31557

@mbiebl mbiebl closed this as completed Mar 1, 2024