stub resolver generates incomplete CNAME replies

[yrro]

Submission type

• Bug report
• Request for enhancement (RFE)

systemd version the issue has been seen with

231

Used distribution

Debian

In case of bug report: Expected behaviour you didn't see

Unable to resolve webcache.googleuser.content.com, encrypted.google.com and wiki.freedesktop.org in Chromium, Firefox and with the ping and getent ahosts command.

In case of bug report: Unexpected behaviour you saw

Chromium gives ERR_NAME_NOT_RESOLVED and the other programs give similar errors.

Resolved itself seems happy:

$ systemd-resolve wiki.freedesktop.org
wiki.freedesktop.org: 131.252.210.176
                      2610:10:20:722:a800:ff:feda:470f
                      (annarchy.freedesktop.org)

-- Information acquired via protocol DNS in 2.4ms.
-- Data is authenticated: no

Debugging the DNS response:

$ dig @127.0.0.53 wiki.freedesktop.org
; <<>> DiG 9.10.3-P4-Debian <<>> +multi @127.0.0.53 wiki.freedesktop.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4615
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;wiki.freedesktop.org.    IN A

;; ANSWER SECTION:
wiki.freedesktop.org. 2864 IN CNAME annarchy.freedesktop.org.

;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Jul 28 13:08:24 BST 2016
;; MSG SIZE  rcvd: 72

Looks like the corresponding RRs for the CNAME are missing from the response; they are present when I query other recursive DNS servers directly:

$ dig @8.8.8.8 wiki.freedesktop.org

; <<>> DiG 9.10.3-P4-Debian <<>> +multi @8.8.8.8 wiki.freedesktop.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49833
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;wiki.freedesktop.org.    IN A

;; ANSWER SECTION:
wiki.freedesktop.org. 14399 IN CNAME annarchy.freedesktop.org.
annarchy.freedesktop.org. 14399   IN A 131.252.210.176

;; Query time: 178 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jul 28 13:11:11 BST 2016
;; MSG SIZE  rcvd: 88

In case of bug report: Steps to reproduce the problem

Start resolved. Configure the use of its stub resolver in /etc/resolv.conf. Try to visit one of those web sites.

[dongsupark]

@keszybz FYI this one was what I just mentioned.

[falconindy]

Would be nice to see this get some attention. Combined with 3539724, DNS resolution in nspawn chroots is pretty broken.

[tkarls]

What is the status of this one? It has been broken for quite some time now.

[tsimonq2]

It would be great if we could get a fix soon.

If I'm correct in reproducing, this is still a bug on a fully updated Ubuntu Zesty install (systemd 232), which recently switched to resolvd from dnsmasq. For now, I can just edit /etc/resolv.conf specifying Google's nameservers and it works fine again, but I'd rather not have to do that...

[andersk]

@tsimonq2 Yes, it is, and it makes the internet pretty much useless in Zesty (LP #1647031, LP #1647178, LP #1648037).

[falconindy]

Seems like this is actually two bugs.

1. resolved actively filters out A records from replies. No idea why, but removing this filtering makes it behave better. It's part of the original implementation, as well. @poettering? falconindy/systemd@8ca6665 trivially fixes this.
2. Even with the above commit, one still needs to disable caching, or else:

$ dig +short a @127.0.0.53 mirrors.rit.edu.
smoke.rc.rit.edu.
129.21.171.72
$ dig +short a @127.0.0.53 mirrors.rit.edu.
smoke.rc.rit.edu.

Debug output shows that the cache is storing both the CNAME and A records:

Added positive unauthenticated cache entry for mirrors.rit.edu IN CNAME 282s on */INET/8.8.8.8
Added positive unauthenticated cache entry for smoke.rc.rit.edu IN A 7200s on */INET/8.8.8.8

But then something on cache get, it seems to be confusing the presence of a CNAME with an A record...

Looking up RR for mirrors.rit.edu IN A.
Positive cache hit for mirrors.rit.edu IN A
Transaction 22757 for <mirrors.rit.edu IN A> on scope dns on */* now complete with <success> from cache (unsigned).

There exists no A record for mirrors.rit.edu cache if you're to believe the above log lines from the first query...

[warsaw]

@tsimonq2 If you install libnss-resolve, it apparently modifies /etc/nsswitch.conf to point at resolve before dns, so that is a workaround. However it'll still bite you in schroots.

[poettering]

Fix waiting in #5276.

[piotr-dobrogost]

I think I'm hitting this bug when trying to update with sudo dnf -v --refresh update. I get

Cannot download 'https://mirrors.fedoraproject.org/metalink?repo=fedora-25&arch=x86_64': Cannot prepare internal mirrorlist: Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-25&arch=x86_64 [Could not resolve host: mirrors.fedoraproject.org].
Error: Failed to synchronize cache for repo 'fedora'

dig @127.0.0.53 mirrors.fedoraproject.org returns

;; ANSWER SECTION:
mirrors.fedoraproject.org. 21   IN      CNAME   wildcard.fedoraproject.org.

dig @8.8.8.8 mirrors.fedoraproject.org returns

;; ANSWER SECTION:
mirrors.fedoraproject.org. 243  IN      CNAME   wildcard.fedoraproject.org.
wildcard.fedoraproject.org. 3   IN      A       85.236.55.6
wildcard.fedoraproject.org. 3   IN      A       174.141.234.172
wildcard.fedoraproject.org. 3   IN      A       209.132.181.16
wildcard.fedoraproject.org. 3   IN      A       152.19.134.142
wildcard.fedoraproject.org. 3   IN      A       8.43.85.67
wildcard.fedoraproject.org. 3   IN      A       185.141.165.254
wildcard.fedoraproject.org. 3   IN      A       140.211.169.206
wildcard.fedoraproject.org. 3   IN      A       152.19.134.198
wildcard.fedoraproject.org. 3   IN      A       209.132.181.15
wildcard.fedoraproject.org. 3   IN      A       67.219.144.68

The only thing I don't get is why has dnf been working fine till now?