stub resolver generates incomplete CNAME replies #3826

Closed
yrro opened this Issue Jul 28, 2016 · 9 comments

Comments

Projects
None yet
9 participants

yrro commented Jul 28, 2016

Submission type

  • Bug report
  • Request for enhancement (RFE)

systemd version the issue has been seen with

231

Used distribution

Debian

In case of bug report: Expected behaviour you didn't see

Unable to resolve webcache.googleuser.content.com, encrypted.google.com and wiki.freedesktop.org in Chromium, Firefox and with the ping and getent ahosts command.

In case of bug report: Unexpected behaviour you saw

Chromium gives ERR_NAME_NOT_RESOLVED and the other programs give similar errors.

Resolved itself seems happy:

$ systemd-resolve wiki.freedesktop.org
wiki.freedesktop.org: 131.252.210.176
                      2610:10:20:722:a800:ff:feda:470f
                      (annarchy.freedesktop.org)

-- Information acquired via protocol DNS in 2.4ms.
-- Data is authenticated: no

Debugging the DNS response:

$ dig @127.0.0.53 wiki.freedesktop.org
; <<>> DiG 9.10.3-P4-Debian <<>> +multi @127.0.0.53 wiki.freedesktop.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4615
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;wiki.freedesktop.org.    IN A

;; ANSWER SECTION:
wiki.freedesktop.org. 2864 IN CNAME annarchy.freedesktop.org.

;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Jul 28 13:08:24 BST 2016
;; MSG SIZE  rcvd: 72

Looks like the corresponding RRs for the CNAME are missing from the response; they are present when I query other recursive DNS servers directly:

$ dig @8.8.8.8 wiki.freedesktop.org

; <<>> DiG 9.10.3-P4-Debian <<>> +multi @8.8.8.8 wiki.freedesktop.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49833
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;wiki.freedesktop.org.    IN A

;; ANSWER SECTION:
wiki.freedesktop.org. 14399 IN CNAME annarchy.freedesktop.org.
annarchy.freedesktop.org. 14399   IN A 131.252.210.176

;; Query time: 178 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jul 28 13:11:11 BST 2016
;; MSG SIZE  rcvd: 88

In case of bug report: Steps to reproduce the problem

Start resolved. Configure the use of its stub resolver in /etc/resolv.conf. Try to visit one of those web sites.

@poettering poettering added the resolve label Jul 29, 2016

@poettering poettering added this to the v232 milestone Jul 29, 2016

@poettering poettering added the bug label Jul 29, 2016

gentoo-bot pushed a commit to gentoo/gentoo that referenced this issue Jul 31, 2016

sys-apps/systemd: disable resolv.conf warning
systemd-resolved currently returns broken responses via 127.0.0.53.

Bug: systemd/systemd#3826
Contributor

dongsupark commented Sep 30, 2016

@keszybz FYI this one was what I just mentioned.

@poettering poettering changed the title from stub resolver can't resolve particular names to stub resolver generates incomplete CNAME replies Oct 5, 2016

@poettering poettering modified the milestones: v233, v232 Oct 20, 2016

Contributor

falconindy commented Nov 9, 2016

Would be nice to see this get some attention. Combined with 3539724, DNS resolution in nspawn chroots is pretty broken.

tkarls commented Dec 1, 2016

What is the status of this one? It has been broken for quite some time now.

It would be great if we could get a fix soon.

If I'm correct in reproducing, this is still a bug on a fully updated Ubuntu Zesty install (systemd 232), which recently switched to resolvd from dnsmasq. For now, I can just edit /etc/resolv.conf specifying Google's nameservers and it works fine again, but I'd rather not have to do that...

andersk commented Dec 10, 2016

@tsimonq2 Yes, it is, and it makes the internet pretty much useless in Zesty (LP #1647031, LP #1647178, LP #1648037).

Contributor

falconindy commented Dec 14, 2016

Seems like this is actually two bugs.

  1. resolved actively filters out A records from replies. No idea why, but removing this filtering makes it behave better. It's part of the original implementation, as well. @poettering? falconindy/systemd@8ca6665 trivially fixes this.
  2. Even with the above commit, one still needs to disable caching, or else:
$ dig +short a @127.0.0.53 mirrors.rit.edu.
smoke.rc.rit.edu.
129.21.171.72
$ dig +short a @127.0.0.53 mirrors.rit.edu.
smoke.rc.rit.edu.

Debug output shows that the cache is storing both the CNAME and A records:

Added positive unauthenticated cache entry for mirrors.rit.edu IN CNAME 282s on */INET/8.8.8.8
Added positive unauthenticated cache entry for smoke.rc.rit.edu IN A 7200s on */INET/8.8.8.8

But then something on cache get, it seems to be confusing the presence of a CNAME with an A record...

Looking up RR for mirrors.rit.edu IN A.
Positive cache hit for mirrors.rit.edu IN A
Transaction 22757 for <mirrors.rit.edu IN A> on scope dns on */* now complete with <success> from cache (unsigned).

There exists no A record for mirrors.rit.edu cache if you're to believe the above log lines from the first query...

@Mic92 Mic92 referenced this issue in NixOS/nixpkgs Dec 15, 2016

Closed

[WIP] nsswitch: use libnss_resolve if resolved is enabled #21178

0 of 7 tasks complete

warsaw commented Jan 4, 2017

@tsimonq2 If you install libnss-resolve, it apparently modifies /etc/nsswitch.conf to point at resolve before dns, so that is a workaround. However it'll still bite you in schroots.

poettering added a commit to poettering/systemd that referenced this issue Feb 8, 2017

resolved: follow CNAMES for DNS stub replies
Clients expect us to follow CNAMEs for them, hence do so. On the first
iteration start putting together a packet, and then keep adding data we
acquire through CNAMEs to it, until we finally send it off.

Fixes: #3826
Owner

poettering commented Feb 8, 2017

Fix waiting in #5276.

@poettering poettering added the has-pr label Feb 8, 2017

I think I'm hitting this bug when trying to update with sudo dnf -v --refresh update. I get

Cannot download 'https://mirrors.fedoraproject.org/metalink?repo=fedora-25&arch=x86_64': Cannot prepare internal mirrorlist: Curl error (6): Couldn't resolve host name for https://mirrors.fedoraproject.org/metalink?repo=fedora-25&arch=x86_64 [Could not resolve host: mirrors.fedoraproject.org].
Error: Failed to synchronize cache for repo 'fedora'

dig @127.0.0.53 mirrors.fedoraproject.org returns

;; ANSWER SECTION:
mirrors.fedoraproject.org. 21   IN      CNAME   wildcard.fedoraproject.org.

dig @8.8.8.8 mirrors.fedoraproject.org returns

;; ANSWER SECTION:
mirrors.fedoraproject.org. 243  IN      CNAME   wildcard.fedoraproject.org.
wildcard.fedoraproject.org. 3   IN      A       85.236.55.6
wildcard.fedoraproject.org. 3   IN      A       174.141.234.172
wildcard.fedoraproject.org. 3   IN      A       209.132.181.16
wildcard.fedoraproject.org. 3   IN      A       152.19.134.142
wildcard.fedoraproject.org. 3   IN      A       8.43.85.67
wildcard.fedoraproject.org. 3   IN      A       185.141.165.254
wildcard.fedoraproject.org. 3   IN      A       140.211.169.206
wildcard.fedoraproject.org. 3   IN      A       152.19.134.198
wildcard.fedoraproject.org. 3   IN      A       209.132.181.15
wildcard.fedoraproject.org. 3   IN      A       67.219.144.68

The only thing I don't get is why has dnf been working fine till now?

@keszybz keszybz closed this in e8d23f9 Feb 12, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment