Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Determine DNS resolver features independent from actual queries #9384

Open
ott opened this issue Jun 22, 2018 · 1 comment
Open

Determine DNS resolver features independent from actual queries #9384

ott opened this issue Jun 22, 2018 · 1 comment
Labels
resolve

Comments

@ott
Copy link
Contributor

ott commented Jun 22, 2018

systemd-resolved determines features that are supported by an upstream DNS resolver and adjusts its query behaviour accordingly. So, for example, if an upstream resolver supports TCP, systemd-resolved sends queries over TCP. At the moment it adjusts the supported features under one of the following conditions:

  • A query timeout occurs.
  • A response with its RCODE set to FormErr, ServFail or NotImp is received.
  • A TCP connection could not be established.
  • A TLS connection could not be established.
  • A response with an invalid OPT RR is received.
  • A response with a missing RRSIG RR is received, although the DO bit is set.
  • A truncated response is received.

Some of these conditions are incorrect. For example, a query timeout can occur under many conditions and ServFail can be returned under many circumstances that do not imply that the resolver does not support a certain feature. It was reported multiple times, for example, that systemd-resolved unnecessarily degrades the feature level and becomes unusable, if DNSSEC validation is enabled and the upstream resolver returns ServFail because a query timeout occurred.

Therefore it seems best to determine the supported features independent from the actual queries that systemd-resolved forwards to upstream resolvers. One possibility would be to send probe queries with an empty question section or queries for the SOA RR of the root zone. However, it might be possible that some broken resolvers don't understand an empty question section or SOA RRs. So one open question is what a probe query should contain.

And of course it would still make sense to use feedback from actual queries, for example, if a TCP connection failed.

Moreover, the current feature level state diagram seems questionable to me. If I'm not mistaken, there are multiple orthogonal and independent features:

  • TCP support
  • DNS over TLS support
  • EDNS0 support and supported options

It seems best to first determine whether queries over TCP are supported. This makes it easier to determine whether the upstream resolver did not reply because it can't be lost. Then support for EDNS0 and the various EDNS0 options can be determined. Last should be DNS over TLS to be able validate the resolvers certificate. If TCP is not supported there should be some timeout and retransmission algorithm. Perhaps it easiest to use some variant of RFC 6298.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
resolve
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ott @yuwata