[Bug 1854976] Re: systemd-resolved doesn't work with "host -l" / AXFR queries

ghomem 1854976 at bugs.launchpad.net
Wed Dec 4 02:48:13 UTC 2019 

Hi,

I work with Jose Manuel Santamaria Lema.

Thank you for taking your time to review.

Perhaps we should be a little cautious in regards what we call "normal"
and "reasonable". During the last 20+ years of Linux people able were to
do "host -l" against servers that were configured to allow so - for
example internal name servers that are authoritative for local (LAN
related) domains - using directly the local resolver

I would call the ability to do such queries "normal" and "reasonable"
because it has been common practice during the last 20+ years. Yesterday
was the first time that I have seen the possibility of such queries not
working (20.04 early builds). Linux Torvalds usually says "we don't
break user space" when changes in the kernel cause problems on user
space applications that have certain expectations regarding how the
kernel behaves because tradition is some kind of jurisprudence. I feel
this is kind of the same situation.

Apart from common practice we could think of other criteria for deciding
this. For example what the RFCs say. I am by no mean a DNS authority -
please feel free to correct me if I am wrong. Digging little bit I found
this:

----

An AXFR query is sent by a client whenever there is a reason to ask.
   This might be because of scheduled or triggered zone maintenance
   activities (see Section 4.3.5 of RFC 1034 and DNS NOTIFY [RFC1996],
   respectively) or as a result of a command line request, say for
   debugging.

----

Note that it mentions debugging and that ubuntu users are not the
average computer "end users" but often a more technical crowd that uses
computers to configure and debug. Also, the document refers to
"resolvers and servers" and doesn't say AXFR queries are exclusive to
authoritative servers.

In that context, does not seek like an accident that it worked with
dnsmasq - seems the dnsmasq implemented the feature, like bind and
others do.

Reference:

https://tools.ietf.org/html/rfc5936

Lastly, I would say that the decision to downgrade or not the local
resolver should come from Ubuntu, rather than systemd. This might not be
an "end of the world" situation but still it is a regression that should
be assessed, with gains and losses from the resolver change fairly
weighted.

Thank you,

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1854976

Title:
  systemd-resolved doesn't work with "host -l" / AXFR queries

Status in systemd package in Ubuntu:
  New

Bug description:
  Hello,

  some time ago network-manager in Ubuntu switched from dnsmasq to
  systemd-resolved.

  When network-manager used dnsmasq to handle DNS, one could use "host
  -l" to list all the hosts in a DNS zone, something like this:

  $ host -l mydomain.lan
  mydomain.lan name server mydns.mydomain.lan
  host1.mydomain.lan has address x.x.x.x
  host2.mydomain.lan has address x.x.x.x
  host3.mydomain.lan has address x.x.x.x
  host4.mydomain.lan has address x.x.x.x
  [...]

  That, unfortunately, no longer works since the switch to systemd-resolved, it always fails like this:
  $ host -l mydomain.lan
  Host mydomain.lan not found: 4(NOTIMP)
  ; Transfer failed.

  And I think that's because systemd-resolved is "filtering" the AXFR
  queries issued by "host -l" (I checked the network traffic with tcdump
  and that "NOTIMP" comes from the loopback interface).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1854976/+subscriptions

More information about the foundations-bugs mailing list