[Bug 1849733] Re: resolved incorrectly limits TCP reply to edns0 payload
Dan Streetman
ddstreet at canonical.com
Fri Oct 25 14:39:58 UTC 2019
** Description changed:
[impact]
glibc's getaddrinfo() uses EDNS0 to talk to resolved, and it sets its
payload limit to 1200. When the response is larger than 1200, resolved
will limit the response and set the truncate flag. This causes
getaddrinfo() to switch to TCP and request again, but glibc incorrectly
keeps the EDNS0 RR opt, with the same 1200 payload limit. Most dns
nameservers ignore EDNS0 payload limit for TCP, since per RFC it applies
only to UDP, but resolved does not and again marks the response as
truncated. This prevents getaddrinfo() from being able to resolve any
records with a response over 1200 bytes.
[test case]
use ping or telnet, which use getaddrinfo(), to lookup an A record with
a lot of results, like toomany100.ddstreet.org
$ telnet toomany100.ddstreet.org
telnet: could not resolve toomany100.ddstreet.org/telnet: Temporary failure in name resolution
[regression potential]
any regression would likely result in failure to correctly lookup a
hostname or to provide the correct response to a local client.
[other info]
+
+ note that on Bionic, this also requires backporting TCP pipelining
+ support in the stub resolver.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1849733
Title:
resolved incorrectly limits TCP reply to edns0 payload
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Bionic:
In Progress
Status in systemd source package in Disco:
In Progress
Status in systemd source package in Eoan:
Fix Released
Bug description:
[impact]
glibc's getaddrinfo() uses EDNS0 to talk to resolved, and it sets its
payload limit to 1200. When the response is larger than 1200,
resolved will limit the response and set the truncate flag. This
causes getaddrinfo() to switch to TCP and request again, but glibc
incorrectly keeps the EDNS0 RR opt, with the same 1200 payload limit.
Most dns nameservers ignore EDNS0 payload limit for TCP, since per RFC
it applies only to UDP, but resolved does not and again marks the
response as truncated. This prevents getaddrinfo() from being able to
resolve any records with a response over 1200 bytes.
[test case]
use ping or telnet, which use getaddrinfo(), to lookup an A record
with a lot of results, like toomany100.ddstreet.org
$ telnet toomany100.ddstreet.org
telnet: could not resolve toomany100.ddstreet.org/telnet: Temporary failure in name resolution
[regression potential]
any regression would likely result in failure to correctly lookup a
hostname or to provide the correct response to a local client.
[other info]
note that on Bionic, this also requires backporting TCP pipelining
support in the stub resolver.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1849733/+subscriptions
More information about the foundations-bugs
mailing list