[Bug 2024009] Re: [PATCH] systemd-resolved can't follow more than 8 CNAMEs
Nick Rosbrook
2024009 at bugs.launchpad.net
Wed Jan 10 20:16:15 UTC 2024
I have verified the fix using systemd 245.4-4ubuntu3.23 from focal-
proposed.
On the host, I have a Focal container, and killed the existing DNS
servers:
nr at clean-jammy-amd64:~$ lxc list
+-------+---------+------+----------------------------------------------+-----------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+-------+---------+------+----------------------------------------------+-----------+-----------+
| focal | RUNNING | | fd42:b04:cc58:1a82:216:3eff:fe28:d8d9 (eth0) | CONTAINER | 0 |
+-------+---------+------+----------------------------------------------+-----------+-----------+
nr at clean-jammy-amd64:~$ systemctl stop systemd-resolved
nr at clean-jammy-amd64:~$ kill -9 $(pgrep dnsmasq)
Then, I start a new DNS server with a record which contains 10 CNAME
redirects:
nr at clean-jammy-amd64:~$ sudo dnsmasq --cname=test10.lan,test9.lan
--cname=test9.lan,test8.lan --cname=test8.lan,test7.lan
--cname=test7.lan,test6.lan --cname=test6.lan,test5.lan
--cname=test5.lan,test4.lan --cname=test4.lan,test3.lan
--cname=test3.lan,test2.lan --cname=test2.lan,test1.lan
--cname=test1.lan,test0.lan -k -i lxdbr0 -z -I lo --host-
record=test0.lan,192.168.122.143
...
In the container, I have systemd installed from focal-proposed, and I
was able to successfully make the query despite more than 8 CNAME
redirects:
root at focal:~# apt policy systemd
systemd:
Installed: 245.4-4ubuntu3.23
Candidate: 245.4-4ubuntu3.23
Version table:
*** 245.4-4ubuntu3.23 500
500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
100 /var/lib/dpkg/status
245.4-4ubuntu3.22 500
500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
245.4-4ubuntu3.20 500
500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
245.4-4ubuntu3 500
500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
root at focal:~# resolvectl query test10.lan
test10.lan: 192.168.122.143 -- link: eth0
(test0.lan)
-- Information acquired via protocol DNS in 70.3ms.
-- Data is authenticated: no
** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2024009
Title:
[PATCH] systemd-resolved can't follow more than 8 CNAMEs
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Focal:
Fix Committed
Bug description:
[Impact]
Using systemd-resolved to resolve a hostname which has more than 8
CNAME redirects will fail because of the hard-coded limit. While this
case is somewhat rare, the original reporter demonstrated a real-world
scenario where this happened (although that particular hostname seems
to be fixed now).
[Test Plan]
This test plan uses a LXC container to test systemd-resolved on Focal.
If LXD has not been configured on your system, start with:
$ lxd init --auto
Then, create a Focal container with:
$ lxc launch ubuntu-daily:focal focal
Install dnsmasq-base if needed:
$ apt install dnsmasq-base
Stop other DNS servers:
$ systemctl stop systemd-resolved
$ kill -9 $(pgrep dnsmasq)
Now, on the host start a new DNS server that listens on lxdbr0, and
sets up an A record, and many CNAME records which ultimately redirect
to the A record:
$ dnsmasq \
--cname=test10.lan,test9.lan \
--cname=test9.lan,test8.lan \
--cname=test8.lan,test7.lan \
--cname=test7.lan,test6.lan \
--cname=test6.lan,test5.lan \
--cname=test5.lan,test4.lan \
--cname=test4.lan,test3.lan \
--cname=test3.lan,test2.lan \
--cname=test2.lan,test1.lan \
--cname=test1.lan,test0.lan \
-k -i lxdbr0 -z -I lo --host-record=test0.lan,$IP
where $IP is any host on your network.
Now, obtain a shell in the Focal container:
$ lxc exec focal bash
Attempt to resolve test10.lan:
$ resolvectl query test10.lan
test10.lan: resolve call failed: CNAME loop detected, or CNAME resolving disabled on 'test2.lan'
On an affected system, the above error will be seen. On a patched
system, the hostname should be resolved.
[Where problems could occur]
The patch simply increases the maximum CNAME redirects that are
allowed from 8 to 16, so a reasonable limit is still imposed. If an
application specifically relied on systemd-resolved's limit being at
8, then that application would potentially see new behavior.
[Original Description]
On Ubuntu 20.04 (systemd v245.4-4ubuntu3.21), hostname resolution only
follows 8 CNAME redirections maximum.
So when using a service like Azure Virtual Desktop that has between 9
and 12 redirections, name resolution fails.
$ host client.wvd.microsoft.com
Host client.wvd.microsoft.com not found: 2(SERVFAIL)
$ resolvectl query client.wvd.microsoft.com
client.wvd.microsoft.com: resolve call failed: CNAME loop detected, or CNAME resolving disabled on 'waws-prod-zrh-ff7172dd.sip.p.azurewebsites.windows.net'
On the other hand it's working fine on Ubuntu 20.04 because CNAME loop
limit has been raised from 8 to 16.
$ host client.wvd.microsoft.com
client.wvd.microsoft.com is an alias for client.privatelink-global.wvd.microsoft.com.
client.privatelink-global.wvd.microsoft.com is an alias for client.privatelink.wvd.microsoft.com.
client.privatelink.wvd.microsoft.com is an alias for rdweb.wvd.microsoft.com.
rdweb.wvd.microsoft.com is an alias for rdweb.privatelink-global.wvd.microsoft.com.
rdweb.privatelink-global.wvd.microsoft.com is an alias for rdweb.privatelink.wvd.microsoft.com.
rdweb.privatelink.wvd.microsoft.com is an alias for rdweb-prod-geo.trafficmanager.net.
rdweb-prod-geo.trafficmanager.net is an alias for mrs-chnor1c101-rdweb-prod.wvd-ase-chnor1c101-prod.p.azurewebsites.net.
mrs-chnor1c101-rdweb-prod.wvd-ase-chnor1c101-prod.p.azurewebsites.net is an alias for waws-prod-zrh-63daa049.sip.p.azurewebsites.windows.net.
waws-prod-zrh-63daa049.sip.p.azurewebsites.windows.net is an alias for waws-prod-zrh-63daa049.cloudapp.net.
waws-prod-zrh-63daa049.cloudapp.net has address 51.107.69.35
Here's a quick fix that raises the max CNAME limit from 8 to 16 like
it is in Ubuntu 22.04, it fixes the problem for me.
Best regards,
Vincent.
--- systemd-245.4.ORIG/src/resolve/resolved-dns-query.c 2023-06-15 16:58:25.454156663 +0200
+++ systemd-245.4/src/resolve/resolved-dns-query.c 2023-06-01 14:30:09.000000000 +0200
@@ -10,7 +10,7 @@
#include "resolved-etc-hosts.h"
#include "string-util.h"
-#define CNAME_MAX 8
+#define CNAME_MAX 16
#define QUERIES_MAX 2048
#define AUXILIARY_QUERIES_MAX 64
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: systemd 249.11-0ubuntu3.9 [modified: usr/lib/sysctl.d/50-default.conf]
ProcVersionSignature: Ubuntu 5.19.0-42.43~22.04.1-generic 5.19.17
Uname: Linux 5.19.0-42-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Thu Jun 15 16:53:19 2023
InstallationDate: Installed on 2022-11-22 (205 days ago)
InstallationMedia: Error: [Errno 13] Permission denied: '/var/log/installer/media-info'
MachineType: Dell Inc. Latitude 5591
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.19.0-42-generic root=/dev/mapper/AmadeUbuntu22-root ro apparmor=1 security=apparmor audit=1 acpi_rev_override load_nvme=YES nouveau.modeset=0 dis_ucode_ldr quiet splash
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: systemd
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 11/21/2022
dmi.bios.release: 1.25
dmi.bios.vendor: Dell Inc.
dmi.bios.version: 1.25.0
dmi.board.name: 0DVVG1
dmi.board.vendor: Dell Inc.
dmi.board.version: A00
dmi.chassis.type: 10
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvr1.25.0:bd11/21/2022:br1.25:svnDellInc.:pnLatitude5591:pvr:rvnDellInc.:rn0DVVG1:rvrA00:cvnDellInc.:ct10:cvr:sku0819:
dmi.product.family: Latitude
dmi.product.name: Latitude 5591
dmi.product.sku: 0819
dmi.sys.vendor: Dell Inc.
modified.conffile..etc.cron.daily.apport: [deleted]
mtime.conffile..etc.systemd.journald.conf: 2022-11-22T13:40:37.558934
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2024009/+subscriptions
More information about the foundations-bugs
mailing list