[Bug 1717015] Re: libc resolver stops searching domain search list after getting back NSEC record

Jonathan Kamens jik at kamens.brookline.ma.us
Thu Sep 21 12:17:26 UTC 2017


The host name jik5.kamens.us exists:

>$ host jik5.kamens.us
>jik5.kamens.us has address 146.115.42.232

Just to be clear, that's a DNS record, not a local entry in /etc/hosts.
To prove that, here are the last few lines of the output of `dig
jik5.kamens.us +trace`:

>jik5.kamens.us.         1800    IN      A       146.115.42.232
>kamens.us.              1800    IN      NS      dns2.registrar-servers.com.
>kamens.us.              1800    IN      NS      dns1.registrar-servers.com.
>;; Received 118 bytes from 216.87.152.33#53(dns2.registrar-servers.com) in 47 ms

I run a local named. When this is in my /etc/resolv.conf:

>nameserver 127.0.0.1
>search quantopian.com kamens.us

...here's what I get when I run "ping jik5":

>$ ping jik5
>ping: jik5: Name or service not known

And here's what happens when I reverse the order of the domains on the
"search" line in /etc/resolv.conf and list kamens.us first:

>$ ping jik5
>PING jik5.kamens.us (146.115.42.232) 56(84) bytes of data.
>64 bytes from 146-115-42-232.s5094.c3-0.abr-ubr1.sbo-abr.ma.cable.rcncustomer.com (146.115.42.232): icmp_seq=1 ttl=64 time=0.371 ms
>...

I've attached the packet capture resulting from the first lookup above,
i.e., the one when quantopian.com is listed first in /etc/resolv.conf.


** Attachment added: "lookup.pcapng"
   https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1717015/+attachment/4954293/+files/lookup.pcapng

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1717015

Title:
  libc resolver stops searching domain search list after getting back
  NSEC record

Status in glibc package in Ubuntu:
  New

Bug description:
  Suppose that:

  1. you have a "search" line in your /etc/resolv.conf file;
  2. it has two domains in it; and
  3. the first of the two domains does DNSSEC, including returning NSEC records for nonexisting hosts.

  In this situation, when you try to look up a host name in the second
  domain without specifying the domain part of the host name, the libc
  resolver will stop after it gets back the NSEC record and report that
  the host name doesn't exist, rather than moving on to the second
  domain in the search list and searching for the host in that domain.

  See also https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1717014

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: libc6 2.24-9ubuntu2.2
  ProcVersionSignature: Ubuntu 4.10.0-33.37-generic 4.10.17
  Uname: Linux 4.10.0-33-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.5
  Architecture: amd64
  CurrentDesktop: Unity:Unity7
  Date: Wed Sep 13 16:00:45 2017
  Dependencies:
   gcc-6-base 6.3.0-12ubuntu2
   libc6 2.24-9ubuntu2.2
   libgcc1 1:6.3.0-12ubuntu2
  InstallationDate: Installed on 2016-08-09 (400 days ago)
  InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
  SourcePackage: glibc
  UpgradeStatus: Upgraded to zesty on 2017-04-19 (147 days ago)
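
A way to check a host for the symptom described in this report, as an added example that is not part of the original message or of glibc: it compares the search-list lookup of a short name with explicit absolute lookups in each search domain. The function names and the `reported_lookup` stand-in are hypothetical; the sample data is constructed from the values quoted above.

```python
import socket

# Constructed sample: the resolv.conf shown in the report above.
SAMPLE_RESOLV_CONF = "nameserver 127.0.0.1\nsearch quantopian.com kamens.us\n"

def parse_search_list(text):
    """Return the domains of the last 'search' line (the last one wins)."""
    domains = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "search":
            domains = fields[1:]
    return domains

def system_lookup(name):
    """Resolve through libc getaddrinfo(); return sorted addresses, [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_search_list(short_name, domains, lookup=system_lookup):
    """Compare the search-list lookup of short_name with one explicit lookup per domain."""
    via_search = lookup(short_name)
    # A trailing dot makes each candidate absolute, so the search list is not applied to it.
    per_domain = {d: lookup(f"{short_name}.{d.rstrip('.')}.") for d in domains}
    resolving = [d for d in domains if per_domain[d]]
    return {
        "via_search": via_search,
        "per_domain": per_domain,
        "first_resolving_domain": resolving[0] if resolving else None,
        # Symptom in the report: the short name fails although a listed domain has the host.
        "search_stopped_early": not via_search and bool(resolving),
    }

def reported_lookup(name):
    """Constructed stand-in for the affected resolver, modelled on the results in the report."""
    return {"jik5.kamens.us.": ["146.115.42.232"]}.get(name, [])

if __name__ == "__main__":
    domains = parse_search_list(SAMPLE_RESOLV_CONF)
    print(check_search_list("jik5", domains, lookup=reported_lookup))
    # On a live host, drop the lookup= argument and parse /etc/resolv.conf instead.
```

Because the short-name lookup goes through getaddrinfo(), it also reflects /etc/hosts and nsswitch.conf, so a local hosts entry can mask the symptom.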
