[Bug 1785383] Re: missing EDNS0 record confuses systemd-resolved
Dan Streetman
ddstreet at canonical.com
Wed Dec 11 18:16:45 UTC 2019
> although from comment #4 it sounds like it might be a regression
> caused by a security fix.
It's not a security fix, it's a patch to get resolved working with specific broken captive portals, from bug 1727237 and bug 1766969. It was proposed upstream in this PR:
https://github.com/systemd/systemd/pull/8608
but was never accepted upstream, only added to Ubuntu. As this bug
shows, the patch does appear to actually still cause problems for people
even without DNSSEC on (that problem was fixed in Ubuntu separately with
bug 1796501).
Fixing dnsmasq is good, but at some point we'll need to properly fix
upstream to work around buggy captive portals in a way that doesn't cause
other problems.
https://bugs.launchpad.net/bugs/1785383
Title:
missing EDNS0 record confuses systemd-resolved
Status in systemd:
Fix Released
Status in dnsmasq package in Ubuntu:
Triaged
Status in systemd package in Ubuntu:
Triaged
Status in dnsmasq source package in Bionic:
Triaged
Status in systemd source package in Bionic:
New
Bug description:
[Impact]
dnsmasq 2.79 and below omits EDNS0 OPT records when returning an empty answer for a domain it is authoritative for. systemd-resolved seems to get confused by this in certain circumstances; when using the stub resolver and requesting an address for which there are no AAAA records, there can sometimes be a five second hang in resolution.
[Fix]
This is fixed by upstream commit http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1682d15a744880b0398af75eadf68fe66128af78
Not sure if it is worth cherry picking? I imagine the most likely
trigger will be dnsmasq on routers which are not likely to be running
Ubuntu, but maybe just in case.
I also think there are some logic issues in systemd-resolved, upstream
bug filed:
https://github.com/systemd/systemd/issues/9785
[Test Case]
Simple-ish test case:
---
IFACE=dummy0
SUBNET=10.0.0
ip link add $IFACE type dummy
ifconfig $IFACE ${SUBNET}.1/24
dnsmasq -h -R -d -C /dev/null -2 $IFACE -z -i $IFACE -I lo --host-record=test.test,${SUBNET}.1 &
dig -t a test.test @10.0.0.1 | grep EDNS
# should return "; EDNS ..."
dig -t aaaa test.test @10.0.0.1 | grep EDNS
# again, should return "; EDNS ..." but doesn't
---
To reproduce the systemd-resolved side of the problem:
---
# as above, but
# now configure systemd-resolved to look at only 10.0.0.1, then
systemd-resolve --reset-server-features
# should exhibit five second delay then connect, assuming sshd is running :)
ssh test.test
---
[Discussion]
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: dnsmasq-base 2.79-1
ProcVersionSignature: Ubuntu 4.15.0-23.25-generic 4.15.18
Uname: Linux 4.15.0-23-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.2
Architecture: amd64
Date: Sat Aug 4 11:33:56 2018
InstallationDate: Installed on 2018-05-31 (64 days ago)
InstallationMedia: Xubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
LANG=en_GB.UTF-8
SHELL=/bin/bash
SourcePackage: dnsmasq
UpgradeStatus: No upgrade log present (probably fresh install)
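Added example, not part of the bug report and not code from dnsmasq or systemd: a check for the condition described under [Impact], where a query advertises EDNS0 but the empty (NODATA) reply carries no OPT record. The function names and the sample messages are assumptions constructed for this illustration; the messages are built inline rather than captured from dnsmasq.

```python
import struct

TYPE_OPT, TYPE_AAAA, CLASS_IN = 41, 28, 1   # OPT pseudo-RR type is defined in RFC 6891

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:                # root label terminates the name
            return off + 1
        off += 1 + length

def has_edns0_opt(msg):
    """True if the message has an OPT record in its additional section."""
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
        for i in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if off > len(msg):
                raise IndexError("RDATA runs past end of message")
            if rtype == TYPE_OPT and i >= an + ns:
                return True
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed DNS message") from exc
    return False

def edns_dropped(query, response):
    """The condition in this bug: query advertised EDNS0, reply has no OPT."""
    return has_edns0_opt(query) and not has_edns0_opt(response)

# Constructed sample messages (not captured traffic): AAAA query for test.test
def _name(n):
    return b"".join(bytes([len(p)]) + p.encode() for p in n.split(".")) + b"\x00"

QUESTION = _name("test.test") + struct.pack("!HH", TYPE_AAAA, CLASS_IN)
OPT_RR = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)  # root name, 4096-byte UDP size
def build(flags, with_opt):
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 1 if with_opt else 0)
    return header + QUESTION + (OPT_RR if with_opt else b"")

QUERY = build(0x0100, True)            # RD set, EDNS0 advertised
NODATA_NO_OPT = build(0x8580, False)   # NOERROR, empty answer, OPT omitted
NODATA_WITH_OPT = build(0x8580, True)  # same reply with OPT echoed
```

edns_dropped(QUERY, NODATA_NO_OPT) is true for the reply shape the report attributes to dnsmasq 2.79 and below, and false once the OPT record is echoed back.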