[Bug 1940715] Re: systemd-resolved restricts edns0 advertised max size to 512
Bug Watch Updater
1940715 at bugs.launchpad.net
Wed Dec 8 08:44:17 UTC 2021
** Changed in: systemd
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1940715
Title:
systemd-resolved restricts edns0 advertised max size to 512
Status in systemd:
Fix Released
Status in systemd package in Ubuntu:
New
Status in systemd source package in Bionic:
In Progress
Status in systemd source package in Focal:
In Progress
Status in systemd source package in Hirsute:
In Progress
Status in systemd source package in Impish:
New
Bug description:
[impact]
When talking to upstream nameservers, systemd-resolved limits its
advertised max packet size to 512 in its edns0 opt. However, one of
the primary benefits of edns0 is to allow using packet sizes larger
than 512, which is the pre-edns0 max packet size.
This results in systemd-resolved failing to handle responses larger
than 512 with udp/edns0, and having to fall back to tcp. This is not
optimal (since tcp dns imposes significantly higher overhead) and may
even cause failures if a firewall allows udp dns but blocks tcp dns
traffic.
[test case]
enable debug logging in systemd-resolved, with 'sudo systemctl edit
systemd-resolved' and then add:
[Service]
Environment=SYSTEMD_LOG_LEVEL=debug
then save that file and restart systemd-resolved (or reboot).
Make sure to flush the cache and reset server features before
reproducing:
$ sudo resolvectl flush-caches
$ sudo resolvectl reset-server-features
Lookup 'toomany.ddstreet.org' and check systemd-resolved logs to see
if it used TCP fallback or not:
...
Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Reply truncated, retrying via TCP.
...
Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Verified we get a response at feature level TCP from DNS server 10.202.51.1.
Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Added positive unauthenticated cache entry for toomany.ddstreet.org IN A 1799s on eth0/INET/10.202.51.1
A correct lookup using larger EDNS0 response size looks like:
...
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Using feature level UDP+EDNS0 for transaction 43808.
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Using DNS server 10.202.51.1 for transaction 43808.
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Announcing packet size 1472 in egress EDNS(0) packet.
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Sending query packet with id 43808 of size 49.
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Processing query...
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Received dns UDP packet of size 689, ifindex=131, ttl=0, fragsize=0
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Processing incoming packet of size 689 on transaction 43808 (rcode=SUCCESS).
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Added positive unauthenticated non-confidential cache entry for toomany.ddstreet.org IN A 1175s on eth0/INET/10.202.51.1
...
[regression potential]
failure to correctly look up dns records, or other problems while
performing dns lookups with systemd-resolved
[scope]
This is needed for all releases.
This still needs fixing upstream:
https://github.com/systemd/systemd/pull/20528
To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1940715/+subscriptions