[Bug 1962453] Re: Apply default TTL to records obtained from getaddrinfo()
Sebastien Bacher
1962453 at bugs.launchpad.net
Tue May 24 07:50:16 UTC 2022
What's the status in 22.04? Wasn't it fixed in
https://bugs.launchpad.net/ubuntu/+source/keyutils/1.6.1-2ubuntu3 ?
Should we reopen for the current series?
https://bugs.launchpad.net/bugs/1962453
Title:
Apply default TTL to records obtained from getaddrinfo()
Status in keyutils package in Ubuntu:
Fix Released
Status in keyutils source package in Bionic:
Fix Released
Status in keyutils source package in Focal:
Incomplete
Status in keyutils source package in Impish:
Incomplete
Bug description:
[Impact]
========
There's a strong dependency for cifs.ko (and nfs.ko) on keyutils for
DNS resolution. The keyutils package contains the userspace utility that
updates the kernel keyring with the DNS name to IP address mapping. Prior to
1.6.2, this utility may erroneously set an unlimited lifetime for this
keyring in the kernel.
[Test plan]
===========
1. Create a file share on an SMB server (can be a samba server) with
two IP addresses. Make sure that FQDN of the server resolves to one of
these addresses.
2. Mount the created share on the cifs client using the FQDN of the
server. Make sure that the mount point is accessible.
3. Use the ss command on the client to kill the sockets that
connect to the server: sudo ss -K dport :445
4. Now update the DNS entry so that the server FQDN
resolves to the second IP address of the server. Make sure that
nslookup on the client now resolves to the new IP address.
5. Repeat step 3 to kill the sockets that connect to the server and force
a re-connection again.
Without the fix, after step 5, with the "ss -t" command, you'll see
that the client has reconnected to the old IP address, even when DNS
lookups return the new IP.
With the fix (after a reboot of the client machine to make sure that
kernel keys are refreshed), you'll see that the client reconnects to
the new IP address.
The bug is due to the unlimited lifetime set by key.dns_resolver (which is
part of the keyutils package). As a result, even if the IP address for the
DNS entries changes, the kernel filesystems continue to use the old IP
address because of the cached keys. This issue causes clients to
misbehave when Azure Files service endpoints move to a different
cluster.
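A quick way to check a client for the symptom described above is to look at the timeout column of the dns_resolver keys in /proc/keys: a cached DNS answer that will never be refreshed shows "perm" there. The script below is an added example, not part of the bug report or of keyutils; it assumes the /proc/keys column layout (serial, flags, usage, timeout, perm, uid, gid, type, description) and runs against a constructed sample so it can be tried without a cifs mount.

```shell
#!/bin/sh
# Added example, not from the bug report: list dns_resolver keys in the
# kernel keyring that have no expiry. In /proc/keys the timeout column reads
# "perm" for a key that never expires, which is the symptom this bug
# describes (the cached DNS answer is never refreshed).

# permanent_dns_keys [KEYS_FILE]  (defaults to the live /proc/keys)
# Prints "<serial> <description>" for each dns_resolver key whose timeout is "perm".
permanent_dns_keys() {
    awk '$8 ~ /^dns_res/ && $4 == "perm" {
        desc = $9
        for (i = 10; i <= NF; i++) desc = desc " " $i
        print $1, desc
    }' "${1:-/proc/keys}"
}

# count_permanent_dns_keys [KEYS_FILE]: number of such keys, written to stdout.
count_permanent_dns_keys() {
    permanent_dns_keys "$1" | wc -l | tr -d ' '
}

# sample_keys_file: writes a constructed /proc/keys excerpt to a temp file and
# prints its path. Serials and hostnames are made up for the demonstration.
sample_keys_file() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
00000001 I--Q---    10 perm 1f3f0000     0 65534 keyring   _uid.0: 2
1a2b3c4d I--Q---     1 perm 3f010000     0     0 dns_resol fileshare.example.test: 12
2b3c4d5e I--Q---     1  58s 3f010000     0     0 dns_resol other.example.test: 12
3c4d5e6f I--Q---     1 expd 3f010000     0     0 dns_resol stale.example.test: 12
EOF
    echo "$f"
}

# Demonstration on the constructed sample; call permanent_dns_keys with no
# argument to inspect the running system instead.
sample=$(sample_keys_file)
permanent_dns_keys "$sample"   # prints: 1a2b3c4d fileshare.example.test: 12
rm -f "$sample"
```

On a fixed client the dns_resolver entries show a finite timeout (for example "58s") instead of "perm", so the function prints nothing.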
[Where problems could occur]
============================
Address records obtained from getaddrinfo() don't come with any TTL
information, even if they're obtained from the DNS. Anyone relying on
this particular behaviour might face a problem or regression, but I
don't think they would, as it would still be highly
configurable.
[Other information]
===================
This request is essentially from one of our cloud partners and they're
highly affected by this.