[Bug 2024009] Re: [PATCH] systemd-resolved can't follow more than 8 CNAMEs
Brian Murray
2024009 at bugs.launchpad.net
Fri Jan 5 19:37:40 UTC 2024
Hello Vincent, or anyone else affected,
Accepted systemd into focal-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/systemd/245.4-4ubuntu3.23 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us in getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-focal to verification-done-focal. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-focal. In either case, without details of your
testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: systemd (Ubuntu Focal)
Status: Triaged => Fix Committed
** Tags added: verification-needed verification-needed-focal
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2024009
Title:
[PATCH] systemd-resolved can't follow more than 8 CNAMEs
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Focal:
Fix Committed
Bug description:
[Impact]
Using systemd-resolved to resolve a hostname which has more than 8
CNAME redirects will fail because of the hard-coded limit. While this
case is somewhat rare, the original reporter demonstrated a real-world
scenario where this happened (although that particular hostname seems
to be fixed now).
[Test Plan]
This test plan uses an LXC container to test systemd-resolved on Focal.
If LXD has not been configured on your system, start with:
$ lxd init --auto
Then, create a Focal container with:
$ lxc launch ubuntu-daily:focal focal
Install dnsmasq-base if needed:
$ apt install dnsmasq-base
Stop other DNS servers:
$ systemctl stop systemd-resolved
$ kill -9 $(pgrep dnsmasq)
Now, on the host, start a new DNS server that listens on lxdbr0 and
serves one A record plus a chain of CNAME records that ultimately
redirect to that A record:
$ dnsmasq \
--cname=test10.lan,test9.lan \
--cname=test9.lan,test8.lan \
--cname=test8.lan,test7.lan \
--cname=test7.lan,test6.lan \
--cname=test6.lan,test5.lan \
--cname=test5.lan,test4.lan \
--cname=test4.lan,test3.lan \
--cname=test3.lan,test2.lan \
--cname=test2.lan,test1.lan \
--cname=test1.lan,test0.lan \
-k -i lxdbr0 -z -I lo --host-record=test0.lan,$IP
where $IP is any host on your network.
Now, obtain a shell in the Focal container:
$ lxc exec focal bash
Attempt to resolve test10.lan:
$ resolvectl query test10.lan
test10.lan: resolve call failed: CNAME loop detected, or CNAME resolving disabled on 'test2.lan'
On an affected system, the above error will be seen. On a patched
system, the hostname should be resolved.
[Where problems could occur]
The patch simply increases the maximum CNAME redirects that are
allowed from 8 to 16, so a reasonable limit is still imposed. If an
application specifically relied on systemd-resolved's limit being at
8, then that application would potentially see new behavior.
[Original Description]
On Ubuntu 20.04 (systemd v245.4-4ubuntu3.21), hostname resolution only
follows 8 CNAME redirections maximum.
So when using a service like Azure Virtual Desktop that has between 9
and 12 redirections, name resolution fails.
$ host client.wvd.microsoft.com
Host client.wvd.microsoft.com not found: 2(SERVFAIL)
$ resolvectl query client.wvd.microsoft.com
client.wvd.microsoft.com: resolve call failed: CNAME loop detected, or CNAME resolving disabled on 'waws-prod-zrh-ff7172dd.sip.p.azurewebsites.windows.net'
On the other hand it's working fine on Ubuntu 20.04 because the CNAME
loop limit has been raised from 8 to 16.
$ host client.wvd.microsoft.com
client.wvd.microsoft.com is an alias for client.privatelink-global.wvd.microsoft.com.
client.privatelink-global.wvd.microsoft.com is an alias for client.privatelink.wvd.microsoft.com.
client.privatelink.wvd.microsoft.com is an alias for rdweb.wvd.microsoft.com.
rdweb.wvd.microsoft.com is an alias for rdweb.privatelink-global.wvd.microsoft.com.
rdweb.privatelink-global.wvd.microsoft.com is an alias for rdweb.privatelink.wvd.microsoft.com.
rdweb.privatelink.wvd.microsoft.com is an alias for rdweb-prod-geo.trafficmanager.net.
rdweb-prod-geo.trafficmanager.net is an alias for mrs-chnor1c101-rdweb-prod.wvd-ase-chnor1c101-prod.p.azurewebsites.net.
mrs-chnor1c101-rdweb-prod.wvd-ase-chnor1c101-prod.p.azurewebsites.net is an alias for waws-prod-zrh-63daa049.sip.p.azurewebsites.windows.net.
waws-prod-zrh-63daa049.sip.p.azurewebsites.windows.net is an alias for waws-prod-zrh-63daa049.cloudapp.net.
waws-prod-zrh-63daa049.cloudapp.net has address 51.107.69.35
Here's a quick fix that raises the max CNAME limit from 8 to 16, as it
is in Ubuntu 22.04; it fixes the problem for me.
Best regards,
Vincent.
--- systemd-245.4.ORIG/src/resolve/resolved-dns-query.c 2023-06-15 16:58:25.454156663 +0200
+++ systemd-245.4/src/resolve/resolved-dns-query.c 2023-06-01 14:30:09.000000000 +0200
@@ -10,7 +10,7 @@
#include "resolved-etc-hosts.h"
#include "string-util.h"
-#define CNAME_MAX 8
+#define CNAME_MAX 16
#define QUERIES_MAX 2048
#define AUXILIARY_QUERIES_MAX 64
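Review bot: the new value in `+#define CNAME_MAX 16` carries no comment explaining why 16 was chosen; the bug text says it matches the limit shipped in later releases, so put that rationale (and the bug number) in a comment beside the define, otherwise the next person tuning it has to rediscover why it moved from 8. The hunk also does not include the code that consumes CNAME_MAX, so the diff alone cannot show whether exceeding the budget is reported distinctly from a real loop or folded into the single "CNAME loop detected, or CNAME resolving disabled" message seen in the resolvectl output above; a sentence in the patch description naming where the limit is enforced would let a reviewer verify that without opening the full file.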
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: systemd 249.11-0ubuntu3.9 [modified: usr/lib/sysctl.d/50-default.conf]
ProcVersionSignature: Ubuntu 5.19.0-42.43~22.04.1-generic 5.19.17
Uname: Linux 5.19.0-42-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Thu Jun 15 16:53:19 2023
InstallationDate: Installed on 2022-11-22 (205 days ago)
InstallationMedia: Error: [Errno 13] Permission denied: '/var/log/installer/media-info'
MachineType: Dell Inc. Latitude 5591
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.19.0-42-generic root=/dev/mapper/AmadeUbuntu22-root ro apparmor=1 security=apparmor audit=1 acpi_rev_override load_nvme=YES nouveau.modeset=0 dis_ucode_ldr quiet splash
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: systemd
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 11/21/2022
dmi.bios.release: 1.25
dmi.bios.vendor: Dell Inc.
dmi.bios.version: 1.25.0
dmi.board.name: 0DVVG1
dmi.board.vendor: Dell Inc.
dmi.board.version: A00
dmi.chassis.type: 10
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvr1.25.0:bd11/21/2022:br1.25:svnDellInc.:pnLatitude5591:pvr:rvnDellInc.:rn0DVVG1:rvrA00:cvnDellInc.:ct10:cvr:sku0819:
dmi.product.family: Latitude
dmi.product.name: Latitude 5591
dmi.product.sku: 0819
dmi.sys.vendor: Dell Inc.
modified.conffile..etc.cron.daily.apport: [deleted]
mtime.conffile..etc.systemd.journald.conf: 2022-11-22T13:40:37.558934
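The failure mode in the test plan is easiest to see in a small model of what a CNAME-following resolver does with a redirect budget. The C below is an added example, not code from systemd or from this bug; the zone data is constructed to mirror the dnsmasq command in the test plan (test10.lan chained down to an A record at test0.lan), and the record type, result enum and function names are this example's own. Unlike the resolvectl message on the page, which reports both conditions with one string, the model reports a genuine loop and an exhausted budget as separate results, which is the distinction a reader of the "Where problems could occur" section wants to reason about.

```c
#include <stdio.h>
#include <string.h>

/* One DNS record in a constructed zone: a CNAME alias (cname set) or an
 * address record that terminates the chain (cname == NULL). */
typedef struct {
    const char *name;
    const char *cname;
} Record;

/* Outcome of chain following; a loop and an exhausted budget are
 * reported separately so callers can tell them apart. */
typedef enum { RES_OK, RES_NXDOMAIN, RES_LOOP, RES_LIMIT } Result;

#define VISITED_MAX 64   /* upper bound on any cname_max this model accepts */

static const Record *lookup(const Record *zone, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(zone[i].name, name) == 0)
            return &zone[i];
    return NULL;
}

/* Follow CNAMEs from 'name' until an address record is reached.
 * On RES_OK 'out' receives the terminal owner name; on RES_LOOP or
 * RES_LIMIT it receives the name at which following stopped. */
Result follow_cname(const Record *zone, size_t n, const char *name,
                    int cname_max, char *out, size_t outlen)
{
    const char *visited[VISITED_MAX];
    int hops = 0;
    const char *cur = name;

    if (cname_max > VISITED_MAX)
        cname_max = VISITED_MAX;

    for (;;) {
        const Record *r = lookup(zone, n, cur);
        if (r == NULL)
            return RES_NXDOMAIN;
        if (r->cname == NULL) {
            snprintf(out, outlen, "%s", cur);
            return RES_OK;
        }
        /* A name already seen in this chain means a genuine loop. */
        for (int i = 0; i < hops; i++) {
            if (strcmp(visited[i], cur) == 0) {
                snprintf(out, outlen, "%s", cur);
                return RES_LOOP;
            }
        }
        /* No loop, but the redirect budget is exhausted. */
        if (hops >= cname_max) {
            snprintf(out, outlen, "%s", cur);
            return RES_LIMIT;
        }
        visited[hops++] = cur;
        cur = r->cname;
    }
}

/* Constructed zone mirroring the dnsmasq command in the test plan:
 * test10.lan -> test9.lan -> ... -> test1.lan -> test0.lan (A record). */
const Record zone_chain[] = {
    { "test0.lan", NULL },
    { "test1.lan", "test0.lan" }, { "test2.lan", "test1.lan" },
    { "test3.lan", "test2.lan" }, { "test4.lan", "test3.lan" },
    { "test5.lan", "test4.lan" }, { "test6.lan", "test5.lan" },
    { "test7.lan", "test6.lan" }, { "test8.lan", "test7.lan" },
    { "test9.lan", "test8.lan" }, { "test10.lan", "test9.lan" },
};
const size_t zone_chain_len = sizeof zone_chain / sizeof zone_chain[0];

/* Constructed zone containing a real two-name loop. */
const Record zone_loop[] = {
    { "a.lan", "b.lan" }, { "b.lan", "a.lan" },
};
const size_t zone_loop_len = sizeof zone_loop / sizeof zone_loop[0];

int main(void)
{
    static const char *names[] = { "ok", "nxdomain", "loop", "limit" };
    char out[256];
    Result r;

    r = follow_cname(zone_chain, zone_chain_len, "test10.lan", 8, out, sizeof out);
    printf("limit 8:  %s at %s\n", names[r], out);
    r = follow_cname(zone_chain, zone_chain_len, "test10.lan", 16, out, sizeof out);
    printf("limit 16: %s at %s\n", names[r], out);
    r = follow_cname(zone_loop, zone_loop_len, "a.lan", 16, out, sizeof out);
    printf("loop:     %s at %s\n", names[r], out);
    return 0;
}
```

With a budget of 8 the ten-hop chain stops at test2.lan in this model, with 16 it reaches test0.lan, and the a.lan/b.lan zone is reported as a loop regardless of budget. The budget is still a hard ceiling: raising it from 8 to 16 only moves the point at which a long but legitimate chain is cut off, and any client that assumed the old cutoff would now see the longer chain resolve.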
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2024009/+subscriptions