[Bug 1646538] Re: pdns-recursor 4.0.0~alpha2-2 fails on FORMERR response to EDNS query

wdoekes 1646538 at bugs.launchpad.net
Wed Dec 7 13:05:45 UTC 2016


The patch is present in rec-4.0.0-beta1, so if Yakkety runs >=4.0.0 (not
alpha), we should be good.


But sure:

$ grep VERSION /etc/os-release  
VERSION="16.10 (Yakkety Yak)"
VERSION_ID="16.10"
VERSION_CODENAME=yakkety

$ dpkg -l pdns-recursor | grep ^ii
ii  pdns-recursor  4.0.1-1build2 amd64        PowerDNS Recursor

$ sudo netstat -apnAinet | grep 53.*pdns
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      18159/pdns_recursor 
udp        0      0 127.0.0.1:53            0.0.0.0:*                           18159/pdns_recursor 

$ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec +short
213.199.154.23
213.199.154.87


Confirmed. It's fixed in Yakkety.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1646538

Title:
  pdns-recursor 4.0.0~alpha2-2 fails on FORMERR response to EDNS query

Status in pdns-recursor package in Ubuntu:
  Triaged
Status in pdns-recursor source package in Xenial:
  Triaged

Bug description:
  The pdns-recursor in Xenial returns this:

      $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec
      ...
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57895

  While it should return this:

      ...
      umcg-nl.mail.protection.outlook.com. 10	IN A	213.199.154.87
      umcg-nl.mail.protection.outlook.com. 10	IN A	213.199.154.23

  Because the relevant NS returns FORMERR (it doesn't support EDNS):

      $ dig A umcg-nl.mail.protection.outlook.com. \
          @ns1-proddns.glbdns.o365filtering.com. +edns +dnssec
      ...
      ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1004
      ...
      ;; WARNING: EDNS query returned status FORMERR - retry with '+nodnssec +noedns'

  This has been fixed in later versions of pdns, specifically here:

  https://github.com/PowerDNS/pdns/commit/9d534f2a12defc44d2a79291bf34b82e5ee28121

  After applying that patch onto 4.0.0~alpha2-2, pdns-recursor behaves
  as expected and returns the correct A records.


  This bug manifested itself in our case through Postfix not being able
  to send mail to Office 365 domains. When Postfix tried to enable
  optional DNSSEC validation -- which it did because of a built-in
  default -- the A record lookups would start to fail, and this failure
  would be cached for non-EDNS lookups as well.

  See original discussion here:
  http://postfix.1071664.n5.nabble.com/EDNS-DANE-trouble-with-Microsoft-mail-protection-outlook-com-td87331.html#a87353
  "EDNS / DANE trouble with Microsoft mail.protection.outlook.com."

  Attached, the patch that appears to fix the problem.

  IMHO, Xenial (being an LTS) needs to get this fixed. Either by
  updating from 4.0.0 to something more recent, or by applying this
  patch.

  Cheers,
  Walter Doekes
  OSSO B.V.
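
An added example, not part of the original report and not PowerDNS code: a small model of a resolver talking to a nameserver that answers FORMERR to any query carrying an OPT record, with and without the plain retry that dig's warning suggests. All function names, the test name and the 192.0.2.23 answer are constructed for illustration; the logic of the actual upstream patch is not shown on this page.

```python
import struct

FORMERR, SERVFAIL = 1, 2  # DNS RCODE values

def build_query(qname, qid, edns):
    """A/IN query; with edns=True, add an OPT RR advertising 4096 bytes and the DO bit."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0) if edns else b""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, int(edns)) + question + opt

def rcode(msg):
    return msg[3] & 0x0F  # low four bits of the flags word

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk plain labels
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)          # pointer is 2 bytes, root label is 1

def a_records(msg):
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # name, then QTYPE and QCLASS
    found = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            found.append(".".join(map(str, msg[off + 10:off + 14])))
        off += 10 + rdlen
    return found

def non_edns_nameserver(query):
    """Constructed stand-in for an authoritative server that rejects OPT with FORMERR."""
    qid, arcount = struct.unpack("!H8xH", query[:12])
    if arcount:  # the only additional record this example ever sends is OPT
        return struct.pack("!HHHHHH", qid, 0x8000 | FORMERR, 0, 0, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 10, 4) + bytes([192, 0, 2, 23])
    return struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0) + query[12:] + rr

def resolve(qname, send, retry_without_edns):
    """Return (rcode seen by the client, A records, upstream queries sent)."""
    reply, sent = send(build_query(qname, 0x1234, edns=True)), 1
    if rcode(reply) == FORMERR and retry_without_edns:
        reply, sent = send(build_query(qname, 0x1235, edns=False)), 2
    if rcode(reply) != 0:
        return SERVFAIL, [], sent
    return 0, a_records(reply), sent
```

With retry_without_edns=False the client sees SERVFAIL after one upstream query, as in the Xenial output above; with True the second, OPT-free query returns the A record.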
