[Bug 1646538] Re: pdns-recursor 4.0.0~alpha2-2 fails on FORMERR response to EDNS query
Mathew Hodson
mathew.hodson at gmail.com
Sat Dec 17 18:03:08 UTC 2016
** Description changed:
- The pdns-recursor in Xenial returns this:
+ [Impact]
- $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec
- ...
- ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57895
+ pdns-recursor in Xenial fails on FORMERR response to EDNS query.
- While it should return this:
+ This can manifest itself through postfix not being able to send mail to
+ Office 365 domains. When postfix tries to enable DNSSEC validation, the
+ A record lookups start to fail, and this failure is cached for non-EDNS
+ lookups as well.
- ...
- umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.87
- umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.23
+ pdns-recursor in Xenial returns this:
+
+ $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec
+ ...
+ ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57895
Because the relevant NS returns FORMERR (it doesn't support EDNS):
- $ dig A umcg-nl.mail.protection.outlook.com. \
- @ns1-proddns.glbdns.o365filtering.com. +edns +dnssec
- ...
- ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1004
- ...
- ;; WARNING: EDNS query returned status FORMERR - retry with '+nodnssec +noedns'
+ $ dig A umcg-nl.mail.protection.outlook.com. \
+ @ns1-proddns.glbdns.o365filtering.com. +edns +dnssec
+ ...
+ ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1004
+ ...
+ ;; WARNING: EDNS query returned status FORMERR - retry with '+nodnssec +noedns'
- This has been fixed in later versions of pdns, specifically here:
+ This has been fixed upstream, specifically here:
https://github.com/PowerDNS/pdns/commit/9d534f2a12defc44d2a79291bf34b82e5ee28121
- After applying that patch onto 4.0.0~alpha2-2, pdns-recursor behaves as
- expected and returns the correct A records.
+ [Test Case]
+ Run dig with an NS that doesn't support EDNS: $ dig A [name] @127.0.0.1
+ +edns +dnssec
- This bug manifested itself in our case through Postfix not being able to
- send mail to Office 365 domains. When postfix tried to enable optional
- DNSSEC validation -- which it did because of a builtin default -- the A
- record lookups would start to fail, and this failure would be cached for
- non-EDNS lookups as well.
+ For example: $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1
+ +edns +dnssec
- See original discussion here:
- http://postfix.1071664.n5.nabble.com/EDNS-DANE-trouble-with-Microsoft-mail-protection-outlook-com-td87331.html#a87353
- "EDNS / DANE trouble with Microsoft mail.protection.outlook.com."
+ The correct A records should be returned similar to this:
- Attached, the patch that appears to fix the problem.
+ ...
+ umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.87
+ umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.23
- IMHO, Xenial (being an LTS) needs to get this fixed. Either by updating
- from 4.0.0 to something more recent, or by applying this patch.
+ [Regression Potential]
- Cheers,
- Walter Doekes
- OSSO B.V.
+ This is an upstream fix that has been out for a while.
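Review bot: [Regression Potential] at the end of the new description gives no evidence for this package version. The removed lines stating that the patch was applied onto 4.0.0~alpha2-2 and that pdns-recursor then returned the correct A records are exactly that evidence and should be kept in that section. The link to the original Postfix discussion is also dropped and is worth retaining as a reference.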
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1646538
Title:
  pdns-recursor 4.0.0~alpha2-2 fails on FORMERR response to EDNS query

Status in pdns-recursor package in Ubuntu:
  Fix Released
Status in pdns-recursor source package in Xenial:
  Triaged

Bug description:
  [Impact]

  pdns-recursor in Xenial fails on FORMERR response to EDNS query.

  This can manifest itself through postfix not being able to send mail
  to Office 365 domains. When postfix tries to enable DNSSEC validation,
  the A record lookups start to fail, and this failure is cached for
  non-EDNS lookups as well.

  pdns-recursor in Xenial returns this:

      $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec
      ...
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57895

  Because the relevant NS returns FORMERR (it doesn't support EDNS):

      $ dig A umcg-nl.mail.protection.outlook.com. \
          @ns1-proddns.glbdns.o365filtering.com. +edns +dnssec
      ...
      ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1004
      ...
      ;; WARNING: EDNS query returned status FORMERR - retry with '+nodnssec +noedns'

  This has been fixed upstream, specifically here:
  https://github.com/PowerDNS/pdns/commit/9d534f2a12defc44d2a79291bf34b82e5ee28121

  [Test Case]

  Run dig with an NS that doesn't support EDNS:

      $ dig A [name] @127.0.0.1 +edns +dnssec

  For example:

      $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec

  The correct A records should be returned similar to this:

      ...
      umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.87
      umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.23

  [Regression Potential]

  This is an upstream fix that has been out for a while.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pdns-recursor/+bug/1646538/+subscriptions
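
The failure mode in this report, as an added example that is not part of the bug report and is not PowerDNS code: a resolver that asks with EDNS, receives FORMERR, and either retries without EDNS or turns the error into a cached SERVFAIL. The server stub, the name mail.example. and the 192.0.2.x addresses are constructed; resolve, legacy_auth and the fallback parameter are hypothetical names.

```python
import struct

NOERROR, FORMERR, SERVFAIL = 0, 1, 2

def build_query(name, qid, edns):
    """Encode an A/IN query; with edns=True append an OPT RR with the DO bit set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    msg = struct.pack("!6H", qid, 0, 1, 0, 0, int(edns)) + qname + struct.pack("!HH", 1, 1)
    if edns:
        # root owner, TYPE=OPT(41), CLASS=UDP size 4096, TTL carries flags (DO=0x8000), RDLEN=0
        msg += b"\0" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return msg

def legacy_auth(query):
    """Constructed stand-in for a name server without EDNS support."""
    qid, _, _, _, _, ar = struct.unpack("!6H", query[:12])
    if ar:  # any additional record (the OPT RR) is rejected as malformed
        return struct.pack("!6H", qid, 0x8000 | FORMERR, 0, 0, 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 10, 4) + bytes(ip)
                   for ip in ((192, 0, 2, 87), (192, 0, 2, 23)))
    return struct.pack("!6H", qid, 0x8400, 1, 2, 0, 0) + query[12:] + rrs

def parse(resp):
    """Return (rcode, [A addresses]) for responses shaped like legacy_auth's."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", resp[:12])
    pos = 12
    for _ in range(qd):          # skip question: labels, root byte, QTYPE, QCLASS
        while resp[pos]:
            pos += resp[pos] + 1
        pos += 5
    addrs = []
    for _ in range(an):          # 2-byte name pointer + 10 fixed bytes + RDATA
        rdlen = struct.unpack("!H", resp[pos + 10:pos + 12])[0]
        addrs.append(".".join(map(str, resp[pos + 12:pos + 12 + rdlen])))
        pos += 12 + rdlen
    return flags & 0xF, addrs

def resolve(name, upstream, cache, fallback=True):
    """Ask with EDNS first; on FORMERR retry without EDNS when fallback is on."""
    if name in cache:
        return cache[name]
    rcode, addrs = parse(upstream(build_query(name, 0x1234, edns=True)))
    if rcode == FORMERR and fallback:
        rcode, addrs = parse(upstream(build_query(name, 0x1235, edns=False)))
    result = (NOERROR, addrs) if rcode == NOERROR else (SERVFAIL, [])
    cache[name] = result         # keyed by name only: a failure is served to non-EDNS clients too
    return result
```

With fallback=False the first EDNS query leaves a SERVFAIL in the cache for the name, which is the symptom the [Impact] section describes for postfix.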