Unbound returns SERVFAIL for specific query on dual stacked machine

Bug #1472510 reported by Patrik Lundin
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
unbound (Ubuntu) | Fix Released | Medium | Unassigned |
Trusty | Fix Released | Medium | Unassigned |
Vivid | Fix Released | Undecided | Unassigned |

Bug Description

[Impact]
* Unbound is not able to look up certain hostnames in the default configuration when running on a dual stacked (IPv4 and IPv6) host.
* The impact of this on users is that it can lead to a nasty surprise when a currently IPv4-only host gets IPv6 connectivity.

[Test Case]
* On a machine that is currently dual stacked, you can verify the problem with unbound-host. Forcing it to IPv4- and IPv6 only should work, while allowing both will fail.
* IPv4-only (works):
===
unbound-host -4 -f /var/lib/unbound/root.key a.root-servers.net
===

* IPv6-only (works):
===
unbound-host -6 -f /var/lib/unbound/root.key a.root-servers.net
===

* Both (fails):
===
unbound-host -f /var/lib/unbound/root.key a.root-servers.net
===

[Regression Potential]
* I am not aware of any regression risks. Looking at the upstream tree I am not able to identify any diffs surrounding r3127 that seem relevant to this bump.

[Other Info]
* See attachment for debdiff against wily.

[Original Description]

Hello,

I noticed a problem on one of my dual stacked (IPv4 and IPv6) Trusty Tahr machines running unbound.

The problem initially was that I failed running dig +trace against it, where it would hang when looking up the root servers.

I could verify the problem using unbound-host:
===
# unbound-host -f /var/lib/unbound/root.key a.root-servers.net
Host a.root-servers.net not found: 2(SERVFAIL).
Host a.root-servers.net not found: 2(SERVFAIL).
Host a.root-servers.net not found: 2(SERVFAIL).
===

The most interesting part was that when forcing either IPv4 or IPv6, it worked:
===
# unbound-host -4 -f /var/lib/unbound/root.key a.root-servers.net
a.root-servers.net has address 198.41.0.4
a.root-servers.net has IPv6 address 2001:503:ba3e::2:30

# unbound-host -6 -f /var/lib/unbound/root.key a.root-servers.net
a.root-servers.net has address 198.41.0.4
a.root-servers.net has IPv6 address 2001:503:ba3e::2:30
===

Looking at the debug-output I noticed several occurrences of the following messages:
===
# unbound-host -d -d -f /var/lib/unbound/root.key a.root-servers.net
[...]
[1436342178] libunbound[14283:0] debug: request has exceeded the maximum number of sends with 17
[1436342178] libunbound[14283:0] debug: return error response SERVFAIL
[...]
===

Comparing this against the changelog of unbound (https://www.unbound.net/download.html) I noticed 1.5.0 had increased the MAX_SENT_COUNT definition from 16 to 32.

Attached is a diff which backports this change, which solved my problem.

The most annoying thing about this problem is that I can not recreate it on another host which is both the same Ubuntu version and dual stacked.
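
The check from the description as a script, added here as an example and not part of the original report or of the Unbound or Ubuntu packages: `classify_debug` looks for the two debug messages quoted above, and `run_testcase` runs the three lookups from the test case. The function names are made up for this example, and the sample input is constructed from the lines quoted in the report.

```shell
#!/bin/sh
# Added example: classify unbound-host debug output for the send-count cap.

# Reads `unbound-host -d -d ...` output on stdin and prints one of:
#   sent-limit:<N>  SERVFAIL together with the "maximum number of sends" message
#   servfail        SERVFAIL without that message (some other cause)
#   ok              no SERVFAIL seen
classify_debug() {
    awk '
        /request has exceeded the maximum number of sends with/ { limit = $NF }
        /return error response SERVFAIL/ { servfail = 1 }
        /not found: 2\(SERVFAIL\)/       { servfail = 1 }
        END {
            if (servfail && limit != "") print "sent-limit:" limit
            else if (servfail)           print "servfail"
            else                         print "ok"
        }'
}

# Runs the three lookups from the test case and prints one verdict per mode.
# KEY and NAME default to the values used in the report.
run_testcase() {
    key=${KEY:-/var/lib/unbound/root.key}
    name=${NAME:-a.root-servers.net}
    for mode in -4 -6 ""; do
        # $mode is left unquoted so the empty case adds no argument
        verdict=$(unbound-host -d -d $mode -f "$key" "$name" 2>&1 | classify_debug)
        printf '%s\t%s\n' "${mode:-both}" "$verdict"
    done
}

# Constructed sample: the two debug lines and the result line quoted in the report.
sample_failure() {
    classify_debug <<'EOF'
[1436342178] libunbound[14283:0] debug: request has exceeded the maximum number of sends with 17
[1436342178] libunbound[14283:0] debug: return error response SERVFAIL
Host a.root-servers.net not found: 2(SERVFAIL).
EOF
}

# Constructed sample: the successful output quoted in the report.
sample_success() {
    classify_debug <<'EOF'
a.root-servers.net has address 198.41.0.4
a.root-servers.net has IPv6 address 2001:503:ba3e::2:30
EOF
}
```

On an affected dual stacked host, `run_testcase` would be expected to report `ok` for `-4` and `-6` and `sent-limit:17` for `both`.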

Patrik Lundin (patrik-lundin) wrote :

Cancel that last part about not being able to recreate it on another machine for now. The other machine did not have proper IPv6 routing, making it IPv4 only in reality.

summary: - Unbound returns SERVFAIL for specific query on specific dual stacked
- machine
+ Unbound returns SERVFAIL for specific query on dual stacked machine
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unbound (Ubuntu):
status: New → Confirmed
Simon Déziel (sdeziel) wrote :

I can indeed reproduce the failure on a dual-stacked machine. As you said, using -4/-6 doesn't exceed the max sent count.

Robie Basak (racb)
Changed in unbound (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Patrik Lundin (patrik-lundin) wrote :

This is a blocker for putting Ubuntu based DNS resolvers in production, I would much appreciate any progress updates on this.

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Please see https://wiki.ubuntu.com/StableReleaseUpdates and https://wiki.ubuntu.com/SponsorshipProcess for the processes involved in checking and getting your patch into 14.04. If you're in a hurry then you'll need to prepare the uploads yourself and put them forward for sponsorship. First you need to prepare an upload for Wily to fix the bug in the development release, then follow the procedure documented on the SRU page. If you need any help following the process, try #ubuntu-devel on Freenode. Thanks!

Patrik Lundin (patrik-lundin) wrote :

[Impact]
* Unbound is not able to look up certain hostnames in the default configuration when running on a dual stacked (IPv4 and IPv6) host.
* The impact of this on users is that it can lead to a nasty surprise when a currently IPv4-only host gets IPv6 connectivity.

[Test Case]
* On a machine that is currently dual stacked, you can verify the problem with unbound-host. Forcing it to IPv4- and IPv6 only should work, while allowing both will fail.
* IPv4-only (works):
===
unbound-host -4 -f /var/lib/unbound/root.key a.root-servers.net
===

* IPv6-only (works):
===
unbound-host -6 -f /var/lib/unbound/root.key a.root-servers.net
===

* Both (fails):
===
unbound-host -f /var/lib/unbound/root.key a.root-servers.net
===

[Regression Potential]
* I am not aware of any regression risks. Looking at the upstream tree I am not able to identify any diffs surrounding r3127 that seem relevant to this bump.

[Other Info]
* See attachment for debdiff against wily.

Robie Basak (racb)
Changed in unbound (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → Medium
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "unbound_1.4.22-1ubuntu6.patch" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Patrik Lundin (patrik-lundin) wrote :

See attachment for updated debdiff based on feedback from Robie Basak.

Robie Basak (racb)
description: updated
Robie Basak (racb) wrote :

Uploaded to Wily.

Changed in unbound (Ubuntu):
status: Triaged → Fix Committed
Patrik Lundin (patrik-lundin) wrote :

Attached is a debdiff for trusty which is based on the wily patch.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unbound - 1.4.22-1ubuntu6

---------------
unbound (1.4.22-1ubuntu6) wily; urgency=medium

  * Make some lookups on a dual stacked (IPv4 and IPv6) host work.
    - debian/patches/increase-max_sent_count: Increase MAX_SENT_COUNT to 32,
      backported from Unbound 1.5.0 (LP: #1472510).
    - Can be verified with:
      # unbound-host -f /var/lib/unbound/root.key a.root-servers.net

 -- Patrik Lundin <email address hidden> Thu, 16 Jul 2015 09:04:58 +0200

Changed in unbound (Ubuntu):
status: Fix Committed → Fix Released
Robie Basak (racb) wrote :

Thank you for the patches! Uploaded to Trusty. Now awaiting SRU team review.

Changed in unbound (Ubuntu Trusty):
status: Triaged → In Progress
Patrik Lundin (patrik-lundin) wrote :

Awesome, thanks a lot for helping me improve the debdiffs :).

Brian Murray (brian-murray) wrote : Please test proposed package

Hello Patrik, or anyone else affected,

Accepted unbound into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unbound/1.4.22-1ubuntu4.14.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in unbound (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Brian Murray (brian-murray) wrote :

Is vivid also affected by this? If so it would be good to get it fixed there too.

Simon Déziel (sdeziel) wrote :

The Trusty proposed version (1.4.22-1ubuntu4.14.04.2) works well, thanks!

tags: added: verification-done
removed: verification-needed
Patrik Lundin (patrik-lundin) wrote :

I can also confirm that upgrading to packages in trusty-proposed solves my problems.

Patrik Lundin (patrik-lundin) wrote :

Attached is an equivalent debdiff for vivid.

Robie Basak (racb) wrote :

Thanks Patrik!

Uploaded to Vivid with one minor change: since package version 1.4.22-1ubuntu6 is already taken (in Wily), we can't use it again in Vivid so I changed the version to 1.4.22-1ubuntu5.1. This also indicates more clearly that the upload is an SRU.

Changed in unbound (Ubuntu Vivid):
status: New → In Progress
Patrik Lundin (patrik-lundin) wrote :

That sounds reasonable to me. I was not sure how I should handle the name collision.

Chris J Arges (arges) wrote :

Hello Patrik, or anyone else affected,

Accepted unbound into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unbound/1.4.22-1ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in unbound (Ubuntu Vivid):
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Patrik Lundin (patrik-lundin) wrote :

I can confirm that 1.4.22-1ubuntu5.1 solves the problem on vivid.

tags: added: verification-done
removed: verification-needed
Patrik Lundin (patrik-lundin) wrote :

Is there a reason the fix has not been released? Is there anything else I can do to make it happen?

Robie Basak (racb) wrote :

The Vivid update hasn't yet reached the minimum 7 day aging period. The Trusty one looks good to me though. Just needs to work its way up the pending SRU queue - http://people.canonical.com/~ubuntu-archive/pending-sru.html

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unbound - 1.4.22-1ubuntu4.14.04.2

---------------
unbound (1.4.22-1ubuntu4.14.04.2) trusty; urgency=medium

  * Make some lookups on a dual stacked (IPv4 and IPv6) host work.
    - debian/patches/increase-max_sent_count: Increase MAX_SENT_COUNT to 32,
      backported from Unbound 1.5.0 (LP: #1472510).
    - Can be verified with:
      # unbound-host -f /var/lib/unbound/root.key a.root-servers.net

 -- Patrik Lundin <email address hidden> Thu, 16 Jul 2015 12:45:58 +0200

Changed in unbound (Ubuntu Trusty):
status: Fix Committed → Fix Released
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for unbound has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unbound - 1.4.22-1ubuntu5.1

---------------
unbound (1.4.22-1ubuntu5.1) vivid; urgency=medium

  * Make some lookups on a dual stacked (IPv4 and IPv6) host work.
    - debian/patches/increase-max_sent_count: Increase MAX_SENT_COUNT to 32,
      backported from Unbound 1.5.0 (LP: #1472510).
    - Can be verified with:
      # unbound-host -f /var/lib/unbound/root.key a.root-servers.net

 -- Patrik Lundin <email address hidden> Mon, 20 Jul 2015 09:42:24 +0200

Changed in unbound (Ubuntu Vivid):
status: Fix Committed → Fix Released
Patrik Lundin (patrik-lundin) wrote :

Thanks for releasing the packages, I have it on my trusty servers now :).
