resolve: do not hit CNAME or DNAME entry in NODATA cache

Bug #1822416 reported by Frans van Berckel
This bug affects 14 people
Affects             Status        Importance  Assigned to  Milestone
systemd (Ubuntu)    Fix Released  Undecided   Unassigned   -
  Bionic            Fix Released  Undecided   Unassigned   -
  Disco             Fix Released  Undecided   Unassigned   -
  Eoan              Fix Released  Undecided   Unassigned   -
  Focal             Fix Released  Undecided   Unassigned   -

Bug Description

The question: DNS A record lookups fail to resolve due to cached CNAME NODATA lookups ...

https://askubuntu.com/questions/1063462/18-04-server-systemd-resolve-returns-cached-cname-nodata-for-a-lookup

Upstream at Github: Systemd issue 998 - Cached cname NODATA returned for A lookup ...

https://github.com/systemd/systemd/issues/9833

Please patch ...

https://github.com/systemd/systemd/commit/3740146a4cbd99883af79e375ee4836206dcea4e
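The mechanism the report describes, as an added example (not systemd's code and not from the bug reporter): a negative-cache toy in which a NODATA answer cached for a CNAME query shadows a later A query for the same name until the lookup is made to skip non-positive CNAME entries. systemd-resolved's real cache lives in src/resolve/resolved-dns-cache.c and is keyed by (class, type, name); only the CNAME fallback path is modelled, and the DNAME path named in the bug title follows the same rule. Names, addresses and the `fixed` switch are constructed for the demonstration.

```python
"""Toy model of the resolver-cache behaviour behind this bug.

Added example, not systemd's code. systemd-resolved keeps its cache keyed by
(class, type, name) and, on a miss for the exact key, falls back to the CNAME
key of the name (and the DNAME keys of its parents). Only the CNAME path is
modelled here. Names, addresses and the `fixed` switch are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

POSITIVE = "POSITIVE"  # cached record set
NODATA = "NODATA"      # cached "name exists, but has no record of this type"


@dataclass(frozen=True)
class Key:
    name: str
    rtype: str


@dataclass
class Entry:
    kind: str                    # POSITIVE or NODATA
    rtype: str                   # type of the key the entry was stored under
    rdata: Optional[str] = None  # address or alias target for POSITIVE entries


class Cache:
    def __init__(self) -> None:
        self.by_key: Dict[Key, Entry] = {}

    def put(self, name: str, rtype: str, entry: Entry) -> None:
        self.by_key[Key(name.lower(), rtype)] = entry

    def lookup(self, name: str, rtype: str, fixed: bool) -> Optional[Entry]:
        """Exact key first, then fall back to the CNAME key for the name.

        Buggy behaviour (fixed=False): whatever sits under the CNAME key is
        returned, so a NODATA cached for a CNAME query is handed back as the
        answer to an A query, where it reads as "no A record".
        Fixed behaviour (fixed=True): only a POSITIVE CNAME entry is
        followed; a negative CNAME entry says nothing about other types.
        """
        exact = self.by_key.get(Key(name.lower(), rtype))
        if exact is not None:
            return exact
        if rtype == "CNAME":
            return None
        alias = self.by_key.get(Key(name.lower(), "CNAME"))
        if alias is not None and (not fixed or alias.kind == POSITIVE):
            return alias
        return None


def resolve(cache: Cache, upstream: Dict[Tuple[str, str], str],
            name: str, rtype: str, fixed: bool) -> Optional[str]:
    """Answer from the cache when possible, otherwise ask `upstream` and cache the reply."""
    hit = cache.lookup(name, rtype, fixed)
    if hit is not None:
        if hit.kind == NODATA:
            return None  # cached negative answer: the lookup fails without asking upstream
        if hit.rtype == "CNAME" and rtype != "CNAME":
            return resolve(cache, upstream, hit.rdata, rtype, fixed)  # follow the alias
        return hit.rdata
    answer = upstream.get((name.lower(), rtype))  # constructed stand-in for the DNS server
    if answer is None:
        cache.put(name, rtype, Entry(NODATA, rtype))
    else:
        cache.put(name, rtype, Entry(POSITIVE, rtype, answer))
    return answer


def run_scenario(fixed: bool) -> Optional[str]:
    """A CNAME query that gets NODATA, followed by an A query for the same name."""
    # Constructed zone: the name has an A record and no CNAME.
    upstream = {("www.example.test", "A"): "192.0.2.10"}
    cache = Cache()
    resolve(cache, upstream, "www.example.test", "CNAME", fixed)  # caches NODATA under the CNAME key
    return resolve(cache, upstream, "www.example.test", "A", fixed)


if __name__ == "__main__":
    print("buggy cache:", run_scenario(fixed=False))  # None: the A lookup fails
    print("fixed cache:", run_scenario(fixed=True))   # 192.0.2.10
```

The point of the `fixed` branch is that a negative entry is only meaningful for the exact (name, type) it was stored under; reaching it through the CNAME fallback turns "there is no CNAME here" into "there is no A record here", which is the failure the reporter saw until the cache was flushed.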

tags: added: 18.04
tags: added: systemd-resolved
Frans van Berckel (fberckel) wrote :

Extra question: is "Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP", as pointed out here, related?

https://www.linode.com/community/questions/17384/error-server-returned-error-nxdomain-mitigating-potential-dns-violation-dve-2018

Matt Frisch (mattf10) wrote :

I stopped using resolve because of this bug so unfortunately, I can't say whether or not that error appeared in the log at the same time.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in systemd (Ubuntu):
status: New → Confirmed
Eric Desrochers (slashd) wrote :

Seems like Disco and later already have the requested fix.

$ git describe --contains 3740146a4cbd99883af79e375ee4836206dcea4e
v240

$ rmadison systemd
 systemd | 204-5ubuntu20 | trusty | source
 systemd | 204-5ubuntu20.31 | trusty-security | source, amd64, arm64, armhf, i386, powerpc, ppc64el
 systemd | 204-5ubuntu20.31 | trusty-updates | source, amd64, arm64, armhf, i386, powerpc, ppc64el
 systemd | 229-4ubuntu4 | xenial | source, amd64, arm64, armhf, i386, powerpc, ppc64el, s390x
 systemd | 229-4ubuntu21.21 | xenial-security | source, amd64, arm64, armhf, i386, powerpc, ppc64el, s390x
 systemd | 229-4ubuntu21.23 | xenial-updates | source, amd64, arm64, armhf, i386, powerpc, ppc64el, s390x
 systemd | 237-3ubuntu10 | bionic | source, amd64, arm64, armhf, i386, ppc64el, s390x
 systemd | 237-3ubuntu10.29 | bionic-security | source, amd64, arm64, armhf, i386, ppc64el, s390x
 systemd | 237-3ubuntu10.33 | bionic-updates | source, amd64, arm64, armhf, i386, ppc64el, s390x

# Not affected:
 systemd | 240-6ubuntu5 | disco | source, amd64, arm64, armhf, i386, ppc64el, s390x
 systemd | 240-6ubuntu5.7 | disco-security | source, amd64, arm64, armhf, i386, ppc64el, s390x
 systemd | 240-6ubuntu5.8 | disco-updates | source, amd64, arm64, armhf, i386, ppc64el, s390x
 systemd | 242-7ubuntu3 | eoan | source, amd64, arm64, armhf, i386, ppc64el, s390x
 systemd | 242-7ubuntu3.2 | eoan-updates | source, amd64, arm64, armhf, i386, ppc64el, s390x
 systemd | 244-3ubuntu1 | focal | source, amd64, arm64, armhf, i386, ppc64el, s390x
 systemd | 244-3ubuntu5 | focal-proposed | source, amd64, arm64, armhf, i386, ppc64el, s390x

Changed in systemd (Ubuntu Focal):
status: Confirmed → Fix Released
Changed in systemd (Ubuntu Eoan):
status: New → Fix Released
Changed in systemd (Ubuntu Disco):
status: New → Fix Released
Eric Desrochers (slashd)
Changed in systemd (Ubuntu Bionic):
status: New → Confirmed
assignee: nobody → Eric Desrochers (slashd)
tags: added: st
tags: added: sts
removed: st
Eric Desrochers (slashd) wrote :

Bionic has been applied via LP: #1818527 introduced in version:

systemd (237-3ubuntu10.23) bionic; urgency=medium

  * d/p/resolved-do-not-hit-CNAME-in-NODATA.patch:
    - fix stub resolver cache (LP: #1818527)

Changed in systemd (Ubuntu Bionic):
status: Confirmed → Fix Released
assignee: Eric Desrochers (slashd) → nobody
xichen (xichen0425) wrote :

hi, Eric:

Could you please confirm that this bug has been fixed on Ubuntu bionic with version 237-3ubuntu10.38?

I am confused about your comment, as I found nothing when going through the update changes at https://www.ubuntuupdates.org/package/core/bionic/universe/updates/systemd.

Eric Desrochers (slashd) wrote :

You can find it here:
https://www.ubuntuupdates.org/package/core/bionic/universe/updates/systemd?id=1401429&page=2

-----
Version: 237-3ubuntu10.23 2019-06-21 00:06:25 UTC
  systemd (237-3ubuntu10.23) bionic; urgency=medium

  * d/p/resolved-do-not-hit-CNAME-in-NODATA.patch:
    - fix stub resolver cache (LP: #1818527)

 -- Heitor Alves de Siqueira <email address hidden> Tue, 04 Jun 2019 15:54:24 -0300

Source diff to previous version
1818527 Stub resolver cache is corrupted
-----

The fix was first introduced in "237-3ubuntu10.23", so "237-3ubuntu10.38" definitely should still have it, yes.

Peter Goodall (pjgoodall) wrote :

I have the same problem with 237-3ubuntu10.39 amd64

```
systemd-resolved[2198]: message repeated 3 times: [ Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.]

% lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic

% apt list systemd
Listing... Done
systemd/bionic-updates,now 237-3ubuntu10.39 amd64 [installed,automatic]
N: There are 2 additional versions. Please use the '-a' switch to see them.

```

Jerry Quinn (jlquinn) wrote :

I have the same problem in 237-3ubuntu10.41 amd64

May 30 12:55:59 cerberus systemd-resolved[1595]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.

Dan Streetman (ddstreet) wrote :

> Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.

The 'NXDOMAIN' messages are not related to this bug; a bit more detail is in this comment:
https://bugs.launchpad.net/ubuntu/bionic/+source/systemd/+bug/1785383/comments/12
