Servers not complying with RFC 6891 return FORMERR

Bug #2037238 reported by Andrew Titmuss
Affects            Status         Importance   Assigned to   Milestone
bind9 (Ubuntu)     Fix Released   Undecided    Unassigned
  Jammy            Fix Released   Undecided    Unassigned
  Lunar            Fix Released   Undecided    Unassigned

Bug Description

This has been fixed upstream in 9.18.17, see here: https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7888

This affects using bind9 as a recursive resolver for (according to the ISC ticket) 0.5% of servers. One such example can be seen by querying es.ap-southeast-2.amazonaws.com IN A

Source package: https://packages.ubuntu.com/source/jammy/bind9

$ lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04

$ apt-cache policy bind9
bind9:
  Installed: 1:9.18.12-0ubuntu0.22.04.3
  Candidate: 1:9.18.12-0ubuntu0.22.04.3
  Version table:
 *** 1:9.18.12-0ubuntu0.22.04.3 500
        500 http://au.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:9.18.1-1ubuntu1 500
        500 http://au.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

What I expect to happen:
I get a NOERROR response with an answer when I query DNS servers categorised by the ISC ticket. The following example uses my ISP's PowerDNS Recursor instance:
$ dig es.ap-southeast-2.amazonaws.com

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> es.ap-southeast-2.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15672
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;es.ap-southeast-2.amazonaws.com. IN A

;; ANSWER SECTION:
es.ap-southeast-2.amazonaws.com. 60 IN A 54.240.206.214

;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sun Sep 24 23:42:27 UTC 2023
;; MSG SIZE rcvd: 76

What happens:
When querying a recursive bind9 instance - SERVFAIL, no ANSWER section:
$ dig es.ap-southeast-2.amazonaws.com @10.16.0.1

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> es.ap-southeast-2.amazonaws.com @10.16.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17052
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 9a0b0bb6ca2af0f8010000006510ca2f8025cefb69b21412 (good)
;; QUESTION SECTION:
;es.ap-southeast-2.amazonaws.com. IN A

;; Query time: 16 msec
;; SERVER: 10.16.0.1#53(10.16.0.1) (UDP)
;; WHEN: Sun Sep 24 23:45:51 UTC 2023
;; MSG SIZE rcvd: 88

When querying the authoritative server directly with dig - FORMERR, EDNS COOKIE echoed:
$ dig es.ap-southeast-2.amazonaws.com @b.ns.ap-southeast-2.amazonaws.com

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> es.ap-southeast-2.amazonaws.com @b.ns.ap-southeast-2.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 47262
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 80d952006d3f0a53 (echoed)
;; QUESTION SECTION:
;es.ap-southeast-2.amazonaws.com. IN A

;; Query time: 4 msec
;; SERVER: 52.119.211.106#53(b.ns.ap-southeast-2.amazonaws.com) (UDP)
;; WHEN: Sun Sep 24 23:46:46 UTC 2023
;; MSG SIZE rcvd: 72
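The failure signature shown above and in the later BIND log line (an authoritative server answering FORMERR and merely echoing the client's DNS COOKIE instead of answering) can be recognised from the raw wire format. The following is an added example, not code from the bug report, BIND or ISC: it builds the same kind of EDNS query dig sends, parses the OPT RR of a reply, and classifies the reply; the reply it checks is constructed inline to imitate the misbehaving server, so no network is needed.

```python
import struct

EDNS_COOKIE, OPT_TYPE, RCODE_FORMERR = 10, 41, 1   # RFC 7873 option code, OPT RR type, FORMERR rcode

def build_query(qname, client_cookie, txid=0x1234):
    """RD-set A query for qname with an OPT RR (udp 1232) carrying a COOKIE option, as dig sends."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # 1 question, 1 additional (the OPT RR)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    option = struct.pack("!HH", EDNS_COOKIE, len(client_cookie)) + client_cookie
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(option)) + option
    return hdr + name + struct.pack("!HH", 1, 1) + opt_rr

def fake_formerr_reply(query):
    """Constructed reply imitating the buggy authoritative: QR+RD set, rcode FORMERR, OPT/COOKIE echoed verbatim."""
    return query[:2] + struct.pack("!H", 0x8100 | RCODE_FORMERR) + query[4:]

def _skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:             # walk labels until root or compression pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_edns(msg):
    """Return (rcode, {option_code: data}) from the first OPT RR in a message (empty dict if none)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                       # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            opts, p = {}, off
            while p < off + rdlen:
                code, olen = struct.unpack("!HH", msg[p:p + 4])
                opts[code] = msg[p + 4:p + 4 + olen]
                p += 4 + olen
            return flags & 0xF, opts
        off += rdlen
    return flags & 0xF, {}

def classify(query, response):
    """Name the case BIND logs as 'server sent FORMERR with echoed DNS COOKIE'."""
    sent = parse_edns(query)[1].get(EDNS_COOKIE)
    rcode, opts = parse_edns(response)
    if rcode == RCODE_FORMERR and sent and opts.get(EDNS_COOKIE) == sent:
        return "FORMERR with echoed DNS COOKIE"
    return "NOERROR" if rcode == 0 else "rcode %d" % rcode
```

Feeding classify() a reply read from a UDP socket instead of fake_formerr_reply() lets you check your own authoritative servers for the behaviour the ISC ticket describes before a resolver upgrade is rolled out.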

Athos Ribeiro (athos-ribeiro) wrote :

Thanks for reporting this bug.

Could you check if the package in the -proposed pocket fixes the issue? You can enable the proposed pocket by following the guidelines in https://wiki.ubuntu.com/Testing/EnableProposed.

Please, do not do so in your production environment.

Changed in bind9 (Ubuntu):
status: New → Triaged
Andrew Titmuss (iandrewt) wrote :

The proposed package works! The first query for the broken domain upon startup returned SERVFAIL to the client, the second (and all future) worked as expected.

BIND9 logged the following upon querying when it returned the expected response:
18-Oct-2023 22:58:11.705 DNS format error from 54.240.206.0#53 resolving es.ap-southeast-2.amazonaws.com/A for 192.168.65.1#56775: server sent FORMERR with echoed DNS COOKIE

Tested with docker image ubuntu:jammy with proposed pocket enabled
18-Oct-2023 22:58:05.843 starting BIND 9.18.18-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:>
18-Oct-2023 22:58:05.843 running on Linux aarch64 6.4.16-linuxkit #1 SMP PREEMPT Sat Sep 23 13:36:48 UTC 2023

Paride Legovini (paride) wrote :

This is Fix Released in Mantic (package version: 1:9.18.18-0ubuntu2). Then we have:

lunar-proposed: 1:9.18.18-0ubuntu0.23.04.1
jammy-proposed: 1:9.18.18-0ubuntu0.22.04.1

Tasks to be marked Fix Released once they migrate.

Changed in bind9 (Ubuntu):
status: Triaged → Fix Released
Changed in bind9 (Ubuntu Jammy):
status: New → Fix Committed
Changed in bind9 (Ubuntu Lunar):
status: New → Fix Committed
Changed in bind9 (Ubuntu Jammy):
status: Fix Committed → Fix Released
Changed in bind9 (Ubuntu Lunar):
status: Fix Committed → Fix Released