NetworkManager connections with an explicit DoT (DNS over TLS) are not supported with Netplan

Bug #2055148 reported by Lukas Märdian
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Netplan | Fix Released | High | Unassigned | |
| netplan.io (Ubuntu) | Fix Released | Undecided | Unassigned | |
| network-manager (Ubuntu) | Confirmed | Undecided | Unassigned | |

Bug Description

From: https://discourse.ubuntu.com/t/blog-netplan-developer-diaries/35932/11

Hi all,

NetworkManager connections with an explicit DoT (DNS over TLS) configuration are not supported with Netplan, but NetworkManager does feed back the DoT DNS info with server address and Server Name Indication (SNI) in the form server_address#SNI, e.g. 1.2.3.4#dns.myhome.com as nameserver addresses to Netplan. As a result, subsequent Netplan config applications fail because DNS servers don’t have the expected dotted decimal (IPv4) or colon’ed hex (IPv6) form.

```
nmcli> describe ipv4.dns

=== [dns] ===
[NM property description]
Array of IP addresses of DNS servers. For DoT (DNS over TLS), the SNI server name can be specified by appending "#example.com" to the IP address of the DNS server. This currently only has effect when using systemd-resolved.
```

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in netplan.io (Ubuntu):
status: New → Confirmed
Changed in network-manager (Ubuntu):
status: New → Confirmed
Danilo Egea Gondolfo (danilogondolfo) wrote:

I can confirm the problem. Here is a reproducer:

```
# nmcli con add ifname dummy0 type dummy ipv4.dns 1.1.1.1#lxd
Error: Failed to add 'dummy-dummy0' connection: Message recipient disconnected from message bus without replying
```

This is the crash related to this issue:

```
Mar 15 09:46:40 noble-vm NetworkManager[7091]: /etc/netplan/90-NM-2116bb84-fa09-461a-a923-e04bc2648898.yaml:8:9: Error in network definition: malformed address '1.1.1.1#lxd', must be X.X.X.X or X:X:X:X:X:X:X:X
Mar 15 09:46:40 noble-vm NetworkManager[7091]: - 1.1.1.1#lxd
Mar 15 09:46:40 noble-vm NetworkManager[7091]: ^
Mar 15 09:46:40 noble-vm NetworkManager[7051]: <error> [1710496000.8273] BUG: the profile cannot be stored in keyfile format without becoming unusable: cannot access file: No such file or directory
Mar 15 09:46:40 noble-vm NetworkManager[7051]: **
Mar 15 09:46:40 noble-vm NetworkManager[7051]: nm:ERROR:src/core/settings/plugins/keyfile/nms-keyfile-writer.c:551:_internal_write_connection: assertion failed: (unreachable)
Mar 15 09:46:40 noble-vm NetworkManager[7051]: Bail out! nm:ERROR:src/core/settings/plugins/keyfile/nms-keyfile-writer.c:551:_internal_write_connection: assertion failed: (unreachable)
Mar 15 09:46:40 noble-vm systemd[1]: NetworkManager.service: Main process exited, code=dumped, status=6/ABRT
Mar 15 09:46:40 noble-vm systemd[1]: NetworkManager.service: Failed with result 'core-dump'.
Mar 15 09:46:41 noble-vm systemd[1]: NetworkManager.service: Scheduled restart job, restart counter is at 1.
Mar 15 09:46:41 noble-vm systemd[1]: Starting NetworkManager.service - Network Manager...
```

I also noticed another crash already reported here https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2057490

```
Mar 15 09:45:30 noble-vm systemd[1]: Stopping NetworkManager.service - Network Manager...
Mar 15 09:45:30 noble-vm NetworkManager[6790]: <info> [1710495930.0746] caught SIGTERM, shutting down normally.
Mar 15 09:45:30 noble-vm NetworkManager[6790]: **
Mar 15 09:45:30 noble-vm NetworkManager[6790]: nm:ERROR:src/core/nm-policy.c:2937:dispose: assertion failed: (!c_list_is_empty(&priv->policy_auto_activate_lst_head))
Mar 15 09:45:30 noble-vm NetworkManager[6790]: Bail out! nm:ERROR:src/core/nm-policy.c:2937:dispose: assertion failed: (!c_list_is_empty(&priv->policy_auto_activate_lst_head))
Mar 15 09:45:30 noble-vm NetworkManager[6790]: <info> [1710495930.0751] exiting (success)
Mar 15 09:45:31 noble-vm systemd[1]: NetworkManager.service: Main process exited, code=dumped, status=6/ABRT
Mar 15 09:45:31 noble-vm systemd[1]: NetworkManager.service: Failed with result 'core-dump'.
Mar 15 09:45:31 noble-vm systemd[1]: Starting NetworkManager.service - Network Manager...
```

tags: added: foundations-todo
Danilo Egea Gondolfo (danilogondolfo) wrote:

So, I believe the best solution here would be to add options to DNS addresses, similar to what we do with IP addresses. Something like this

```yaml
nameservers:
  addresses:
    - 1.2.3.4:
        sni: domain
        port: 1234
        interface: eth123
    - 1.1.1.1
```

With this we'd fully support both the NetworkManager and networkd backends.

Right now NM seems to support only the SNI parameter (1.2.3.4#domain) but networkd supports more:

"111.222.333.444:9953%ifname#example.com" for IPv4 and "[1111:2222::3333]:9953%ifname#example.com" for IPv6.

Alternatively, to keep things simpler, we could just accept the string 1.2.3.4#domain (and possibly the full notation used by networkd too).

What do you think, Lukas?
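A small parser for the networkd nameserver notation quoted above, added here as an illustration and not code from Netplan or NetworkManager. It splits a server spec into address, port, interface and SNI, shows why a strict "whole string must be an IP literal" check rejects `1.1.1.1#lxd`, and maps the parts onto the YAML shape proposed in this comment (the `sni`/`port`/`interface` keys are that proposal, not a shipped Netplan schema); the sample specs are constructed.

```python
import ipaddress
from typing import Optional, Union

def parse_dns_server(spec: str) -> dict:
    """Split a systemd-networkd DNS= style server spec into its parts.

    Shapes handled (from the notation quoted in the thread):
      IPv4:  ADDRESS[:PORT][%IFNAME][#SNI]
      IPv6:  [ADDRESS]:PORT[%IFNAME][#SNI]  or  ADDRESS[%IFNAME][#SNI]
    NetworkManager only ever emits the ADDRESS#SNI subset.
    Raises ValueError when the address part is not a valid IP literal.
    """
    rest, _, sni = spec.partition("#")        # SNI is always the last suffix
    rest, _, ifname = rest.partition("%")     # then the binding interface
    port: Optional[int] = None
    if rest.startswith("["):                  # bracketed IPv6 carrying a port
        addr, sep, port_str = rest[1:].partition("]:")
        if not sep:
            raise ValueError(f"bracketed IPv6 without ']:PORT' in {spec!r}")
        port = int(port_str)
    elif rest.count(":") == 1:                # IPv4 carrying a port
        addr, _, port_str = rest.partition(":")
        port = int(port_str)
    else:                                     # bare IPv4 or bare IPv6
        addr = rest
    ip = ipaddress.ip_address(addr)           # ValueError on e.g. 111.222.333.444
    if port is not None and not 0 < port < 65536:
        raise ValueError(f"port out of range in {spec!r}")
    return {"address": str(ip), "port": port,
            "interface": ifname or None, "sni": sni or None}

def is_plain_address(spec: str) -> bool:
    """The strict check that trips in the bug: the whole nameserver string
    must be an IPv4 or IPv6 literal, so '1.1.1.1#lxd' is rejected."""
    try:
        ipaddress.ip_address(spec)
        return True
    except ValueError:
        return False

def to_proposed_entry(spec: str) -> Union[str, dict]:
    """Map a spec onto the proposed YAML shape: a bare string when there are
    no options, otherwise {address: {sni, port, interface}} (hypothetical)."""
    parts = parse_dns_server(spec)
    opts = {k: parts[k] for k in ("sni", "port", "interface") if parts[k] is not None}
    return parts["address"] if not opts else {parts["address"]: opts}
```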

Lukas Märdian (slyon) wrote:

We should land a fix keeping the full string in networkmanager.passthrough and additionally work on a proper upstream solution, as suggested by Danilo in comment #4, introducing new settings as a longer term solution.

Changed in netplan:
status: New → Triaged
importance: Undecided → High
Lukas Märdian (slyon)
tags: added: fr-7190
Lukas Märdian (slyon) wrote:
Changed in netplan:
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package netplan.io - 1.0-2

---------------
netplan.io (1.0-2) unstable; urgency=medium

  [ Lukas Märdian ]
  * Versioned dep on meson >= 1.3.0 for python.limited_api (Closes: #1066889)
  * d/control: downgrade python3-rich to Recommends.

  [ Danilo Egea Gondolfo ]
  * debian/netplan.io.preinst.
    Add a preinst maintainer script for netplan.io to cleanup .pyc cached
    files. Due to these files, the directory /usr/share/netplan/netplan is
    not being removed after the python3-netplan package split. By removing
    these files (and __pycache__ directories), dpkg can remove the old
    directory during upgrade.
  * d/p/0002-parse-nm-add-a-workaround-for-the-DoT-DNS-option.patch.
    Workaround to prevent parse-nm to generate invalid DNS entries in the
    resulting YAML if SNI is used. (LP: #2055148)

 -- Lukas Märdian <email address hidden> Thu, 28 Mar 2024 12:47:41 +0100

Changed in netplan.io (Ubuntu):
status: Confirmed → Fix Released
Lukas Märdian (slyon) wrote:
Changed in netplan:
status: Fix Committed → Fix Released