pdns-recursor 4.0.0~alpha2-2 fails on FORMERR response to EDNS query

Bug #1646538 reported by wdoekes on 2016-12-01
This bug affects 3 people
Affects Status Importance Assigned to Milestone
pdns-recursor (Ubuntu)
High
Unassigned
Xenial
High
Mattia Rizzolo

Bug Description

[Impact]

pdns-recursor in Xenial fails on FORMERR response to EDNS query.

This can manifest itself through postfix not being able to send mail to Office 365 domains. When postfix tries to enable DNSSEC validation, the A record lookups start to fail, and this failure is cached for non-EDNS lookups as well.

pdns-recursor in Xenial returns this:

    $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec
    ...
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57895

Because the relevant NS returns FORMERR (it doesn't support EDNS):

    $ dig A umcg-nl.mail.protection.outlook.com. \
        @ns1-proddns.glbdns.o365filtering.com. +edns +dnssec
    ...
    ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1004
    ...
    ;; WARNING: EDNS query returned status FORMERR - retry with '+nodnssec +noedns'

This has been fixed upstream, specifically here:

https://github.com/PowerDNS/pdns/commit/9d534f2a12defc44d2a79291bf34b82e5ee28121

[Test Case]

Run dig with an NS that doesn't support EDNS:

    $ dig A SERVER @127.0.0.1 +edns +dnssec

For example:

    $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec

The correct A records should be returned similar to this:

    ...
    umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.87
    umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.23

[Regression Potential]

This is an upstream fix that has been out for a while.
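
The exchange from the description at wire level, as an added example (not PowerDNS code and not the upstream patch): a resolver-side sketch that queries with EDNS and the DO bit, then retries without EDNS when the server answers FORMERR. `legacy_ns`, the query IDs, the host name and the 192.0.2.x addresses are constructed; `fallback=False` is an assumed model of the SERVFAIL reported for 4.0.0~alpha2-2.

```python
import struct

NOERROR, FORMERR, SERVFAIL = 0, 1, 2
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def build_query(qid, name, edns):
    """A-record query; with edns=True an OPT pseudo-RR with the DO bit is appended."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\0"
    msg = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1 if edns else 0) + qname
    msg += struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns:  # root owner, TYPE=OPT, CLASS=UDP size 4096, TTL=flags (DO=0x8000), RDLEN=0
        msg += b"\0" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)
    return msg

def legacy_ns(query):
    """Constructed stand-in for an authoritative server without EDNS support."""
    qid, _, _, _, _, arcount = struct.unpack("!6H", query[:12])
    if arcount:  # OPT record present: header-only FORMERR reply
        return struct.pack("!6H", qid, 0x8000 | FORMERR, 0, 0, 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 10, 4) + bytes(ip)
                   for ip in ((192, 0, 2, 23), (192, 0, 2, 87)))  # documentation addresses
    return struct.pack("!6H", qid, 0x8400, 1, 2, 0, 0) + query[12:] + rrs

def skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def a_records(msg):
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_A and rdlen == 4:
            ips.append(".".join(map(str, msg[off + 10:off + 14])))
        off += 10 + rdlen
    return ips

def resolve(name, send, fallback=True):
    """Return (rcode, addresses). Ask with EDNS+DO first; on FORMERR retry without EDNS."""
    reply = send(build_query(0x1234, name, edns=True))
    if reply[3] & 0x0F == FORMERR:
        if not fallback:  # failure mode described in the report
            return SERVFAIL, []
        reply = send(build_query(0x1235, name, edns=False))
    return reply[3] & 0x0F, a_records(reply)
```

The sketch does not model the resolver cache, so it does not show the cached failure for non-EDNS lookups that the description mentions.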

The attachment "9d534f2a12defc44d2a79291bf34b82e5ee28121.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
MRob (mrobti) wrote :

This bug is preventing email contact with a variety of domains serviced by Microsoft.

This is LTS, it's critical not to use alpha-quality software that causes this level of disruption in production. Also, since the fix is available upstream, I encourage you to prioritize.

Thank you.

Scott Kitterman (kitterman) wrote :

Someone who's still involved in Ubuntu development really ought to slap a debian/changelog on this and upload it as an SRU.

Changed in pdns-recursor (Ubuntu):
status: New → Triaged
importance: Undecided → High
Mattia Rizzolo (mapreri) wrote :

Can anybody confirm this issue is not present in yakkety?

If so, I can do the actual SRU, but somebody else should 1) format this bug according to https://wiki.ubuntu.com/SRU 2) test the resulting package.

Changed in pdns-recursor (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → High
wdoekes (walter+ubuntu) wrote :

The patch is present in rec-4.0.0-beta1, so if Yakkety runs >=4.0.0 (not alpha), we should be good.

But sure:

    $ grep VERSION /etc/os-release
    VERSION="16.10 (Yakkety Yak)"
    VERSION_ID="16.10"
    VERSION_CODENAME=yakkety

    $ dpkg -l pdns-recursor | grep ^ii
    ii pdns-recursor 4.0.1-1build2 amd64 PowerDNS Recursor

    $ sudo netstat -apnAinet | grep 53.*pdns
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 18159/pdns_recursor
    udp 0 0 127.0.0.1:53 0.0.0.0:* 18159/pdns_recursor

    $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec +short
    213.199.154.23
    213.199.154.87

Confirmed. It's fixed in Yakkety.

Mattia Rizzolo (mapreri) wrote :

Cool, then what is left is for somebody to rewrite the description following the SRU template. I'll prepare the package and upload to a PPA for everybody to test the change.

Changed in pdns-recursor (Ubuntu):
status: Triaged → Fix Released
Mattia Rizzolo (mapreri) wrote :

Ok, you can find the proposed package in https://launchpad.net/~mapreri/+archive/ubuntu/lp-1646538
The debdiff:
https://launchpadlibrarian.net/297013877/pdns-recursor_4.0.0~alpha2-2_4.0.0~alpha2-2ubuntu0.1.diff.gz

If somebody fixes the bug description, I'll upload it to Ubuntu; also feel free to beat me in copying the package.

description: updated
Changed in pdns-recursor (Ubuntu Xenial):
status: Triaged → In Progress
assignee: nobody → Mattia Rizzolo (mapreri)
Sebastien Bacher (seb128) wrote :

The update is in the SRU review queue, so unsubscribing the sponsors from the bug.

Hello wdoekes, or anyone else affected,

Accepted pdns-recursor into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pdns-recursor/4.0.0~alpha2-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in pdns-recursor (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
wdoekes (walter+ubuntu) wrote :

It works.

====

    $ apt-cache policy pdns-recursor
    pdns-recursor:
      Installed: 4.0.0~alpha2-2
      Candidate: 4.0.0~alpha2-2ubuntu0.1
      Version table:
         4.0.0~alpha2-2ubuntu0.1 500
            500 http://archive.ubuntu.com/ubuntu xenial-proposed/universe amd64 Packages
         4.0.0~alpha2-2osso1 500
            500 http://ppa.osso.nl/ubuntu xenial/osso amd64 Packages
     *** 4.0.0~alpha2-2 500
            500 http://apt.osso.nl/ubuntu xenial/universe amd64 Packages
            100 /var/lib/dpkg/status

    $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec
    ...
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19210

====

    $ sudo apt-get install pdns-recursor

    $ apt-cache policy pdns-recursor
    pdns-recursor:
      Installed: 4.0.0~alpha2-2ubuntu0.1
      Candidate: 4.0.0~alpha2-2ubuntu0.1
      Version table:
     *** 4.0.0~alpha2-2ubuntu0.1 500
            500 http://archive.ubuntu.com/ubuntu xenial-proposed/universe amd64 Packages
            100 /var/lib/dpkg/status
         4.0.0~alpha2-2osso1 500
            500 http://ppa.osso.nl/ubuntu xenial/osso amd64 Packages
         4.0.0~alpha2-2 500
            500 http://apt.osso.nl/ubuntu xenial/universe amd64 Packages

    $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec
    ...
    ;; ANSWER SECTION:
    umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.23
    umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.87

tags: added: verification-done
removed: verification-needed
description: updated

The verification of the Stable Release Update for pdns-recursor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pdns-recursor - 4.0.0~alpha2-2ubuntu0.1

---------------
pdns-recursor (4.0.0~alpha2-2ubuntu0.1) xenial; urgency=medium

  * Apply patch from upstream to not fail on FORMERR response to EDNS.
    LP: #1646538

 -- Mattia Rizzolo <email address hidden> Wed, 07 Dec 2016 14:46:14 +0100

Changed in pdns-recursor (Ubuntu Xenial):
status: Fix Committed → Fix Released