pdns-recursor 4.0.0~alpha2-2 fails on FORMERR response to EDNS query

Bug #1646538 reported by Walter
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pdns-recursor (Ubuntu) | Fix Released | High | Unassigned | |
| Xenial | Fix Released | High | Mattia Rizzolo | |

Bug Description

[Impact]

pdns-recursor in Xenial fails on FORMERR response to EDNS query.

This can manifest itself through postfix not being able to send mail to Office 365 domains. When postfix tries to enable DNSSEC validation, the A record lookups start to fail, and this failure is cached for non-EDNS lookups as well.

pdns-recursor in Xenial returns this:

    $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec
    ...
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57895

Because the relevant NS returns FORMERR (it doesn't support EDNS):

    $ dig A umcg-nl.mail.protection.outlook.com. \
        @ns1-proddns.glbdns.o365filtering.com. +edns +dnssec
    ...
    ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1004
    ...
    ;; WARNING: EDNS query returned status FORMERR - retry with '+nodnssec +noedns'

This has been fixed upstream, specifically here:

https://github.com/PowerDNS/pdns/commit/9d534f2a12defc44d2a79291bf34b82e5ee28121

[Test Case]

Run dig with an NS that doesn't support EDNS:

    $ dig A SERVER @127.0.0.1 +edns +dnssec

For example:

    $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec

The correct A records should be returned similar to this:

    ...
    umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.87
    umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.23

[Regression Potential]

This is an upstream fix that has been out for a while.
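The failure mode in the description, as an added example (not code from the bug report or from PowerDNS): a resolver sends an EDNS query, the nameserver answers FORMERR, and the resolver either gives up with SERVFAIL or retries as plain DNS, which is the fallback dig's warning suggests. The name `mail.example.`, the address `192.0.2.1` and the `legacy_ns` stand-in are constructed for illustration.

```python
import struct

FORMERR, SERVFAIL, TYPE_A, TYPE_OPT = 1, 2, 1, 41

def build_query(qname, qid, edns):
    """Encode an A/IN query; edns=True appends an OPT record with DO set (dig +edns +dnssec)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    msg += labels + b"\x00" + struct.pack("!HH", TYPE_A, 1)
    if edns:
        # OPT RR: root owner, TYPE 41, CLASS = UDP size, TTL carries flags (DO = 0x8000), no RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x8000, 0)
    return msg

def legacy_ns(query):
    """Constructed stand-in for a nameserver without EDNS support: FORMERR on any OPT query."""
    qid, _, _, _, _, arcount = struct.unpack("!HHHHHH", query[:12])
    if arcount:
        return struct.pack("!HHHHHH", qid, 0x8000 | FORMERR, 0, 0, 0, 0)
    question = query[12:query.index(b"\x00", 12) + 5]
    answer = b"\xc0\x0c" + struct.pack("!HHIH4s", TYPE_A, 1, 10, 4, bytes([192, 0, 2, 1]))
    return struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0) + question + answer

def rcode(resp):
    """RCODE is the low four bits of the header flags word."""
    return struct.unpack("!H", resp[2:4])[0] & 0x000F

def a_records(resp):
    """Extract A RDATA from a response whose answers use compressed owner names."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    pos = resp.index(b"\x00", 12) + 5      # skip header and the single question
    out = []
    for _ in range(ancount):
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos + 2:pos + 12])
        if rtype == TYPE_A and rdlen == 4:
            out.append(".".join(str(b) for b in resp[pos + 12:pos + 16]))
        pos += 12 + rdlen
    return out

def resolve(qname, send, fallback=True):
    """Return (rcode, addresses). fallback=False reproduces the SERVFAIL seen in this report."""
    resp = send(build_query(qname, 0x1234, edns=True))
    if rcode(resp) == FORMERR and fallback:
        resp = send(build_query(qname, 0x1235, edns=False))   # retry as plain DNS
    if rcode(resp) != 0:
        return SERVFAIL, []
    return 0, a_records(resp)
```
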

Walter (wdoekes) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "9d534f2a12defc44d2a79291bf34b82e5ee28121.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
MRob (mrobti) wrote :

This bug is preventing email contact with a variety of domains serviced by Microsoft.

This is LTS, it's critical not to use alpha-quality software that causes this level of disruption in production. Also, since the fix is available upstream, I encourage you to prioritize.

Thank you.

Scott Kitterman (kitterman) wrote :

Someone who's still involved in Ubuntu development really ought to slap a debian/changelog on this and upload it as an SRU.

Changed in pdns-recursor (Ubuntu):
status: New → Triaged
importance: Undecided → High
Mattia Rizzolo (mapreri) wrote :

Can anybody confirm this issue is not present in yakkety?

If so, I can do the actual SRU, but somebody else should 1) format this bug according to https://wiki.ubuntu.com/SRU 2) test the resulting package.

Changed in pdns-recursor (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → High
Walter (wdoekes) wrote :

The patch is present in rec-4.0.0-beta1, so if Yakkety runs >=4.0.0 (not alpha), we should be good.

But sure:

    $ grep VERSION /etc/os-release
    VERSION="16.10 (Yakkety Yak)"
    VERSION_ID="16.10"
    VERSION_CODENAME=yakkety

    $ dpkg -l pdns-recursor | grep ^ii
    ii pdns-recursor 4.0.1-1build2 amd64 PowerDNS Recursor

    $ sudo netstat -apnAinet | grep 53.*pdns
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 18159/pdns_recursor
    udp 0 0 127.0.0.1:53 0.0.0.0:* 18159/pdns_recursor

    $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec +short
    213.199.154.23
    213.199.154.87

Confirmed. It's fixed in Yakkety.

Mattia Rizzolo (mapreri) wrote :

Cool, then what is left is for somebody to rewrite the description following the SRU template. I'll prepare the package and upload to a PPA for everybody to test the change.

Changed in pdns-recursor (Ubuntu):
status: Triaged → Fix Released
Mattia Rizzolo (mapreri) wrote :

Ok, you can find the proposed package in https://launchpad.net/~mapreri/+archive/ubuntu/lp-1646538
The debdiff:
https://launchpadlibrarian.net/297013877/pdns-recursor_4.0.0~alpha2-2_4.0.0~alpha2-2ubuntu0.1.diff.gz

If somebody fixes the bug description, I'll upload it to Ubuntu; also feel free to beat me in copying the package.

Mathew Hodson (mhodson)
description: updated
Mathew Hodson (mhodson)
Changed in pdns-recursor (Ubuntu Xenial):
status: Triaged → In Progress
assignee: nobody → Mattia Rizzolo (mapreri)
Sebastien Bacher (seb128) wrote :

The update is in the SRU review queue, so unsubscribing the sponsors from the bug.

Robie Basak (racb) wrote : Please test proposed package

Hello wdoekes, or anyone else affected,

Accepted pdns-recursor into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pdns-recursor/4.0.0~alpha2-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in pdns-recursor (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Walter (wdoekes) wrote :

It works.

====

    $ apt-cache policy pdns-recursor
    pdns-recursor:
      Installed: 4.0.0~alpha2-2
      Candidate: 4.0.0~alpha2-2ubuntu0.1
      Version table:
         4.0.0~alpha2-2ubuntu0.1 500
            500 http://archive.ubuntu.com/ubuntu xenial-proposed/universe amd64 Packages
         4.0.0~alpha2-2osso1 500
            500 http://ppa.osso.nl/ubuntu xenial/osso amd64 Packages
     *** 4.0.0~alpha2-2 500
            500 http://apt.osso.nl/ubuntu xenial/universe amd64 Packages
            100 /var/lib/dpkg/status

    $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec
    ...
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19210

====

    $ sudo apt-get install pdns-recursor

    $ apt-cache policy pdns-recursor
    pdns-recursor:
      Installed: 4.0.0~alpha2-2ubuntu0.1
      Candidate: 4.0.0~alpha2-2ubuntu0.1
      Version table:
     *** 4.0.0~alpha2-2ubuntu0.1 500
            500 http://archive.ubuntu.com/ubuntu xenial-proposed/universe amd64 Packages
            100 /var/lib/dpkg/status
         4.0.0~alpha2-2osso1 500
            500 http://ppa.osso.nl/ubuntu xenial/osso amd64 Packages
         4.0.0~alpha2-2 500
            500 http://apt.osso.nl/ubuntu xenial/universe amd64 Packages

    $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec
    ...
    ;; ANSWER SECTION:
    umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.23
    umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.87

tags: added: verification-done
removed: verification-needed
Mathew Hodson (mhodson)
description: updated
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for pdns-recursor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pdns-recursor - 4.0.0~alpha2-2ubuntu0.1

---------------
pdns-recursor (4.0.0~alpha2-2ubuntu0.1) xenial; urgency=medium

  * Apply patch from upstream to not fail on FORMERR response to EDNS.
    LP: #1646538

 -- Mattia Rizzolo <email address hidden> Wed, 07 Dec 2016 14:46:14 +0100

Changed in pdns-recursor (Ubuntu Xenial):
status: Fix Committed → Fix Released