libc resolver stops searching domain search list after getting back NSEC record
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
systemd (Ubuntu) |
Expired
|
High
|
Unassigned |
Bug Description
Suppose that:
1. you have a "search" line in your /etc/resolv.conf file;
2. it has two domains in it; and
3. the first of the two domains does DNSSEC, including returning NSEC records for nonexisting hosts.
In this situation, when you try to look up a host name in the second domain without specifying the domain part of the host name, the libc resolver will stop after it gets back the NSEC record and report that the host name doesn't exist, rather than moving on to the second domain in the search list and searching for the host in that domain.
See also https:/
ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: libc6 2.24-9ubuntu2.2
ProcVersionSign
Uname: Linux 4.10.0-33-generic x86_64
ApportVersion: 2.20.4-0ubuntu4.5
Architecture: amd64
CurrentDesktop: Unity:Unity7
Date: Wed Sep 13 16:00:45 2017
Dependencies:
gcc-6-base 6.3.0-12ubuntu2
libc6 2.24-9ubuntu2.2
libgcc1 1:6.3.0-12ubuntu2
InstallationDate: Installed on 2016-08-09 (400 days ago)
InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
SourcePackage: glibc
UpgradeStatus: Upgraded to zesty on 2017-04-19 (147 days ago)
Changed in glibc (Ubuntu): | |
importance: | Undecided → Medium |
importance: | Medium → High |
affects: | glibc (Ubuntu) → systemd (Ubuntu) |
Changed in systemd (Ubuntu): | |
status: | Expired → Won't Fix |
status: | Won't Fix → New |
Do you have packet captures which demonstrate the problem? We will need the data exchanged between the host which performs the DNS lookup and the recursive resolvers configured in resolv.conf.
We are pretty sure that the stub resolver is tolerant to unknown DNS record types, so the behavior you report is rather odd.