On Thu, Dec 20, 2018 at 5:01 PM Jerome Magnin <jmag...@haproxy.com> wrote:
> Hi,
>
> On Thu, Dec 20, 2018 at 03:42:40PM +0100, Leonhard Wimmer wrote:
> > Hello,
> >
> > We are running HAProxy in our Docker (18.09.0) swarm and we are relying on
> > the Docker embedded DNS server for service discovery.
> >
> > The backend servers are configured to resolve the IP addresses via a
> > "resolvers" config entry pointing to the Docker embedded DNS running on
> > "127.0.0.11".
> >
> > Up to HAProxy 1.8.14 this worked like a charm, but it stopped working with
> > version 1.8.15. Also the newly released version 1.9.0 is affected by this
> > problem.
> >
> > I've looked through the changes between 1.8.14 and 1.8.15 and I could narrow
> > it down to commit 2e53fe8:
> > "BUG: dns: Prevent out-of-bounds read in dns_validate_dns_response()".
> > If I revert this commit on haproxy-1.8 it works perfectly, just as before.
> >
> > DNS resolution does not seem to be generally broken though. If I use a regular
> > (non-docker-internal) hostname, it can be resolved normally, even using the
> > Docker embedded DNS server.
> >
> > I'm not yet sure if it is the Docker DNS server returning an invalid result
> > or HAProxy having a problem with the validation.
> >
> > I'm happy to help with debugging. I can provide packet captures of the DNS
> > resolution and a sample config to reproduce the problem if you are interested.
> >
>
> This is indeed a regression in haproxy. Thanks for reporting it.
> Attached patch should fix it.
> CC'ing Remi as the original author, and Baptiste, as DNS maintainer.
>
> Jérôme
>

Hi Leonhard, Jerome,

Thanks for reporting and fixing this respectively.

@Willy you can apply.

Baptiste