** Description changed:

+ [SRU Justification]
+ Ubuntu 16.10 server uses systemd-resolved by default, configured both as a DNS stub resolver on 127.0.0.53 and as an NSS module via libnss-resolved talking to the dbus service. The DNS stub resolver has a bug that causes it to fail to resolve CNAME records. This went unnoticed before release because by default the NSS module is used. But a chroot or container on the system that does not include libnss-resolved and is configured to use the stub resolver will experience DNS failures.
+ 
+ [Test case]
+ 1. On a yakkety server system, create a xenial chroot with mk-sbuild (or equivalent).
+ 2. Make sure that the host system has /etc/resolv.conf pointed at 127.0.0.53.
+ 3. Enter the chroot with 'sudo schroot -c xenial-amd64' or such.
+ 4. Install the iputils-ping package.
+ 5. ping www.freedesktop.org
+ 6. Confirm that the hostname does not resolve.
+ 7. Install the systemd package from yakkety-proposed onto the host system.
+ 8. ping www.freedesktop.org
+ 9. Confirm that the hostname does now resolve.
+ 
+ [Regression potential]
+ With a 247-line patch to a key service, there is some risk of regression. Regression risk is mitigated because this patch is already present in zesty and upstream, where no regressions have been reported, and because it only touches the DNS stub resolver, which is not the code path used by default on host systems.
+ 

$ systemd-resolve www.freedesktop.org
www.freedesktop.org: 131.252.210.176
                     2610:10:20:722:a800:ff:feda:470f
                     (annarchy.freedesktop.org)

-- Information acquired via protocol DNS in 673.6ms.
-- Data is authenticated: no

$ ping www.freedesktop.org
ping: www.freedesktop.org: Name or service not known

$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 127.0.0.53

$ dig +no{cmd,comments,stats} www.freedesktop.org @127.0.0.53
;www.freedesktop.org.		IN	A
www.freedesktop.org.	7146	IN	CNAME	annarchy.freedesktop.org.

$ dig +no{cmd,comments,stats} www.freedesktop.org @8.8.8.8
;www.freedesktop.org.		IN	A
www.freedesktop.org.	14399	IN	CNAME	annarchy.freedesktop.org.
annarchy.freedesktop.org. 14399	IN	A	131.252.210.176

I trust it needn’t be explained why this makes the internet almost completely useless in zesty.
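The two dig outputs above show the whole defect: the stub resolver on 127.0.0.53 answers with the CNAME only, while a full resolver also returns the A record for the CNAME target. The following checker is an added example, not part of the bug report or of systemd. It parses dig-style answer-section lines ("name ttl IN type rdata"), follows the CNAME chain from the queried name and reports whether the chain ends in an A/AAAA record or is left dangling at a CNAME target with no data. The sample inputs are constructed from the answer lines quoted in the report; feeding it `dig +noall +answer <name> @127.0.0.53` output from a host gives a quick regression check for this class of stub-resolver bug.

```python
"""Check whether a DNS answer section actually resolves a name to an address.

Added example (not from the Launchpad bug or the systemd project). It follows
the CNAME chain in a dig-style answer section and tells whether the chain is
terminated by an A/AAAA record, which is what the 127.0.0.53 stub failed to do.
"""
from collections import defaultdict

# Constructed sample input, modelled on the answer lines quoted in the bug.
STUB_ANSWER = """\
www.freedesktop.org.    7146    IN  CNAME   annarchy.freedesktop.org.
"""

FULL_ANSWER = """\
www.freedesktop.org.        14399   IN  CNAME   annarchy.freedesktop.org.
annarchy.freedesktop.org.   14399   IN  A       131.252.210.176
"""


def _canon(name):
    """Lower-case a name and give it a trailing dot so lookups match."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_answer(text):
    """Parse dig answer-section lines into {owner: [(type, rdata), ...]}.

    Lines starting with ';' (question section, comments) are skipped, as is
    anything not in the "name ttl IN type rdata" shape dig prints.
    """
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner = _canon(fields[0])
        rtype = fields[3]
        rdata = " ".join(fields[4:])
        records[owner].append((rtype, rdata))
    return records


def follow_chain(records, qname, max_hops=8):
    """Follow CNAMEs from qname; return (addresses, chain, dangling_name).

    addresses:     A/AAAA rdata found at the end of the chain
    chain:         owner names visited, in order
    dangling_name: the last CNAME target that has no record in the answer,
                   or None when the chain terminated in an address record.
    max_hops guards against CNAME loops in a malformed answer.
    """
    name = _canon(qname)
    chain = []
    for _ in range(max_hops):
        chain.append(name)
        rrs = records.get(name, [])
        addrs = [rdata for rtype, rdata in rrs if rtype in ("A", "AAAA")]
        if addrs:
            return addrs, chain, None
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            # The answer stops at a CNAME target with no data of its own:
            # exactly what the stub resolver returned in the report.
            return [], chain, name
        name = _canon(cnames[0])
    return [], chain, name  # loop or an implausibly long chain


def stub_follows_cnames(text, qname):
    """True if the answer section resolves qname to at least one address."""
    addrs, _, dangling = follow_chain(parse_answer(text), qname)
    return bool(addrs) and dangling is None


if __name__ == "__main__":
    for server, text in (("127.0.0.53", STUB_ANSWER), ("8.8.8.8", FULL_ANSWER)):
        addrs, chain, dangling = follow_chain(parse_answer(text), "www.freedesktop.org")
        verdict = "OK" if addrs else f"BROKEN (dangling at {dangling})"
        print(f"{server}: {' -> '.join(chain)} {addrs} {verdict}")
```

Run against the quoted data it flags the 127.0.0.53 answer as dangling at annarchy.freedesktop.org. and accepts the 8.8.8.8 answer; a glibc resolver in a chroot sees the same dangling answer and reports "Name or service not known".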
-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1647031

Title:
  systemd-resolved’s 127.0.0.53 server does not follow CNAME records

Status in Nextcloud: Unknown
Status in systemd: New
Status in network-manager package in Ubuntu: Fix Released
Status in systemd package in Ubuntu: Fix Released
Status in network-manager source package in Yakkety: Invalid
Status in systemd source package in Yakkety: Triaged