** Description changed:

- The pdns-recursor in Xenial returns this:
+ [Impact]
- $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec
- ...
- ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57895
+ pdns-recursor in Xenial fails on FORMERR response to EDNS query.
- While it should return this:
+ This can manifest itself through postfix not being able to send mail to
+ Office 365 domains. When postfix tries to enable DNSSEC validation, the
+ A record lookups start to fail, and this failure is cached for non-EDNS
+ lookups as well.
- ...
- umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.87
- umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.23
+ pdns-recursor in Xenial returns this:
+
+ $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec
+ ...
+ ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57895
  
  Because the relevant NS returns FORMERR (it doesn't support EDNS):
  
- $ dig A umcg-nl.mail.protection.outlook.com. \
-   @ns1-proddns.glbdns.o365filtering.com. +edns +dnssec
- ...
- ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1004
- ...
- ;; WARNING: EDNS query returned status FORMERR - retry with '+nodnssec +noedns'
+ $ dig A umcg-nl.mail.protection.outlook.com. \
+   @ns1-proddns.glbdns.o365filtering.com. +edns +dnssec
+ ...
+ ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1004
+ ...
+ ;; WARNING: EDNS query returned status FORMERR - retry with '+nodnssec +noedns'
  
- This has been fixed in later versions of pdns, specifically here:
+ This has been fixed upstream, specifically here:
  https://github.com/PowerDNS/pdns/commit/9d534f2a12defc44d2a79291bf34b82e5ee28121
  
- After applying that patch onto 4.0.0~alpha2-2, pdns-recursor behaves as
- expected and returns the correct A records.
+ [Test Case]
+ Run dig with an NS that doesn't support EDNS: $ dig A [name] @127.0.0.1
+ +edns +dnssec
  
- This bug manifested itself in our case through Postfix not being able to
- send mail to Office 365 domains. When postfix tried to enable optional
- DNSSEC validation -- which it did because of a builtin default -- the A
- record lookups would start to fail, and this failure would be cached for
- non-EDNS lookups as well.
+ For example: $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1
+ +edns +dnssec
  
- See original discussion here:
- http://postfix.1071664.n5.nabble.com/EDNS-DANE-trouble-with-Microsoft-mail-protection-outlook-com-td87331.html#a87353
- "EDNS / DANE trouble with Microsoft mail.protection.outlook.com."
+ The correct A records should be returned similar to this:
  
- Attached, the patch that appears to fix the problem.
+ ...
+ umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.87
+ umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.23
  
- IMHO, Xenial (being an LTS) needs to get this fixed. Either by updating
- from 4.0.0 to something more recent, or by applying this patch.
+ [Regression Potential]
  
- Cheers,
- Walter Doekes
- OSSO B.V.
+ This is an upstream fix that has been out for a while.
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1646538

Title:
  pdns-recursor 4.0.0~alpha2-2 fails on FORMERR response to EDNS query

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pdns-recursor/+bug/1646538/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
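An added illustration of the resolver behaviour this bug is about (example code written for this page, not code from the bug report or from pdns-recursor): a minimal stub resolver sends an A query with an EDNS0 OPT record, receives FORMERR from a nameserver that does not speak EDNS, and retries without EDNS instead of failing and caching the failure for later lookups. The nameserver stub `legacy_ns`, the fixed query id and the single constructed answer record are assumptions; the queried name and the address come from the report.

```python
import struct

def encode_name(name):  # "a.b." -> b"\x01a\x01b\x00" (uncompressed wire-format name)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def skip_name(msg, off):  # offset just past a wire-format name (label chain or compression pointer)
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def build_query(qid, name, edns):
    # header: id, flags=RD, qdcount=1, ancount=0, nscount=0, arcount=1 when an OPT RR is appended
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns:  # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO bit, no rdata
        msg += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return msg

def parse_a_records(msg):  # A rdata from the answer section of a one-question response
    ips, off = [], skip_name(msg, 12) + 4
    for _ in range(struct.unpack("!H", msg[6:8])[0]):  # ancount
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off + 10:off + 14]))
        off += 10 + rdlen
    return ips

def legacy_ns(query):
    # constructed stand-in for an authoritative NS that answers any EDNS query with FORMERR (rcode 1)
    qid, question = query[:2], query[12:skip_name(query, 12) + 4]
    if struct.unpack("!H", query[10:12])[0]:  # arcount > 0: the query carried an OPT RR
        return qid + struct.pack("!HHHHH", 0x8001, 1, 0, 0, 0) + question
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 10, 4) + bytes([213, 199, 154, 87])
    return qid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + answer

def resolve_a(name, send, negative_cache, fallback=True):
    # fallback=True is the fixed behaviour (FORMERR to an EDNS query => retry without EDNS);
    # fallback=False mimics the bug: the lookup fails and the failure is cached for later lookups
    if name in negative_cache:
        return None
    for edns in (True, False):
        resp = send(build_query(0x1234, name, edns))
        rc = struct.unpack("!H", resp[2:4])[0] & 0x0F
        if rc == 0:
            return parse_a_records(resp)
        if rc == 1 and edns and fallback:
            continue
        negative_cache.add(name)
        return None
```

`resolve_a("umcg-nl.mail.protection.outlook.com.", legacy_ns, set())` returns the A record after the non-EDNS retry; with `fallback=False` it returns None and the name lands in the negative cache, which is the cached failure the report describes.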