Public bug reported:
$ lsb_release -rd
Description: Ubuntu 22.04.4 LTS
Release: 22.04
$ apt-cache policy unbound
unbound:
  Installed: 1.13.1-1ubuntu5.11
  Candidate: 1.13.1-1ubuntu5.11
  Version table:
 *** 1.13.1-1ubuntu5.11 500
        500 https://apt.teslamotors.com/mirror/security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages
        500 https://apt.teslamotors.com/mirror/archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
        100 /var/lib/dpkg/status
     1.13.1-1ubuntu5 500
        500 https://apt.teslamotors.com/mirror/archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
Expectation: Unbound's hardcoded max_restart_count default limit set to 11, so long CNAME-chained records resolve as expected.
What happened: Unbound 1.13.1 returns SERVFAIL for records that have more than 8 CNAMEs in the chain.
Details:
Unbound 1.13.1 has a hardcoded limit on the number of CNAMEs it will follow for a given query. This is set to 8.
https://github.com/NLnetLabs/unbound/blob/6cd77933a3f113ea2bef7e4943f6dda6a26a39cb/iterator/iterator.h#L64
While long CNAME chaining is bad practice, there are, unfortunately, providers like Microsoft that do serve DNS responses with long CNAME chains.
Example:
entra.microsoft.com. 3066 IN CNAME portal.azure.com.
portal.azure.com. 3042 IN CNAME portal.azure.com.trafficmanager.net.
portal.azure.com.trafficmanager.net. 24 IN CNAME azureportal.z01.azurefd.net.
azureportal.z01.azurefd.net. 8 IN CNAME azurefd-p-prod.trafficmanager.net.
azurefd-p-prod.trafficmanager.net. 8 IN CNAME shed.s-part-0049.p-0010.p-msedge.net.
shed.s-part-0049.p-0010.p-msedge.net. 9 IN CNAME azurefd-p-fb-prod.trafficmanager.net.
azurefd-p-fb-prod.trafficmanager.net. 8 IN CNAME shed.s-part-0049.p-0010.p-dc-msedge.net.
shed.s-part-0049.p-0010.p-dc-msedge.net. 8 IN CNAME global-entry-fb-afdthirdparty-unicast.trafficmanager.net.
global-entry-fb-afdthirdparty-unicast.trafficmanager.net. 14 IN CNAME lon21r9c.msedge.net.
lon21r9c.msedge.net. 3554 IN A 40.90.65.189
Unbound 1.13.1 does not resolve this, and in the debug logs you will see something like:
error: SERVFAIL <entra.microsoft.com. A IN>: request has exceeded the maximum number restarts (eg. indirections) stop at stor9a.msedge.net.
In version 1.13.2, Unbound increased this hardcoded limit to 11.
https://github.com/NLnetLabs/unbound/commit/8878680898b23671d31857930891f65affe639c8#diff-c0ce1df6dfe0d23ee8da2faf5ce0bbdd97264fb46eb356be176fe3f2b16fabd7R64
In version 1.17.1, Unbound made this a configurable parameter.
https://github.com/NLnetLabs/unbound/commit/df411b3f2833ecf668fb750623c9fccebc58c827
Please check if it's possible to backport either the fix from Unbound 1.13.2 or the one from 1.17.1 to Ubuntu 22.04's Unbound 1.13.1? (I think bringing the fix from 1.13.2 may be easier.)
** Affects: unbound (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2122609
Title: Hardcoded MAX_RESTART_COUNT in unbound 1.13.1 blocks dns resolution of long cname chains
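To check whether a given chain trips the limit before and after the fix, here is an added example (not from the bug report or from Unbound itself) that walks the CNAME chain quoted above and counts each CNAME as one query restart, the way Unbound's iterator does when it compares against MAX_RESTART_COUNT. The record table is constructed from the chain in the report, and the "stop at" name, the treatment of unknown names, and the loop handling are simplifications of Unbound's real behaviour, not its code.

```python
from typing import Dict, Set, Tuple

# Unbound's hardcoded MAX_RESTART_COUNT: 8 in 1.13.1, raised to 11 in 1.13.2.
LIMIT_1_13_1 = 8
LIMIT_1_13_2 = 11

# Sample data constructed from the chain quoted in the report (TTLs dropped).
RECORDS: Dict[str, Tuple[str, str]] = {
    "entra.microsoft.com.": ("CNAME", "portal.azure.com."),
    "portal.azure.com.": ("CNAME", "portal.azure.com.trafficmanager.net."),
    "portal.azure.com.trafficmanager.net.": ("CNAME", "azureportal.z01.azurefd.net."),
    "azureportal.z01.azurefd.net.": ("CNAME", "azurefd-p-prod.trafficmanager.net."),
    "azurefd-p-prod.trafficmanager.net.": ("CNAME", "shed.s-part-0049.p-0010.p-msedge.net."),
    "shed.s-part-0049.p-0010.p-msedge.net.": ("CNAME", "azurefd-p-fb-prod.trafficmanager.net."),
    "azurefd-p-fb-prod.trafficmanager.net.": ("CNAME", "shed.s-part-0049.p-0010.p-dc-msedge.net."),
    "shed.s-part-0049.p-0010.p-dc-msedge.net.": ("CNAME", "global-entry-fb-afdthirdparty-unicast.trafficmanager.net."),
    "global-entry-fb-afdthirdparty-unicast.trafficmanager.net.": ("CNAME", "lon21r9c.msedge.net."),
    "lon21r9c.msedge.net.": ("A", "40.90.65.189"),
}


def follow_chain(records: Dict[str, Tuple[str, str]], qname: str, limit: int) -> Tuple[str, int, bool]:
    """Follow CNAMEs from qname the way Unbound's iterator restarts a query.

    Returns (name where resolution ended, CNAMEs followed, servfail).  Each CNAME
    is one query restart; once the count exceeds `limit` the resolver gives up and
    SERVFAILs at the name it was about to look up.  A CNAME loop also SERVFAILs.
    (Simplified model, not Unbound's own code.)
    """
    name = qname.lower().rstrip(".") + "."
    seen: Set[str] = set()
    restarts = 0
    while True:
        if name in seen:
            return name, restarts, True          # CNAME loop: would never terminate
        seen.add(name)
        rtype, rdata = records.get(name, ("", ""))
        if rtype != "CNAME":
            return name, restarts, rtype == ""   # terminal answer, or name unknown
        restarts += 1
        name = rdata
        if restarts > limit:
            return name, restarts, True          # "exceeded the maximum number restarts"


if __name__ == "__main__":
    for limit in (LIMIT_1_13_1, LIMIT_1_13_2):
        end, n, fail = follow_chain(RECORDS, "entra.microsoft.com", limit)
        print(f"limit={limit}: {n} CNAMEs followed, {'SERVFAIL' if fail else 'resolved'} at {end}")
```

With the 9-CNAME chain from the report, the 1.13.1 limit of 8 fails on the ninth indirection while the 1.13.2 limit of 11 reaches the A record.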