redhat-plumbers/systemd-rhel8

systemd-resolved reply depends on previous queries / does not reply directly to an A query if DNAME is involved

olifre opened this issue · 2 comments

systemd version the issue has been seen with

239

Used distribution

CentOS 8

Expected behaviour you didn't see

dig hrz.uni-bonn.de @127.0.0.53 A should always respond with an A record of hrz.uni-bonn.de

Unexpected behaviour you saw

systemd-resolved may respond with an A record of rhrz.uni-bonn.de and a DNAME entry instead.
Also, systemd-resolved reply depends on previous queries.

Steps to reproduce the problem
Case A

# resolvectl flush-caches
# dig rhrz.uni-bonn.de @127.0.0.53 A
;; ANSWER SECTION:
rhrz.uni-bonn.de.       86400   IN      A       131.220.14.100
# dig hrz.uni-bonn.de @127.0.0.53 DNAME
;; ANSWER SECTION:
hrz.uni-bonn.de.        86400   IN      DNAME   rhrz.uni-bonn.de.
# dig hrz.uni-bonn.de @127.0.0.53 A
;; ANSWER SECTION:
hrz.uni-bonn.de.        7167    IN      DNAME   rhrz.uni-bonn.de.
rhrz.uni-bonn.de.       7163    IN      A       131.220.14.100

Note that the final reply here does not answer the query for an A record of hrz.uni-bonn.de directly, but requires further evaluation on the client end.
This reply is completely ignored by some clients, notably mDNSResponder on macOS, since it does not answer the actual question (only indirectly).

Case B

# dig hrz.uni-bonn.de @127.0.0.53 A
;; ANSWER SECTION:
hrz.uni-bonn.de.        86400   IN      A       131.220.14.100

Note that the result is now an actual reply to the query. So the reply by systemd-resolved depends on earlier queries filling the cache accordingly.

Other DNS cachers (such as dnsmasq) always reply as shown in B when asked for an A record, and that's also the way "real" DNS servers usually respond.

This can likely be reproduced with any domain with a "DNAME" entry.

Depending on what the specs say, this might be ok (and the client has to evaluate, i.e. mDNSResponder is broken). I'm not sure who is at fault here, but the fact that the answer of systemd-resolved depends on previous queries seems fishy.
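Added example (not code from the issue, from systemd-resolved, or from the reporter): a small Python model of how a client evaluates an answer section that contains a DNAME, following RFC 6672. Substitution replaces the DNAME owner-name suffix of the query name with the DNAME target (section 2.2), and the owner name itself is not redirected (section 2.1), so a strict client does not treat the Case A answer above as an answer to `hrz.uni-bonn.de A`, while a lenient client that follows the owner-name DNAME like a CNAME does. The owner/target names and the 131.220.14.100 address are taken from the dig output above; the `www.hrz.uni-bonn.de` record set with 192.0.2.10 is constructed here to show the normal subdomain case and is not claimed to exist in the real zone.

```python
"""Client-side DNAME evaluation per RFC 6672 (added example; not systemd-resolved code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    name: str    # owner name, fully qualified with trailing dot
    rtype: str   # "A", "DNAME", "CNAME", ...
    rdata: str


def labels(name: str) -> List[str]:
    """Split a fully-qualified name into lower-cased labels for case-insensitive comparison."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".")]


def dname_substitute(qname: str, dname_owner: str, dname_target: str) -> Optional[str]:
    """RFC 6672 section 2.2: replace the owner-name suffix of qname with the target.
    Returns None when the DNAME does not apply. That includes the owner name itself:
    section 2.1 redirects only names strictly below the owner (label-wise, so
    'xhrz.uni-bonn.de' is not below 'hrz.uni-bonn.de')."""
    q, o = labels(qname), labels(dname_owner)
    if len(q) <= len(o) or q[-len(o):] != o:
        return None
    prefix = q[:-len(o)]
    return ".".join(prefix + labels(dname_target)) + "."


def evaluate_answer(qname: str, qtype: str, answer: List[RR],
                    strict: bool = True) -> Tuple[str, List[str]]:
    """Walk an answer section the way a stub resolver would and report whether
    it answers <qname, qtype>. Returns (verdict, rdata_list) with verdict one of:
      "direct"   - an RR of the requested type sits at qname
      "indirect" - the requested type is reached via CNAME/DNAME RRs in the answer
      "none"     - nothing in the answer section resolves the question
    strict=True ignores a DNAME whose owner equals the current name, as the RFC
    requires; strict=False models a lenient client that follows it like a CNAME."""
    current = qname.lower().rstrip(".") + "."
    redirected = False
    for _hop in range(8):  # bound chain following, as real resolvers do
        direct = [rr.rdata for rr in answer
                  if labels(rr.name) == labels(current) and rr.rtype == qtype]
        if direct:
            return ("indirect" if redirected else "direct", direct)
        nxt = None
        for rr in answer:
            if rr.rtype == "CNAME" and labels(rr.name) == labels(current):
                nxt = rr.rdata
                break
            if rr.rtype == "DNAME":
                sub = dname_substitute(current, rr.name, rr.rdata)
                if sub is None and not strict and labels(rr.name) == labels(current):
                    sub = rr.rdata  # lenient: owner-name DNAME treated as a CNAME
                if sub is not None:
                    nxt = sub
                    break
        if nxt is None:
            return ("none", [])
        current, redirected = nxt, True
    return ("none", [])


# Case A answer section from the issue (DNAME at the queried name plus A at the target).
CASE_A = [RR("hrz.uni-bonn.de.", "DNAME", "rhrz.uni-bonn.de."),
          RR("rhrz.uni-bonn.de.", "A", "131.220.14.100")]
# Case B answer section from the issue (direct A record at the queried name).
CASE_B = [RR("hrz.uni-bonn.de.", "A", "131.220.14.100")]
# Constructed subdomain case, the situation DNAME is actually meant for; address is TEST-NET-1.
CASE_SUBDOMAIN = [RR("hrz.uni-bonn.de.", "DNAME", "rhrz.uni-bonn.de."),
                  RR("www.rhrz.uni-bonn.de.", "A", "192.0.2.10")]

if __name__ == "__main__":
    print("Case A, strict client :", evaluate_answer("hrz.uni-bonn.de.", "A", CASE_A))
    print("Case A, lenient client:", evaluate_answer("hrz.uni-bonn.de.", "A", CASE_A, strict=False))
    print("Case B                :", evaluate_answer("hrz.uni-bonn.de.", "A", CASE_B))
    print("www. under the DNAME  :", evaluate_answer("www.hrz.uni-bonn.de.", "A", CASE_SUBDOMAIN))
```

The strict verdict for Case A is "none": a DNAME at `hrz.uni-bonn.de.` says nothing about `hrz.uni-bonn.de.` itself, so a client applying RFC 6672 literally has no A record for the name it asked about. Only the constructed `www.` query is an answer that a DNAME-aware client can legitimately resolve from that record set.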

I've now also opened a Red Hat Bugzilla report here:
https://bugzilla.redhat.com/show_bug.cgi?id=1823446
since I'm not sure if the issue tracker of this repository is monitored.

It's not, but it doesn't really matter. A bug in RH bugzilla is necessary to get anything fixed in RHEL.