resolving certain name fails with ICMP port unreachable
Summary
bind9 fails to resolve www.aviatormastercard.com (or more specifically www.aviatormastercard.egslb.barclaycardus.com).
BIND version used
This is reproducible with git master as of right now:
BIND 9.17.15 (Development Release) <id:ddacc7e>
running on Linux x86_64 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021
built by make with default
compiled by GCC 9.3.0
compiled with OpenSSL version: OpenSSL 1.1.1f 31 Mar 2020
linked to OpenSSL version: OpenSSL 1.1.1f 31 Mar 2020
compiled with libuv version: 1.34.2
linked to libuv version: 1.34.2
compiled with libnghttp2 version: 1.40.0
linked to libnghttp2 version: 1.40.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.4.2
threads support is enabled
default paths:
named configuration: /usr/local/etc/named.conf
rndc configuration: /usr/local/etc/rndc.conf
DNSSEC root key: /usr/local/etc/bind.keys
nsupdate session key: /usr/local/var/run/named/session.key
named PID file: /usr/local/var/run/named/named.pid
named lock file: /usr/local/var/run/named/named.lock
geoip-directory: /usr/share/GeoIP
It's also reproducible with 1:9.16.1-0ubuntu2.8 on Ubuntu 20.04.
However, it works on 1:9.11.3+dfsg-1ubuntu1.15 on Ubuntu 18.04. It also works with that version of bind recompiled on Ubuntu 20.04. It also works on 1:9.11.5-P4-5.1ubuntu2.2 from Ubuntu 19.10 recompiled on Ubuntu 20.04.
Based on testing Ubuntu packages, it seems something changed between 9.11 and 9.16 to break this. I know that's a big range.
I did a git bisect. It reported:
dd7bb617be1ac4c09821f64a2d6e9bd6a54873d6 is the first bad commit
commit dd7bb617be1ac4c09821f64a2d6e9bd6a54873d6
Author: Witold Kręcicki <wpk@isc.org>
Date: Fri May 11 12:27:56 2018 +0200
- qname minimization:
- make qname-minimization option tristate {strict,relaxed,disabled}
- go straight for the record if we hit NXDOMAIN in relaxed mode
- go straight for the record after 3 labels without new delegation or 7 labels total
- use start of fetch (and not time of response) as 'now' time for querying cache for
zonecut when following delegation.
bin/named/config.c | 3 +-
bin/named/server.c | 18 ++-
bin/tests/system/qname-minimization/ans2/ans.py | 25 ++-
bin/tests/system/qname-minimization/ans3/ans.py | 175 ++++++++++++++++++++
bin/tests/system/qname-minimization/ans4/ans.py | 175 ++++++++++++++++++++
bin/tests/system/qname-minimization/clean.sh | 2 +-
.../system/qname-minimization/ns3/named.conf.in | 41 -----
.../system/qname-minimization/ns4/named.conf.in | 41 -----
.../system/qname-minimization/ns5/named.conf.in | 3 +-
.../system/qname-minimization/ns6/named.conf.in | 40 +++++
.../system/qname-minimization/ns7/named.conf.in | 40 +++++
bin/tests/system/qname-minimization/setup.sh | 4 +-
bin/tests/system/qname-minimization/tests.sh | 177 +++++++++++++++++----
lib/dns/adb.c | 8 +
lib/dns/include/dns/resolver.h | 4 +
lib/dns/resolver.c | 45 ++++--
lib/isccfg/namedconf.c | 13 +-
util/copyrights | 6 +-
18 files changed, 678 insertions(+), 142 deletions(-)
create mode 100755 bin/tests/system/qname-minimization/ans3/ans.py
create mode 100755 bin/tests/system/qname-minimization/ans4/ans.py
delete mode 100644 bin/tests/system/qname-minimization/ns3/named.conf.in
delete mode 100644 bin/tests/system/qname-minimization/ns4/named.conf.in
create mode 100644 bin/tests/system/qname-minimization/ns6/named.conf.in
create mode 100644 bin/tests/system/qname-minimization/ns7/named.conf.in
The bisect log was:
$ git bisect log
git bisect start
# bad: [d497c325e70400f082bf59f61430e3f20a708d0d] Update changes after QA review
git bisect bad d497c325e70400f082bf59f61430e3f20a708d0d
# good: [998753c7583eb7cea2a462630100cc183e0f30ee] Merge branch 'prep-release' into v9_11_5_patch
git bisect good 998753c7583eb7cea2a462630100cc183e0f30ee
# bad: [6491691ac4bec0dc59e3eeba2797d65527f3bcd6] Merge branch 'prep-release' into security-v9_14
git bisect bad 6491691ac4bec0dc59e3eeba2797d65527f3bcd6
# good: [28e45cd00e2e1e621a2e97ba1ee6bdc6a4102e16] Merge branch 'prep-release' into v9_12_4_patch
git bisect good 28e45cd00e2e1e621a2e97ba1ee6bdc6a4102e16
# good: [a6e307c5f1b3aeeb6b9702f5ca1e4655e4ba4691] update copyright notice / whitespace
git bisect good a6e307c5f1b3aeeb6b9702f5ca1e4655e4ba4691
# bad: [8e164f784df9833c588f734c23d786a5f4fd29f0] Merge branch 'gitlab-ci-make-install-job' into 'master'
git bisect bad 8e164f784df9833c588f734c23d786a5f4fd29f0
# good: [3fbf9d3ea18d8f4e6f01252c6aa914ad953c1430] Merge branch 'add-print.h' into 'master'
git bisect good 3fbf9d3ea18d8f4e6f01252c6aa914ad953c1430
# bad: [4354f44d9c7608cea9e585500ba04cdb263e20d3] Do not call exit() upon verify_nodes() errors
git bisect bad 4354f44d9c7608cea9e585500ba04cdb263e20d3
# good: [9b6b11f02a0faadbd8ab60986cb9cfc7cbcb6115] Merge branch '278-prevent-false-negatives-in-rootkeysentinel-system-test' into 'master'
git bisect good 9b6b11f02a0faadbd8ab60986cb9cfc7cbcb6115
# good: [b8b731bd20cd949f7e74c4a5e4cf71ca7b7de44f] Merge branch '302-use-ip-for-ifconfig' into 'master'
git bisect good b8b731bd20cd949f7e74c4a5e4cf71ca7b7de44f
# bad: [68f056b2a07098896d3f6898ba9927fea3158fef] Add helper variables in mkeys system test
git bisect bad 68f056b2a07098896d3f6898ba9927fea3158fef
# good: [bb2dfb3f49ab707d751c0d83eb26938ed29a1b70] Add dns_zone_logv()
git bisect good bb2dfb3f49ab707d751c0d83eb26938ed29a1b70
# bad: [31b0dc1f204d8f7520145f21e8ea46d1466412a7] Require python with dnspython module
git bisect bad 31b0dc1f204d8f7520145f21e8ea46d1466412a7
# bad: [dd7bb617be1ac4c09821f64a2d6e9bd6a54873d6] - qname minimization: - make qname-minimization option tristate {strict,relaxed,disabled} - go straight for the record if we hit NXDOMAIN in relaxed mode - go straight for the record after 3 labels without new delegation or 7 labels total
git bisect bad dd7bb617be1ac4c09821f64a2d6e9bd6a54873d6
# good: [c8de677eaeec447b5c8eb562fa025bf57d8fa982] Add CHANGES entry
git bisect good c8de677eaeec447b5c8eb562fa025bf57d8fa982
# good: [0698158eb004369e0afeeebda42e704a6ebed44b] QNAME minimization
git bisect good 0698158eb004369e0afeeebda42e704a6ebed44b
# first bad commit: [dd7bb617be1ac4c09821f64a2d6e9bd6a54873d6] - qname minimization: - make qname-minimization option tristate {strict,relaxed,disabled} - go straight for the record if we hit NXDOMAIN in relaxed mode - go straight for the record after 3 labels without new delegation or 7 labels total
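To make the label-stepping rules quoted in the commit message concrete, the following is an added, self-contained model of relaxed-mode QNAME minimization as described there; it is written for this page and is not BIND's resolver code. The cut-off values 3 (labels without a new delegation) and 7 (minimized labels in total) are the ones named in the commit message; the exact point at which BIND applies them, the set of zone cuts passed in, and the helper names are assumptions of the model, and the delegation sets below are constructed for illustration.

```python
"""Model of relaxed-mode QNAME minimization label stepping.

Illustrative code added for this issue page, not BIND's implementation.
Rules taken from the commit message:
  - send progressively longer suffixes of the query name, one label at a time;
  - after 3 labels without discovering a new delegation, query the full name;
  - after 7 minimized labels in total, query the full name.
How BIND applies these thresholds internally is assumed, not verified here.
"""

MAX_LABELS_WITHOUT_DELEGATION = 3   # from the commit message
MAX_MINIMISED_LABELS = 7            # from the commit message


def labels(name: str) -> list[str]:
    """Split 'www.example.com.' into ['www', 'example', 'com'] (root omitted)."""
    return [part for part in name.rstrip(".").split(".") if part]


def minimised_queries(qname: str, delegations: set[str]) -> list[tuple[str, str]]:
    """Return the (query name, reason) pairs a relaxed-mode minimizing resolver
    would send for qname.

    `delegations` is the (constructed) set of zone cuts the resolver discovers
    as it walks down, i.e. names that own NS records at the parent, for example
    {'com', 'barclaycardus.com', 'egslb.barclaycardus.com'}.
    """
    parts = labels(qname)
    full = ".".join(parts)
    queries: list[tuple[str, str]] = []
    last_cut = 0  # label depth of the deepest confirmed zone cut (0 = root)

    # Only suffixes strictly shorter than the full name are "minimized" queries.
    for depth in range(1, len(parts)):
        if depth - last_cut > MAX_LABELS_WITHOUT_DELEGATION:
            queries.append((full, "3 labels without a new delegation"))
            return queries
        if depth > MAX_MINIMISED_LABELS:
            queries.append((full, "7 minimized labels total"))
            return queries
        name = ".".join(parts[-depth:])
        queries.append((name, "minimized"))
        if name in delegations:
            last_cut = depth  # a new delegation resets the no-delegation count

    queries.append((full, "full name"))
    return queries


if __name__ == "__main__":
    # Constructed zone cuts for the name from this report (not verified data).
    cuts = {"com", "barclaycardus.com", "egslb.barclaycardus.com"}
    for name, reason in minimised_queries(
        "www.aviatormastercard.egslb.barclaycardus.com", cuts
    ):
        print(f"{name:50} {reason}")
```

The model only shows which names are asked, not their timing. ICMP port unreachable is what the kernel emits when a UDP datagram arrives for a destination port with no bound socket, so the symptom in this report is about when the reply reaches named relative to the lifetime of its query socket, which this model does not cover.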
Steps to reproduce
- Install and start bind
- dig www.aviatormastercard.egslb.barclaycardus.com @localhost
What is the current bug behavior?
named makes a request as expected. The DNS server for egslb.barclaycardus.com (either 167.203.35.32 or 167.203.51.32) responds. This response is rejected by us with ICMP port unreachable!
I disabled all firewall rules, so this is not coming from a REJECT iptables rule.
What is the expected correct behavior?
It resolves. E.g.:
;; ANSWER SECTION:
www.aviatormastercard.egslb.barclaycardus.com. 30 IN A 167.203.49.71
Relevant configuration files
This is reproducible with a stock Ubuntu configuration, which named-checkconf -px says is:
options {
directory "/var/cache/bind";
listen-on-v6 {
"any";
};
dnssec-validation auto;
};
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};