[Pdns-users] Recursor 4.3.1 problems with long CNAME chains

Otto Moerbeek otto at drijf.net
Fri Jun 5 11:01:09 UTC 2020


On Fri, Jun 05, 2020 at 12:44:03PM +0200, Steinar Haug via Pdns-users wrote:

> We recently upgraded from Recursor 4.2.1 to 4.3.1, due to the recent
> security alert. Unfortunately, after this upgrade some queries have
> stopped working.
> 
> The examples below are from a test installation where the only config
> are the following two lines:
> 
> query-local-address=193.75.4.60
> trace=on
> 
> Example of query which works with 4.2.1:
> 
> % dig microsoft-my.sharepoint-df.com @127.0.0.1
> 
> ; <<>> DiG 9.16.3 <<>> microsoft-my.sharepoint-df.com @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19220
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;microsoft-my.sharepoint-df.com.        IN      A
> 
> ;; ANSWER SECTION:
> microsoft-my.sharepoint-df.com. 3600 IN CNAME   www.sharepoint-df.com.
> www.sharepoint-df.com.  3600    IN      CNAME   microsoftcan.sharepoint.com.
> microsoftcan.sharepoint.com. 3600 IN    CNAME   2-ipv4mte.clump.msit.aa-rt.sharepoint.com.
> 2-ipv4mte.clump.msit.aa-rt.sharepoint.com. 30 IN CNAME 82022-ipv4mte.farm.msit.aa-rt.sharepoint.com.
> 82022-ipv4mte.farm.msit.aa-rt.sharepoint.com. 30 IN CNAME 82022-ipv4mte.farm.msit.sharepointonline.com.akadns.net.
> 82022-ipv4mte.farm.msit.sharepointonline.com.akadns.net. 300 IN CNAME 82022-ipv4.farm.msit.aa-rt.sharepoint.com.spov-0006.spov-msedge.net.
> 82022-ipv4.farm.msit.aa-rt.sharepoint.com.spov-0006.spov-msedge.net. 240 IN CNAME spov-0006.spov-msedge.net.
> spov-0006.spov-msedge.net. 240  IN      A       13.107.137.11
> 
> ;; Query time: 2276 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Jun 05 12:22:29 CEST 2020
> ;; MSG SIZE  rcvd: 366
> 
> But with 4.3.1 the query returns SERVFAIL and the last resolution to A
> is missing:
> 
> % dig microsoft-my.sharepoint-df.com @127.0.0.1
> 
> ; <<>> DiG 9.16.3 <<>> microsoft-my.sharepoint-df.com @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45924
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;microsoft-my.sharepoint-df.com.        IN      A
> 
> ;; ANSWER SECTION:
> microsoft-my.sharepoint-df.com. 3600 IN CNAME   www.sharepoint-df.com.
> www.sharepoint-df.com.  3600    IN      CNAME   microsoftcan.sharepoint.com.
> microsoftcan.sharepoint.com. 3600 IN    CNAME   2-ipv4mte.clump.msit.aa-rt.sharepoint.com.
> 2-ipv4mte.clump.msit.aa-rt.sharepoint.com. 30 IN CNAME 82022-ipv4mte.farm.msit.aa-rt.sharepoint.com.
> 82022-ipv4mte.farm.msit.aa-rt.sharepoint.com. 30 IN CNAME 82022-ipv4mte.farm.msit.sharepointonline.com.akadns.net.
> 82022-ipv4mte.farm.msit.sharepointonline.com.akadns.net. 300 IN CNAME 82022-ipv4.farm.msit.aa-rt.sharepoint.com.spov-0006.spov-msedge.net.
> 82022-ipv4.farm.msit.aa-rt.sharepoint.com.spov-0006.spov-msedge.net. 240 IN CNAME spov-0006.spov-msedge.net.
> 
> ;; Query time: 3276 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Jun 05 12:24:20 CEST 2020
> ;; MSG SIZE  rcvd: 350
> 
> In the trace log for 4.3.1 we see the following which ends with the
> message about SERVFAIL:
> 
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                  ns3-04.azure-dns.org: recursing (CNAME or other indirection) too deep, depth=17
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                  ns3-04.azure-dns.org: recursing (CNAME or other indirection) too deep, depth=17
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                  ns3-03.azure-dns.org: recursing (CNAME or other indirection) too deep, depth=17
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                  ns3-03.azure-dns.org: recursing (CNAME or other indirection) too deep, depth=17
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                  ns3-01.azure-dns.org: recursing (CNAME or other indirection) too deep, depth=17
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                  ns3-01.azure-dns.org: recursing (CNAME or other indirection) too deep, depth=17
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                  ns3-02.azure-dns.org: recursing (CNAME or other indirection) too deep, depth=17
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                  ns3-02.azure-dns.org: recursing (CNAME or other indirection) too deep, depth=17
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                  a0.org.afilias-nst.info: recursing (CNAME or other indirection) too deep, depth=17
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                  afilias-nst.info: recursing (CNAME or other indirection) too deep, depth=17
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                  a0.org.afilias-nst.info: recursing (CNAME or other indirection) too deep, depth=17
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                 a2.org.afilias-nst.info: recursing (CNAME or other indirection) too deep, depth=16
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                 d0.org.afilias-nst.org: recursing (CNAME or other indirection) too deep, depth=16
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                 b2.org.afilias-nst.org: recursing (CNAME or other indirection) too deep, depth=16
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                 c0.org.afilias-nst.info: recursing (CNAME or other indirection) too deep, depth=16
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]                 b0.org.afilias-nst.org: recursing (CNAME or other indirection) too deep, depth=16
> Jun  5 12:24:20 lab4 pdns_recursor[13424]: [1]            82022-ipv4.farm.msit.aa-rt.sharepoint.com.spov-0006.spov-msedge.net: status=got a CNAME referral, but recursing too deep, returning SERVFAIL
> 
> I have tried:
> 
> max-ns-address-qperq=50 (default 10)
> max-qperq=120 (default 60)
> max-recursion-depth=0 (default 40)
> 
> but the end result is still the same - SERVFAIL and the last A record
> missing.
> 
> Any suggestions? Bug report to Github?
> 
> This is unfortunately serious enough for our users that I may have
> downgrade to 4.2.1.
> 
> Steinar Haug, AS2116
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

This is a known issue: https://github.com/PowerDNS/pdns/pull/9192

As a temporary workaround, you try disabling qname-minimization:

qname-minimization=off

	-Otto


More information about the Pdns-users mailing list