List: unbound-users
Subject: Re: 1.7.1 qname-minimisation and Akamai?
From: Håkan Lindqvist via Unbound-users <unbound-users () unbound ! net>
Date: 2018-06-12 17:14:04
Message-ID: CAGkuFhGWzUvXJDe=W=Dz2L=zaeSV32d3EBMvPrMn+3_W4pWVaA () mail ! gmail ! com
Ok, that sounds great. Thank you!
/Håkan
On Tue, Jun 12, 2018 at 4:36 PM, Ralph Dolmans via Unbound-users <
unbound-users@unbound.net> wrote:
> Hi Hakan,
>
> This is indeed related to the CNAME classification change in 1.7.1.
> After that change responses for the minimised queries can be treated as
> CNAME responses. Unbound has a limit in number of CNAMEs to follow to
> prevent loops, that limit is 8. Because the nameserver here gives CNAMEs
> for some of the minimised CNAME targets, the number of received
> CNAMEs passes the maximum and Unbound stops resolving.
>
> I committed a fix that only counts CNAME for the full name, not for the
> partial/minimised queries.
>
> -- Ralph
>
> On 11-06-18 23:31, Håkan Lindqvist via Unbound-users wrote:
> > Hi,
> >
> > I ran into an issue where it appears that Unbound 1.7.1 fails to
> > resolve some Akamai CDN names if qname-minimisation is enabled
> > (consistently responds with SERVFAIL).
> > 1.7.0 did not exhibit the same behavior with identical configuration.
> >
> > A couple of example names: cdn.samsung.com,
> > storeedgefd.dsx.mp.microsoft.com (eg "dig @unbound cdn.samsung.com")
> >
> > With verbosity turned up, the log includes:
> > debug: request has exceeded the maximum number of query restarts with 9
> > debug: return error response SERVFAIL
> >
> > It appears Unbound intentionally aborts, and the limits don't appear to
> > have changed since 1.7.0, but maybe the accounting has changed?
> > (I'm not sure if the "Fix cname classification with qname minimisation
> > enabled." change could be related?)
> >
> > I also ran across one other mention of what I believe is the same issue
> > at: https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1608638.html
> >
> >
> > Is this a straight up bug or are there some settings (other than
> > disabling qname-minimisation) that I just fail to find that can counter
> > this new behavior?
> >
> > I find it a bit concerning since there's some very high profile
> > sites/services using the affected Akamai CDN (with their rather
> > enthusiastic CNAME usage) and that 1.7.2 apparently enables
> > qname-minimisation by default.
> >
> >
> > /Håkan
>
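
A simplified model of the restart accounting discussed in this thread, added here as an example (it is not Unbound's code and not part of the original messages). It compares counting CNAMEs seen on minimised queries against counting only CNAMEs for the full name; the zone data, the function names, and the rule that a CNAME on a partial name is counted but not followed are assumptions.

```python
MAX_RESTARTS = 8  # CNAME limit stated in the thread

# Constructed data, not real Akamai records. Full-name CNAME chain;
# a value of None marks a terminal name (address records, no CNAME).
CHAIN = {
    "cdn.shop.example.": "cdn.shop.example.edge.cdn-a.test.",
    "cdn.shop.example.edge.cdn-a.test.": "e1.a.b.g.cdn-b.test.",
    "e1.a.b.g.cdn-b.test.": "a1.x.y.w.cdn-c.test.",
    "a1.x.y.w.cdn-c.test.": None,
    "loop-a.test.": "loop-b.test.",   # a genuine CNAME loop
    "loop-b.test.": "loop-a.test.",
}
# Assumed zones whose servers answer with a CNAME for any name below the apex,
# including the intermediate names a minimising resolver asks about.
EAGER_ZONES = ("edge.cdn-a.test.", "cdn-b.test.", "cdn-c.test.")

def server_answer(qname):
    """Return the CNAME target the constructed server gives, or None."""
    if qname in CHAIN:
        return CHAIN[qname]
    for zone in EAGER_ZONES:
        if qname.endswith("." + zone):
            return "placeholder." + zone
    return None

def minimised_steps(name):
    """Names queried under qname minimisation, shortest suffix first."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def resolve(qname, count_partial):
    """count_partial=True models the 1.7.1 accounting, False the fix."""
    restarts, name = 0, qname
    while True:
        for q in minimised_steps(name):
            target = server_answer(q)
            if target is None:
                continue
            is_full = q == name
            if is_full or count_partial:
                restarts += 1
                if restarts > MAX_RESTARTS:
                    return ("SERVFAIL", restarts)
            if is_full:
                name = target  # follow the real CNAME and restart
                break
        else:
            return ("NOERROR", restarts)  # full name had no CNAME

if __name__ == "__main__":
    for mode in (True, False):
        print(mode, resolve("cdn.shop.example.", mode), resolve("loop-a.test.", mode))
```

With only full-name CNAMEs counted, the three-step chain resolves while the genuine loop still hits the limit, so the loop protection is kept.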