1.7.1 qname-minimisation and Akamai?

Håkan Lindqvist h at qw.se
Mon Jun 11 21:31:42 UTC 2018


Hi,

I ran into an issue where it appears that Unbound 1.7.1 fails to resolve
some Akamai CDN names if qname-minimisation is enabled (consistently
responds with SERVFAIL).
1.7.0 did not exhibit the same behavior with identical configuration.

A couple of example names: cdn.samsung.com, storeedgefd.dsx.mp.microsoft.com
(e.g. "dig @unbound cdn.samsung.com")

With verbosity turned up, the log includes:
debug: request has exceeded the maximum number of query restarts with 9
debug: return error response SERVFAIL

It appears Unbound intentionally aborts, and the limits don't appear to
have changed since 1.7.0, but maybe the accounting has changed?
(I'm not sure if the "Fix cname classification with qname minimisation
enabled." change could be related?)

I also ran across one other mention of what I believe is the same issue at:
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1608638.html


Is this a straight-up bug or are there some settings (other than disabling
qname-minimisation) that I just fail to find that can counter this new
behavior?

I find it a bit concerning since there's some very high profile
sites/services using the affected Akamai CDN (with their rather
enthusiastic CNAME usage) and that 1.7.2 apparently enables
qname-minimisation by default.


/Håkan