1.7.1 qname-minimisation and Akamai?
Håkan Lindqvist
h at qw.se
Tue Jun 12 17:14:04 UTC 2018
Ok, that sounds great. Thank you!
/Håkan
On Tue, Jun 12, 2018 at 4:36 PM, Ralph Dolmans via Unbound-users <
unbound-users at unbound.net> wrote:
> Hi Hakan,
>
> This is indeed related to the CNAME classification change in 1.7.1.
> After that change responses for the minimised queries can be treated as
> CNAME responses. Unbound has a limit in number of CNAMEs to follow to
> prevent loops, that limit is 8. Because the nameserver here gives CNAMEs
> for some of the minimised CNAME targets, the number of received
> CNAMEs passes the maximum and Unbound stops resolving.
>
> I committed a fix that only counts CNAME for the full name, not for the
> partial/minimised queries.
>
> -- Ralph
>
> On 11-06-18 23:31, Håkan Lindqvist via Unbound-users wrote:
> > Hi,
> >
> > I ran into an issue where it appears that Unbound 1.7.1 fails to
> > resolve some Akamai CDN names if qname-minimisation is enabled
> > (consistently responds with SERVFAIL).
> > 1.7.0 did not exhibit the same behavior with identical configuration.
> >
> > A couple of example names: cdn.samsung.com,
> > storeedgefd.dsx.mp.microsoft.com (e.g. "dig @unbound cdn.samsung.com")
> >
> > With verbosity turned up, the log includes:
> > debug: request has exceeded the maximum number of query restarts with 9
> > debug: return error response SERVFAIL
> >
> > It appears Unbound intentionally aborts, and the limits don't appear to
> > have changed since 1.7.0, but maybe the accounting has changed?
> > (I'm not sure if the "Fix cname classification with qname minimisation
> > enabled." change could be related?)
> >
> > I also ran across one other mention of what I believe is the same issue
> > at: https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1608638.html
> >
> >
> > Is this a straight up bug or are there some settings (other than
> > disabling qname-minimisation) that I just fail to find that can counter
> > this new behavior?
> >
> > I find it a bit concerning since there's some very high profile
> > sites/services using the affected Akamai CDN (with their rather
> > enthusiastic CNAME usage) and that 1.7.2 apparently enables
> > qname-minimisation by default.
> >
> >
> > /Håkan
>
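The accounting difference described in this thread, as an added example (a simplified model, not Unbound source code and not written by either poster). The zone data, the names under `.example`/`.test` and the helpers `minimised_names` and `resolve` are constructed for illustration; the model assumes a CNAME returned for a partial name is counted (1.7.1) or ignored (fix) but never followed.

```python
# Simplified model of CNAME-restart accounting; not Unbound source code.
MAX_RESTARTS = 8  # CNAME limit quoted in the thread

# Constructed zone data (reserved .example/.test names, RFC 5737 address).
RECORDS = {
    "www.site.example": ("CNAME", "www.site.example.edge.cdn.test"),
    "www.site.example.edge.cdn.test": ("CNAME", "e1.g.dsc.cdn.test"),
    "e1.g.dsc.cdn.test": ("CNAME", "e1.x.dscx.cdn.test"),
    "e1.x.dscx.cdn.test": ("A", "192.0.2.10"),
}
# Assumption: the CDN nameserver also answers these partial names with a CNAME.
PARTIAL_CNAMES = {
    "edge.cdn.test", "example.edge.cdn.test", "site.example.edge.cdn.test",
    "dsc.cdn.test", "g.dsc.cdn.test", "dscx.cdn.test", "x.dscx.cdn.test",
}

def minimised_names(qname):
    """Yield the names a minimising resolver asks for, shortest suffix first."""
    labels = qname.split(".")
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:])

def resolve(qname, count_partial):
    """Return (rcode, restarts). count_partial=True models the 1.7.1
    accounting described in the thread; False models the committed fix."""
    restarts = 0
    current = qname
    while True:
        for name in minimised_names(current):
            if name != current:
                # Partial (minimised) query: a CNAME here is never followed.
                if count_partial and name in PARTIAL_CNAMES:
                    restarts += 1
                    if restarts > MAX_RESTARTS:
                        return "SERVFAIL", restarts
                continue
            rtype, rdata = RECORDS.get(name, ("NODATA", None))
            if rtype == "CNAME":
                restarts += 1
                if restarts > MAX_RESTARTS:
                    return "SERVFAIL", restarts
                current = rdata  # restart resolution at the CNAME target
                break
            return ("NOERROR" if rtype == "A" else "NODATA"), restarts

if __name__ == "__main__":
    print("1.7.1 accounting:", resolve("www.site.example", True))
    print("fixed accounting:", resolve("www.site.example", False))
```

With the constructed data the chain has only three real CNAME hops, yet counting the partial-name CNAMEs pushes the total past the limit before the final A record is reached.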