group.of.nepali.translators team mailing list archive
Message #09467
[Bug 1646538] Re: pdns-recursor 4.0.0~alpha2-2 fails on FORMERR response to EDNS query
Can anybody confirm this issue is not present in yakkety?
If so, I can do the actual SRU, but somebody else should 1) format this
bug according to https://wiki.ubuntu.com/SRU 2) test the resulting
package.
** Also affects: pdns-recursor (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: pdns-recursor (Ubuntu Xenial)
Status: New => Triaged
** Changed in: pdns-recursor (Ubuntu Xenial)
Importance: Undecided => High
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1646538
Title:
pdns-recursor 4.0.0~alpha2-2 fails on FORMERR response to EDNS query
Status in pdns-recursor package in Ubuntu:
Triaged
Status in pdns-recursor source package in Xenial:
Triaged
Bug description:
The pdns-recursor in Xenial returns this:
$ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec
...
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57895
While it should return this:
...
umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.87
umcg-nl.mail.protection.outlook.com. 10 IN A 213.199.154.23
Because the relevant NS returns FORMERR (it doesn't support EDNS):
$ dig A umcg-nl.mail.protection.outlook.com. \
@ns1-proddns.glbdns.o365filtering.com. +edns +dnssec
...
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1004
...
;; WARNING: EDNS query returned status FORMERR - retry with '+nodnssec +noedns'
This has been fixed in later versions of pdns, specifically here:
https://github.com/PowerDNS/pdns/commit/9d534f2a12defc44d2a79291bf34b82e5ee28121
After applying that patch onto 4.0.0~alpha2-2, pdns-recursor behaves
as expected and returns the correct A records.
This bug manifested itself in our case through Postfix not being able
to send mail to Office 365 domains. When Postfix tried to enable
optional DNSSEC validation -- which it did because of a built-in
default -- the A record lookups would start to fail, and this failure
would be cached for non-EDNS lookups as well.
See original discussion here:
http://postfix.1071664.n5.nabble.com/EDNS-DANE-trouble-with-Microsoft-mail-protection-outlook-com-td87331.html#a87353
"EDNS / DANE trouble with Microsoft mail.protection.outlook.com."
Attached, the patch that appears to fix the problem.
IMHO, Xenial (being an LTS) needs to get this fixed. Either by
updating from 4.0.0 to something more recent, or by applying this
patch.
Cheers,
Walter Doekes
OSSO B.V.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pdns-recursor/+bug/1646538/+subscriptions
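The fallback that the bug description and dig's warning point to (retry without EDNS when an EDNS query comes back FORMERR), as an added example; it is not PowerDNS code and not the linked commit. All function names, the `send` transport callable, the query name `example.test` and the `legacy_server` stand-in with its 192.0.2.1 answer are constructed for illustration.

```python
import struct

FORMERR = 1                       # RCODE 1, format error (RFC 1035)
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def build_query(name, qid, edns=True, do_bit=True):
    """Build an A query, optionally carrying an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns:
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode/version/flags (DO is the top flag bit), RDLEN 0.
        ttl = 0x00008000 if do_bit else 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, ttl, 0)
    return msg

def rcode(msg):
    """RCODE is the low four bits of the header flags word."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def has_opt(msg):
    """True if ARCOUNT > 0; in these queries that record is the OPT RR."""
    return struct.unpack("!H", msg[10:12])[0] > 0

def query_with_fallback(send, name, qid=0x1234):
    """Ask with EDNS and DO set; on FORMERR retry once as plain DNS.

    `send` is a hypothetical transport: bytes in, response bytes out.
    Returns (response, edns_used).
    """
    resp = send(build_query(name, qid, edns=True))
    if rcode(resp) == FORMERR:
        return send(build_query(name, qid, edns=False)), False
    return resp, True

def legacy_server(query):
    """Constructed stand-in for a name server without EDNS support."""
    qid = query[:2]
    if has_opt(query):            # rejects any query carrying an OPT record
        return qid + struct.pack("!HHHHH", 0x8001, 0, 0, 0, 0)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 10, 4)
              + bytes([192, 0, 2, 1]))   # documentation address, not real data
    return qid + struct.pack("!HHHHH", 0x8000, 1, 1, 0, 0) + query[12:] + answer
```

A response obtained through the plain retry carries no DNSSEC records, so a validating caller has to treat it as unvalidated rather than as a failure.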