Opened 8 years ago

Last modified 4 years ago

#5881 new defect

djbdns cache does not reply A record of deep CNAME chain

Reported by: moo Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: packages Version:
Keywords: djbdns dns network Cc:

Description

/etc/init.d/dnscache restart

first try:

$ dig k.pconline.com.cn

; <<>> DiG 9.4.3-P3 <<>> k.pconline.com.cn
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42319
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;k.pconline.com.cn.     IN  A

;; ANSWER SECTION:
k.pconline.com.cn.  3600    IN  CNAME   kzhidao.pconline.chinacache.net.
kzhidao.pconline.chinacache.net. 1801 IN CNAME  kzhidao.pconline.cnc.chinacache.net.

;; Query time: 3299 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Sep 22 16:06:26 2009
;; MSG SIZE  rcvd: 115

2nd try:

$ dig k.pconline.com.cn

; <<>> DiG 9.4.3-P3 <<>> k.pconline.com.cn
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58636
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;k.pconline.com.cn.     IN  A

;; ANSWER SECTION:
k.pconline.com.cn.  3587    IN  CNAME   kzhidao.pconline.chinacache.net.
kzhidao.pconline.chinacache.net. 1789 IN CNAME  kzhidao.pconline.cnc.chinacache.net.
kzhidao.pconline.cnc.chinacache.net. 120 IN A   219.136.245.211

;; Query time: 149 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Sep 22 16:06:39 2009
;; MSG SIZE  rcvd: 131

imho, it should return the A record in 1 go. Currently my Firefox says "cannot resolve the host" at the first request, and I have to press F5/retry to get it to work.

Attachments (1)

330-fix-dnscache-cname-handling.patch (1.9 KB) - added by ylxuu72@… 5 years ago.
This patch fixes the deep CNAME chain resolve issue, and it also includes Peter Conrad's use-after-free bug fix.

Change History (9)

comment:1 Changed 8 years ago by jhalfmoon@…

Hi, a quick first look shows the trouble to be in the patch "200-dnscache-cname-handling.patch". I've compiled dnscache without the patch and the described symptoms are gone. As a quick workaround you can remove the specified patch from your local copy of trunk and compile without it. I'll try to make some time to find the exact cause of this. Thanks for reporting the issue.

comment:2 Changed 8 years ago by jhalfmoon@…

I don't know if I can find out what is really going wrong without diving *really* deep into the dnscache code. I made some tcpdumps, one with the 'bad' patch and one without the patch. One thing I was able to conclude is that the fault is with dnscache and not with the nameservers. Although the servers do behave strangely. For example:

dig -t A +norecurse @ns2.pc.com.cn k.pconline.com.cn
# does not return cnames

dig -t A +norecurse @ns.pc.com.cn k.pconline.com.cn
# returns 2 cnames, but dnscache correctly ignores out-of-bailiwick cname

I think the problem might lie in the fact that in the 'fail' case, dnscache has received 2 cnames. Of those two, one is marked as bad, I think, because the server is not authoritative for that second cname. When dnscache eventually does receive the correct A record for k.pconline.com.cn (or at least, the alias of its alias), the correct answer is ignored because it cached the 'bad' cname. But this is all just guessing so far.

So concluding:

  • The problem lies in the patch and not in the port;
  • It is an upstream issue. Either the 'bad' patch is fixed or removed, depending on whether the patch does more good than bad or not.

If anyone can shine some more light on this: feel free...
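Added example, not part of the comment above and not dnscache's code: a small Python model of the bailiwick rule mentioned in comment 2, showing why a resolver that drops the out-of-bailiwick CNAME must restart resolution at the first CNAME's target before it can return an A record. The function names and the zone `pconline.com.cn` are assumptions made for the illustration; the records are the two CNAMEs from the ticket's first dig answer, reused as a constructed upstream response.

```python
# Added illustration of bailiwick filtering; not dnscache's implementation.

def norm(name):
    return name.rstrip(".").lower()

def in_bailiwick(owner, zone):
    """True when owner is the zone apex or below it, compared label by label."""
    o, z = norm(owner).split("."), norm(zone).split(".")
    return len(o) >= len(z) and o[-len(z):] == z

def walk_chain(qname, records, zone, max_hops=16):
    """Follow CNAMEs from qname, trusting only records owned inside zone.

    records: (owner, rtype, rdata) tuples from one response.
    Returns (addresses, next_name, rejected). next_name is the name that
    still has to be resolved elsewhere, or None once A records are found.
    """
    trusted = [r for r in records if in_bailiwick(r[0], zone)]
    rejected = [r for r in records if not in_bailiwick(r[0], zone)]
    name = norm(qname)
    for _ in range(max_hops):  # hop limit guards against CNAME loops
        addrs = [d for o, t, d in trusted if t == "A" and norm(o) == name]
        if addrs:
            return addrs, None, rejected
        targets = [d for o, t, d in trusted if t == "CNAME" and norm(o) == name]
        if not targets:
            return [], name, rejected
        name = norm(targets[0])
    raise ValueError("CNAME loop or chain longer than max_hops")

# Constructed upstream response: the two CNAMEs from the first dig answer.
FIRST_RESPONSE = [
    ("k.pconline.com.cn.", "CNAME", "kzhidao.pconline.chinacache.net."),
    ("kzhidao.pconline.chinacache.net.", "CNAME",
     "kzhidao.pconline.cnc.chinacache.net."),
]
# Assumption: the queried server is authoritative for this zone.
ASSUMED_ZONE = "pconline.com.cn"

if __name__ == "__main__":
    addrs, next_name, rejected = walk_chain(
        "k.pconline.com.cn", FIRST_RESPONSE, ASSUMED_ZONE)
    print("addresses:", addrs)
    print("still to resolve:", next_name)
    print("dropped as out of bailiwick:", rejected)
```

The label-wise comparison matters: a plain string suffix test would wrongly accept a look-alike owner name such as `evilpconline.com.cn` as being inside `pconline.com.cn`.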

comment:3 Changed 6 years ago by anonymous

Peter Conrad has an updated dnscache-cname-handling.patch for this issue at http://marc.sebug.net/?l=djbdns&m=132095662002049&w=1

comment:4 Changed 5 years ago by florian

This patch does not apply to the sources we are already patching, shall we update djbdns?

comment:5 follow-up: Changed 5 years ago by jhalfmoon

Hi florian, simply replace the current file called '200-dnscache-cname-handling.patch' with the new patch by Peter Conrad and everything works just fine.

Changed 5 years ago by ylxuu72@…

This patch fixes the deep CNAME chain resolve issue, and it also includes Peter Conrad's use-after-free bug fix.

comment:6 Changed 5 years ago by ylxu72@…

This patch enlarges the max loop number from 100 to 150 for some Akamai CDN domain resolve failures, such as www.apl.com; its deep CNAME chain (at China Telecom) makes the 100 loops too small.

comment:7 in reply to: ↑ 5 Changed 5 years ago by ylxu72@…

Replying to jhalfmoon:

Hi florian, simply replace the current file called '200-dnscache-cname-

Peter's patch only resolves the memory issue, not this deep CNAME chain issue, but the patch beneath does. Please test the patch beneath and report back.

comment:8 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
