
DNS Lib Underscore Bug Bites Everyone's Favorite Init Tool, Blanks Netflix (theregister.co.uk) 292

Reader OneHundredAndTen writes and shares a report: Systemd doing what it does best. From a report on The Register: A few Penguinistas spent a weekend working out why they can't get through to Netflix from their Linux machines, because when they tried, their DNS lookups failed. The issue emerged over the weekend, when Gentoo user Dennis Schridde submitted a bug report to the Systemd project. Essentially, he described a failure within systemd-resolve, a Systemd component that turns human-readable domain names into IP addresses for software, like web browsers, to connect to. The Systemd resolver couldn't look up Netflix's servers for Schridde's web browser, according to the report. In his detailed post, Schridde said he expected this to happen: ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net gets resolved to 37.77.187.142 or 2a00:86c0:5:5::142. When in reality, that wasn't happening, so Netflix couldn't be reached on his box. His speculation that libidn2, which adds internationalised domain names support to the resolver, was at fault turned out to be accurate. Rebuilding Systemd without that library cleared the problem.
This discussion has been archived. No new comments can be posted.

  • Not a bug (Score:5, Insightful)

    by arth1 ( 260657 ) on Monday July 24, 2017 @11:06AM (#54867451) Homepage Journal

    Underscores are not allowed in domain names. Some resolvers allow them for historical reasons, because they were common in Microsoft environments that defaulted to converting a space to an underscore when entering the hostname on initial configuration, back when Microsoft thought that everybody would be using Microsoft Network and not Internet.

    But they're not legal, and should NOT resolve. My DNS servers do not have the ancient msdos compatibility turned on, and reject them as they should.

    libidn (internationalized domain names, punycode) do not use them either, and if it rejects them, all the better.

    • If we're on the subject of what's wrong with this hostname, I'll add that they put "ipv6" in the hostname itself and yet it can resolve to an ipv4 address.

      • Re:Not a bug (Score:5, Insightful)

        by arth1 ( 260657 ) on Monday July 24, 2017 @11:15AM (#54867531) Homepage Journal

        Don't expect the hostname to match functionality. One of the companies I have to download patches from every now and then have their ftp server named wwwonly.

        That said, and back to topic, underscores can be used in DNS, but not for hostnames, only for other services. Hostnames are restricted by rfc1123. So if it returned an SRV record or similar, it would be fine.
        But don't name a host with an underscore.

    • Re:Not a bug (Score:5, Insightful)

      by aardvarkjoe ( 156801 ) on Monday July 24, 2017 @11:11AM (#54867499)

      But they're not legal, and should NOT resolve. My DNS servers do not have the ancient msdos compatibility turned on, and reject them as they should.

      Although apparently the behavior that it has is to strip out the offending characters and then try to resolve the result, which doesn't make a whole lot of sense either.

      From the bug, it looks like the problem is caused by linking with libidn2, and support for that was marked as "experimental" in systemd, so this really doesn't matter much. You shouldn't be enabling experimental features in software unless you're willing to deal with potential problems.

    • by OzPeter ( 195038 )

      Underscores are not allowed in domain names.

      But .. but .. but .. systemd!!!!!!

    • Re: (Score:2, Informative)

      Underscores are not allowed in domain names.

      That has not been the case and is not the case currently. RFC 2181 dictates differently and more specifically section 11 of said RFC. [ietf.org]

      • It says no such thing. Learn to read.
        • I don't know who the AC person was that decided to go full on retard there is, but it's just simple misunderstanding on my part. You are correct in that hostnames cannot have underscore. I'll leave this here [sourceforge.net] for all the other parts of DNS that do allow underscore. That said, my confusion was taking sub-domain and mixing it with hostname. Honest mistake on my part.

        • RFC2181.

          The DNS itself places only one restriction on the particular labels that can be used to identify resource records. That one restriction relates to the length of the label and the full name. The length of any one label is limited to between 1 and 63 octets. A full domain name is limited to 255 octets (including the separators). The zero length full name is defined as representing the root of the DNS tree, and is typically written and displayed as ".". Those restrictions aside, any binary string whatever can be used as the label of any resource record.

      • No it doesn't. That section of RFC 2181 says that a DNS server isn't allowed to refuse to serve a zone because a DNS label in the zone isn't a valid hostname. It does not say that any valid DNS label is a valid hostname, and it does not say that a DNS client must resolve an invalid hostname. In fact, RFC 2181 doesn't define what is or is not a valid hostname at all - for that you should consult RFC 952 (with a small amendment in RFC 1123).

        Basically, you are allowed to use whatever you want as a DNS label bu

        • Urgh, sorry - I just expanded an abbreviated reply to Zero__Kelvin and see that it's you showing that you already know all that. Sorry for lecturing you on something you already understand.

        • It says a bit more than that.
          It says, essentially, that any name label is valid for any RR, and it is up to the client to determine whether or not it considers it valid for resolution.
          In this instance, Netflix is the client. It considers that name valid for its service, and is well within its rights to do so. In the instance that they published that as a URL for you to put into your browser, they would be stepping into bad-netizen territory.

          The real issue here has nothing to do with resolvers. All resol
    • [This discussion](https://stackoverflow.com/questions/2180465/can-domain-name-subdomains-have-an-underscore-in-it) on StackOverflow seems to disagree with that statement. I don't really understand the specifics of it and don't really have time to delve into them right now, but the basics are that while using an underscore is illegal in a host name, it is not illegal to use one in a domain name (I'm not sure of how the difference is discerned here). I'm not saying you're wrong, but it seems like there is c

    • The problem is, Poettering doesn't subscribe to Netflix. If he did, this problem wouldn't have happened :D

    • by Vihai ( 668734 )

      Underscores are not valid in hostnames but are totally legitimate in DNS labels. SRV records come to mind.

      • by arth1 ( 260657 )

        Underscores are not valid in hostnames but are totally legitimate in DNS labels. SRV records come to mind.

        Absolutely, but this was about A/AAAA records.

        Getting a DNS response to an A record query for a hostname with an underscore is as wrong as getting a DNS response to a PTR record for 21.43.65.987.in-addr.arpa

  • Does anyone know if they've settled on a timeline for pulling all SSH into systemd as well?
    • I hear that Poettering has declared ssh a "broken concept", and so he's going to pull telnetd into systemd instead and permanently block port 22.

    • by zm ( 257549 )

      Does anyone know if they've settled on a timeline for pulling all SSH into systemd as well?

      I think right after they pull systemd into emacs.

  • Comment removed based on user account deletion
    • Actually opened and marked as a known issue by developers themselves as news long before some idiot user compiled a non-default setup with an experimental library and was SHOCKED! SHOCKED! I tell you, that he found a bug.

  • by Balial ( 39889 ) on Monday July 24, 2017 @11:22AM (#54867569) Homepage

    "A Gentoo user ... recompiled a component... everything is working OK now".

    How is this not working as designed?

  • systemd = not-invented-here anti-UNIX botnet trash

  • I assume the poster wanted to be funny, right ?

    Or is it one of those "black is white", "up is down" orwellian thing ?

    Living in interesting times....

    • by Rakarra ( 112805 )

      I assume the poster wanted to be funny, right ?

      Or is it one of those "black is white", "up is down" orwellian thing ?

      Living in interesting times....

      It was a dickweed editor trying to be snarky in an article title.

  • systemd network manager also does not do server stuff too well like bonding / bridging / etc.

    • by zdzichu ( 100333 )

      This is completely false:
      https://www.freedesktop.org/so... [freedesktop.org]

      Why do you lie?

    • by GlennC ( 96879 )

      systemd network manager also does not do server stuff...

      [satire_mode = ON]

      That's because apparently the systemd crew thinks Linux is only used in laptops and the occasional desktop, but never on a device with more than one network port.

      [satire_mode = OFF]

  • Yes, it is a bug (Score:5, Informative)

    by mrsam ( 12205 ) on Monday July 24, 2017 @11:39AM (#54867701) Homepage

    The systemd fan club's response is that underscores are not allowed in DNS, and that this is ultimately a libidn2 bug.

    Both of these excuses are claptrap.

    Underscores are not valid in hostnames. They are valid in DNS labels.

    It is not the DNS resolver's job to translate internationalized domain names. It is the application's job to do so. The DNS resolver's job is to resolve the request. Full stop. Ten year old versions of bind will happily process, and pass on, internationalized domain names. This is because internationalized domain names get transcoded into ASCII-compatible encoding and THAT's what's in DNS.

    The way that it should work is as follows: an application, such as a web browser, translates an international domain name into ASCII-encoded hostname, and then looks it up in DNS. It would be the application's responsibility to use libidn2, or some other equivalent, to do the translation.

    A typical systemd fail.

    • It's not just that underscores are valid. They are *required* for some uses of DNS. For example DKIM and DMARC records.

      • by Strider- ( 39683 )

        And the underscore was chosen to effectively put those records in a different namespace than A and AAAA records.
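The hostname versus DNS-name distinction argued over in the comments above, as an added example (not code from any poster, systemd or libidn2): it applies only the RFC 2181 length limits to decide whether something is a legal DNS name, then the RFC 952/1123 letter-digit-hyphen rule to decide whether it is also a legal hostname. The function names and the `example.com` samples are constructed for illustration; escaped dots inside labels are assumed not to occur.

```python
import re

# RFC 952 / RFC 1123 host label: letters, digits, hyphen (LDH); a hyphen may
# not come first or last. RFC 1123 additionally allows a leading digit.
_HOST_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def split_labels(name):
    """Split a presentation-format name on dots, ignoring one trailing root dot.

    Assumption: no backslash-escaped dots inside labels.
    """
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []


def is_valid_dns_name(name):
    """RFC 2181 section 11 limits only: label 1..63 octets, name <= 255 octets."""
    labels = [label.encode("utf-8") for label in split_labels(name)]
    if any(not 1 <= len(label) <= 63 for label in labels):
        return False
    # Wire format: one length octet per label, plus the root's zero octet.
    return sum(len(label) + 1 for label in labels) + 1 <= 255


def is_valid_hostname(name):
    """Valid DNS name whose every label also satisfies the LDH host rule."""
    labels = split_labels(name)
    return (bool(labels) and is_valid_dns_name(name)
            and all(_HOST_LABEL.fullmatch(label) for label in labels))


def classify(name):
    """Return 'hostname', 'dns-name-only' or 'invalid'; never rewrites the name."""
    if not is_valid_dns_name(name):
        return "invalid"
    return "hostname" if is_valid_hostname(name) else "dns-name-only"


if __name__ == "__main__":
    samples = [
        "ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net",  # name from the story
        "www.example.com",        # constructed
        "_dmarc.example.com",     # constructed, DMARC-style label
        "_sip._tcp.example.com",  # constructed, SRV-style labels
        "a..example.com",         # constructed, empty label
    ]
    for s in samples:
        print(f"{classify(s):14} {s}")
```

The checker reports a verdict and leaves the name untouched, so a caller either looks up exactly what was asked for or refuses; it never queries a silently altered name.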

  • by thegarbz ( 1787294 ) on Monday July 24, 2017 @11:45AM (#54867757)

    A bug was noted in an optional library that wasn't default for any release of systemd.
    The following release of systemd downgraded support of the optional unused library libidn2 to experimental.
    A pull request was put in the bug tracker by the maintainer (not Poettering) to fix this in the future.
    Some dude compiles a piece of software with an experimental library and ... wait for it, this is the best part ... he notices a bug.

    It makes front page news and Slashdot users start frothing from their mouth in their stupor.

    And you wonder why complaints aren't taken seriously by developers. *golfclap*

    • You missed a step.

      * thegarbz and the rest of the systemd fan club start pretending that just because this one bug isn't serious, the rest of the problems with systemd and its developers aren't real.

      • * thegarbz and the rest of the systemd fan club start pretending that just because this one bug isn't serious, the rest of the problems with systemd and its developers aren't real.

        Oh no I saw that step. But we've filed it with the rest of the bullshit and hyperbole in its rightful place.

  • Why in the FUCK is your init system messing with this type of shit?
    What's next? Will you add an email client?

  • Train Wreck (Score:4, Interesting)

    by slack_justyb ( 862874 ) on Monday July 24, 2017 @11:54AM (#54867813)

    It's abundantly clear that systemd-resolved has quickly become a train wreck. Its inclusion in Ubuntu 16.10 was widely lamented [dns-oarc.net] and many folks have pointed out huge concerns for several [launchpad.net] different [github.com] assumptions [github.com] that it makes for fallbacks and erroneous configurations. That's not including the several [github.com] different [slashdot.org] bugs [launchpad.net] that have plagued systemd-resolved thus far. Granted many of them are fixed but with the breakage what have we bought? Something that's a pretty basic task now requiring patch after patch. Additionally, what has this solved? Now we can make DNS configuration a bit easier to integrate across the board?

    The bad rep that systemd especially resolved has obtained isn't just simply one where grey beards say "it's too different". It is one that time and time again, ignorant assumptions, bloated egos, and hasty code have led to a general distrust, especially when tools that have always worked are suddenly not working or worse still, become methods for exploits. I still think systemd is a vast improvement over the "ye olde init scripts", but while the idea is commendable, its execution has been somewhat lackluster to put it mildly. There needs to be a serious "Come to Jesus" moment for the systemd team. You need to build trust if you're going to build something that's rewriting the books. This is just another example of how that trust is being chipped away. Complexity of the task at hand aside, either the team is up to delivering or they are not. This ostinato where breakage just keeps happening needs a serious all hands or something to restore trust in the team guiding this project. Poettering, you are doing no favors to yourself nor your team by these stories. Deliver us from the hell of bad init if that's what you seek, but don't plunge us deeper into a different hell of your making and say that it's alright because you're the one who built it.

    • by gweihir ( 88907 )

      I think the systemd team just cannot hack it. They are too dysfunctional. Systemd needs to die before something that actually improves on the classic solutions will get a chance.

  • We were bitten by this a few months ago when Microfocus (Novell)/SLES updated some dns libs. We had been using underscores since, well, forever and it worked fine right up to change. It took a while to figure out what had happened. A few record/config changes later and all was well.
  • This is the issue [github.com] on systemd's github. It actually notes that they are aware of this and downgraded support for libidn2 to experimental.

    This issue isn't newsworthy. As others have noted in the comments, underscores are not supposed to be in hostnames (they can be in other DNS RRs) and is about a bug in an experimental feature in a release of systemd that is not in any stable distros. People running rolling distros using the latest versions of everything are going to experience bugs. That's not news.

    It
  • Do Linux users who use SysVinit encounter this issue?

  • The issue emerged over the weekend

    Gentoomen will get the joke. BTW, systemd is not used by default in Gentoo.

  • Back in the 1990's I was asked if .COM and .NET should continue to accept underscore in domain registrations. This was after I added "check-names" to BIND to prevent address and MX records with non-LDH names being accidentally added to zones in contravention of RFC 952 and RFC 1123 (still the current host requirement specification). I pointed out that if underscore was permitted that people would be continually having to explain why address lookups for names like "a.label_with_underscore.com" would not wor
