DNS Lib Underscore Bug Bites Everyone's Favorite Init Tool, Blanks Netflix (theregister.co.uk)
Date: 2017-07-24
Reader OneHundredAndTen writes and shares a report: Systemd doing what it does best. From a report on The Register: A few Penguinistas spent a weekend working out why they can't get through to Netflix from their Linux machines, because when they tried, their DNS lookups failed. The issue emerged over the weekend, when Gentoo user Dennis Schridde submitted a bug report to the Systemd project. Essentially, he described a failure within systemd-resolve, a Systemd component that turns human-readable domain names into IP addresses for software, like web browsers, to connect to. The Systemd resolver couldn't look up Netflix's servers for Schridde's web browser, according to the report. In his detailed post, Schridde said he expected this to happen: ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net gets resolved to 37.77.187.142 or 2a00:86c0:5:5::142. When in reality, that wasn't happening, so Netflix couldn't be reached on his box. His speculation that libidn2, which adds internationalised domain names support to the resolver, was at fault turned out to be accurate. Rebuilding Systemd without that library cleared the problem.
But users with systemd is NOT an 'edge case' really. In fact it's becoming more like users WITHOUT systemd would be the edge cases, within *nix.
But users with systemd is NOT an 'edge case' really. In fact it's becoming more like users WITHOUT systemd would be the edge cases, within *nix.
One has to wonder what other subtle bugs are in systemd. Purely unintentionally, of course. No TLAs would want an opportunity to widely disseminate new bugs into vast numbers of systems.
People read headlines on Slashdot? I just look at comment numbers and pop in, I really think this crypto currency stuff is getting dangerous. We need more Net Neutrality, because it will fix the problem with congress leaving too many tweets for Kaspersky to hack the elections.. appy apps? O.o
But users with systemd is NOT an 'edge case' really. In fact it's becoming more like users WITHOUT systemd would be the edge cases, within *nix.
I believe the edge case is Netflix viewers running systemd, not just users with systemd. Sure many people view Netflix via Linux, but I doubt it is a significant portion of all Netflix viewers, thus an edge case. Offended by being referred to as an edge case? Perhaps "edge case" is a bit too much troll as the parent post is getting modded, "relatively minor case" may be more accurate.
And yeah, systemd still sucks, but doesn't warrant sensationalized headlines.
Nor does it deserve the title Everyone's favorite init tool
Personally, I read that as sarcasm. I still presume it was intended that way.
The problem is systemd breaking unexpectedly (Score:5, Insightful)
The real problem here isn't that a handful of Linux users couldn't use Netflix.
The real problem is that, yet again, systemd has been involved in critical functionality breaking in an unusual and unexpected way.
It doesn't matter if it was an external library that systemd used that's responsible. Systemd is responsible for the problem because it uses this flawed library.
There's no reason for systemd to be involved with resolving domain names. Linux got by just fine throughout the 1990s, the 2000s, and even a big part of the 2010s without systemd being involved. Yet now that systemd is involved, things are going to hell.
Long time Linux users will be very aware of how problematic systemd so often is in the dumbest of ways.
Maybe somebody who just started using Linux in the systemd era thinks it's acceptable for their system to sometimes not boot properly, or for the domain name resolution to break unexpectedly. But long time Linux users know it wasn't like that before systemd was forced on the Linux community, and they know that such breakage is just not acceptable.
This is just the latest in a long chain of problems involving systemd. It has gotten to the point where Linux's reliability is below that of the BSDs, of macOS, and as much as I hate to say it, even modern versions of Windows!
Systemd needs to go, at least from important distros like Debian and Ubuntu. If Fedora wants to screw around with systemd, then so be it. But the other distros should remove it immediately.
Hear, hear!
Why the hell does an init system need a built-in DNS resolver anyway?
No, the real problem is that a library, Libidn, that's used by resolver libraries including that apparently shipped with systemd has a bug in it. The library dates back to 2002, it's not even as if systemd was relying upon some bleeding edge library written specifically for it. And yes, it's best practices, when implementing something like international domains to use a respected third party library rather than trying to roll your own, so they haven't made an error in relying upon it.
This has nothing to
No, the real problem is that Netflix violated RFC 1034 section 3.5 [ietf.org] and RFC 1035 section 2.3.1 [ietf.org], which both explicitly say that hostnames must still conform to the old ARPANET restrictions, which allow only letters, numbers, and hyphens. Underscores have never been legal in DNS hostnames, and in spite of the pain this spec-compliant behavior has caused for some users, the system
systemd & network layer (Score:2)
Does systemd recognize IPv6? Can that be the issue?
Not a bug (Score:5, Insightful)
Underscores are not allowed in domain names. Some resolvers allow them for historical reasons, because they were common in Microsoft environments that defaulted to converting a space to an underscore when entering the hostname on initial configuration, back when Microsoft thought that everybody would be using Microsoft Network and not Internet.
But they're not legal, and should NOT resolve. My DNS servers do not have the ancient msdos compatibility turned on, and reject them as they should.
libidn (internationalized domain names, punycode) does not use them either, and if it rejects them, all the better.
If we're on the subject of what's wrong with this hostname, I'll add that they put "ipv6" in the hostname itself and yet it can resolve to an ipv4 address.
Re:Not a bug (Score:5, Insightful)
Don't expect the hostname to match functionality. One of the companies I have to download patches from every now and then have their ftp server named wwwonly.
That said, and back to topic, underscores can be used in DNS, but not for hostnames, only for other services. Hostnames are restricted by rfc1123. So if it returned an SRV record or similar, it would be fine.
But don't name a host with an underscore.
Re:Not a bug (Score:5, Insightful)
But they're not legal, and should NOT resolve. My DNS servers do not have the ancient msdos compatibility turned on, and reject them as they should.
Although apparently the behavior that it has is to strip out the offending characters and then try to resolve the result, which doesn't make a whole lot of sense either.
From the bug, it looks like the problem is caused by linking with libidn2, and support for that was marked as "experimental" in systemd, so this really doesn't matter much. You shouldn't be enabling experimental features in software unless you're willing to deal with potential problems.
Bullshit.
Disallowing underscores violates RFC2782.
But once it's published, it's pretty much ratified. Here's the mess https://www.ietf.org/rfc/rfc31... [ietf.org]
Underscores are not allowed in domain names.
Re:Not a bug (Score:4, Informative)
Underscores are not allowed in domain names.
That has not been the case and is not the case currently. RFC 2181 dictates differently and more specifically section 11 of said RFC. [ietf.org]
Re: (Score:2)
I don't know who the AC person was that decided to go full on retard there is, but it's just simple misunderstanding on my part. You are correct in that hostnames cannot have underscore. I'll leave this here [sourceforge.net] for all the other parts of DNS that do allow underscore. That said, my confusion was taking sub-domain and mixing it with hostname. Honest mistake on my part.
[This discussion](https://stackoverflow.com/questions/2180465/can-domain-name-subdomains-have-an-underscore-in-it) on StackOverflow seems to disagree with that statement. I don't really understand the specifics of it and don't really have time to delve into them right now, but the basics are that while using an underscore is illegal in a host name, it is not illegal to use one in a domain name (I'm not sure of how the difference is discerned here). I'm not saying you're wrong, but it seems like there is c
Re: (Score:2)
The problem is, Poettering doesn't subscribe to Netflix. If he did, this problem wouldn't have happened
Actually, the "fact" that underscores are illegal in DNS names is a myth, although it does have a kernel of truth to it. The relevant standards for hostnames (as in, the hostname of a server machine in the general case outside of DNS, e.g. as returned by the Linux command 'hostname') disallow underscores. However, the DNS system *does* allow underscores for DNS labels (the fragments of domain names) in general, and in fact they're explicitly used in certain standard cases (e.g. SRV records under names lik
Re: (Score:2)
Yes, they can be (and are) used for other lookup data, but it's fairly common practice to reject them for A and AAAA records, because those are by definition hostname lookups, and hostnames on the internet cannot contain underscores.
When's sshd getting incorporated? (Score:2, Funny)
I hear that Poettering has declared ssh a "broken concept", and so he's going to pull telnetd into systemd instead and permanently block port 22.
Does anyone know if they've settled on a timeline for pulling all SSH into systemd as well?
I think right after they pull systemd into emacs.
Anyone can figure out how to quit out of vim.
Early emacs users were unable to quit out of emacs, and had to resort to rebuilding all OS and application functions using emacs lisp.
Any explanation for this piece of shit problem, asshole?
Because he's technically correct, which is the best kind of correct... The DNS specification expressly prohibits the use of the underscore character in domain names. It's netflix that's at fault here, more than anything else.
Re: (Score:3)
Underscores are not allowed in top level domains names, for example you can't register example_domain.com.
However, in sub-domains they are perfectly legal. For example: my_subdomain.example.com is perfectly valid.
Any explanation for this piece of shit problem, asshole?
Yes. libidn2 is not a default and is marked as experimental and not ready for use. Also libidn2 isn't maintained by Poettering.
Now what would interest far more people is, do you have an explanation for being an unbearable cunt?
i can see it now: (Score:2)
Slashdot:
Lennart: well yes I see how you could think that but once you use OpenRC it becomes very apparent that this bug disappears and is resolved, so of course, it's not a bug.
Actually opened and marked as a known issue by developers themselves as news long before some idiot user compiled a non-default setup with an experimental library and was SHOCKED! SHOCKED! I tell you, that he found a bug.
So reading between the lines... (Score:4, Funny)
"A Gentoo user
... recompiled a component... everything is working OK now".
How is this not working as designed?
systemd = not-invented-here anti-UNIX botnet trash
Hey "Everyone's Favorite Init Tool" ? (Score:2)
I assume the poster wanted to be funny, right ?
Or is it one of those "black is white", "up is down" Orwellian things ?
Living in interesting times....
systemd networkmanager also does not do server stu (Score:2)
systemd network manager also does not do server stuff too well like bonding / bridging / etc.
Yes, it is a bug (Score:2)
The systemd fan club's response is that underscores are not allowed in DNS, and that this is ultimately a libidn2 bug.
Both of these excuses are claptrap.
Underscores are not valid in hostnames. They are valid in DNS labels.
It is not the DNS resolver's job to translate internationalized domain names. It is the application's job to do so. The DNS resolver's job is to resolve the request. Full stop. Ten year old versions of bind will happily process, and pass on, internationalized domain names. This is because i
It's not just that underscores are valid. They are *required* for some uses of DNS. For example DKIM and DMARC records.
So let me get this straight (Score:2)
A bug was noted in an optional library that wasn't default for any release of systemd.
... wait for it, this is the best part ... he notices a bug.
The following release of systemd downgraded support of the optional unused library libidn2 to experimental.
A pull request was put in the bug tracker by the maintainer (not Poettering) to fix this in the future.
Some dude compiles a piece of software with an experimental library and
It makes front page news and Slashdot users start frothing from their mouth in the
You missed a step.
* thegarbz and the rest of the systemd fan club start pretending that just because this one bug isn't serious, the rest of the problems with systemd and its developers aren't real.
Why in the FUCK (Score:2)
Why in the FUCK is your init system messing with this type of shit?
What's next? Will you add an email client?
Train Wreck (Score:4, Interesting)
It's abundantly clear that systemd-resolved has quickly become a train wreck. Its inclusion in Ubuntu 16.10 was widely lamented [dns-oarc.net] and many folks have pointed out huge concerns for several [launchpad.net] different [github.com] assumptions [github.com] that it makes for fallbacks and erroneous configurations. That's not including the several [github.com] different [slashdot.org] bugs [launchpad.net] that have plagued systemd-resolved thus far. Granted many of them are fixed but with the breakage what have we bought? Something that's a pretty basic task now requiring patch after patch. Additionally, what has this solved? Now we can make DNS configuration a bit easier to integrate across the board?
The bad rep that systemd especially resolved has obtained isn't just simply one where grey beards say "it's too different". It is one that time and time again, ignorant assumptions, bloated egos, and hasty code have led to a general distrust, especially when tools that have always worked are suddenly not working or worse still, become methods for exploits. I still think systemd is a vast improvement over the "ye olde init scripts", but while the idea is commendable, its execution has been somewhat lackluster to put it mildly. There needs to be a serious "Come to Jesus" moment for the systemd team. You need to build trust if you're going to build something that's rewriting the books. This is just another example of how that trust is being chipped away. Complexity of the task at hand aside, either the team is up to delivering or they are not. This ostinato where breakage just keeps happening needs a serious all hands or something to restore trust in the team guiding this project. Poettering, you are doing no favors to yourself nor your team by these stories. Deliver us from the hell of bad init if that's what you seek, but don't plunge us deeper into a different hell of your making and say that it's alright because you're the one who built it.
OES/SLES had this issue too (Score:2)
brain tumor legacy regression (Score:2)
Slashdot has gone through bad patches where it jumped the shark twice a week. I sure hope this story isn't a harbinger of leprosy remission.
Quite clearly, an adult is any person who survives much beyond his or her first frat party—which would put drinking ahead of cancer (sub category: tobacco), heart disease, and old age.
But here, "adult" is immediately redefined in the story body as "working-age adults (22-64 years old)".
