Greetings,

I'm not sure whether I am doing something wrong so I'd rather get
someone's opinion before submitting a bug report.

Since the upgrade to f33 I replaced my stubby setup with
systemd-resolved since it is now the default. I was OK with that
change since I didn't lose functionality compared to my previous
setup. But it is breaking getaddrinfo() and IP address resolution in
general, and that's an annoying regression.

With Varnish we use getaddrinfo() for both IP addresses and domain
names; optionally we may set the numeric flag, but otherwise it used to
work out of the box. Now if I try to resolve an IP address without the
numeric flag it hangs, never receiving a response from
systemd-resolved:

> #0  0x00007f011ed8690e in ppoll () from /lib64/libc.so.6
> #1  0x00007f011c8604f6 in bus_poll.lto_priv () from /lib64/libnss_resolve.so.2
> #2  0x00007f011c860f86 in sd_bus_call () from /lib64/libnss_resolve.so.2
> #3  0x00007f011c85b249 in _nss_resolve_gethostbyname4_r () from /lib64/libnss_resolve.so.2
> #4  0x00007f011ed7a397 in gaih_inet.constprop () from /lib64/libc.so.6
> #5  0x00007f011ed7b269 in getaddrinfo () from /lib64/libc.so.6

I checked with dig(1) and got the same behavior, so it happens
regardless of the method, be it via the D-Bus/libnss_resolve route or
straight UDP:

$ dig getfedora.org | grep -e HEADER -e SERVER
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6462
;; SERVER: 127.0.0.53#53(127.0.0.53)

$ dig +timeout=1 1.1.1.1
; <<>> DiG 9.11.24-RedHat-9.11.24-2.fc33 <<>> +timeout=1 1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig +timeout=1 @1.1.1.1 1.1.1.1 | grep -e HEADER -e SERVER
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51616
;; SERVER: 1.1.1.1#53(1.1.1.1)

$ dig +timeout=1 @8.8.8.8 1.1.1.1 | grep -e HEADER -e SERVER
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40077
;; SERVER: 8.8.8.8#53(8.8.8.8)

I'm not getting an answer from systemd-resolved when I try to query an
IP address, despite recursive resolvers replying with NXDOMAIN. This
is the case for my network's resolver, not just the 1.1.1.1 and
8.8.8.8 examples I gave above. The resolved.conf(5) manual is rather
short, and I'm not seeing anything obvious that could explain this
behavior. At best, I could assume a DoS mitigation, refusing to
resolve blatantly invalid domains, but that's breaking the automatic
getaddrinfo() fallback to resolving the numeric IP. In particular,
when my recursive resolver doesn't make a big deal about it, I'd
rather get a timely NXDOMAIN.

Any ideas?

Thanks,
Dridi
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
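The caller-side workaround for the hang described in the message above, as an added example that is neither Varnish's code nor anything posted in this thread: ask getaddrinfo() for a literal first with AI_NUMERICHOST, and only fall back to a name lookup when glibc reports EAI_NONAME (which it does for a non-literal under AI_NUMERICHOST without consulting NSS). That way "1.1.1.1" is never handed to libnss_resolve as a name, so systemd-resolved never gets asked for it. The function names, the enum and the port "53" are my own choices for illustration; the program takes the strings to resolve on its command line.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* Which path produced the answer (names are this example's, not Varnish's). */
enum lookup_path { LOOKUP_FAILED = -1, LOOKUP_NUMERIC = 0, LOOKUP_NAME = 1 };

/*
 * First pass with AI_NUMERICHOST: glibc parses the literal itself and
 * returns EAI_NONAME for anything that is not an address, without
 * consulting NSS, so "1.1.1.1" never becomes a DNS query to
 * systemd-resolved.  Only a string that is not a literal falls through
 * to the second, NSS-backed lookup.
 */
static int
resolve_numeric_first(const char *host, const char *port, struct addrinfo **out)
{
    struct addrinfo hints;
    int rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;

    rc = getaddrinfo(host, port, &hints, out);
    if (rc == 0)
        return LOOKUP_NUMERIC;
    if (rc != EAI_NONAME)
        return LOOKUP_FAILED;          /* genuine failure, not "not a literal" */

    hints.ai_flags = AI_NUMERICSERV;   /* now allow a name lookup via NSS */
    rc = getaddrinfo(host, port, &hints, out);
    return rc == 0 ? LOOKUP_NAME : LOOKUP_FAILED;
}

/* Is this string an IPv4/IPv6 literal?  Never touches NSS or the network. */
static int
is_numeric_host(const char *host)
{
    struct addrinfo hints, *res;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return 0;
    freeaddrinfo(res);
    return 1;
}

/* Render the first address of a result as text; NI_NUMERICHOST avoids a reverse lookup. */
static int
addr_to_string(const struct addrinfo *ai, char *buf, size_t len)
{
    return getnameinfo(ai->ai_addr, ai->ai_addrlen, buf, (socklen_t)len,
                       NULL, 0, NI_NUMERICHOST);
}

int
main(int argc, char **argv)
{
    int i;

    for (i = 1; i < argc; i++) {
        struct addrinfo *res = NULL;
        char buf[64];
        int path = resolve_numeric_first(argv[i], "53", &res);

        if (path == LOOKUP_FAILED) {
            printf("%s: lookup failed\n", argv[i]);
            continue;
        }
        if (addr_to_string(res, buf, sizeof buf) == 0)
            printf("%s -> %s (%s)\n", argv[i], buf,
                   path == LOOKUP_NUMERIC ? "literal, no DNS" : "name lookup");
        freeaddrinfo(res);
    }
    return 0;
}
```

Run it as `./a.out 1.1.1.1 ::1 getfedora.org`: the two literals return immediately without a DNS round trip, and only the last argument goes through NSS. The split also keeps the numeric path free of any timeout you might otherwise have to bolt onto the name lookup.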