Re: [Dnsmasq-discuss] wrong response code for no SRV record
Hi Rob,

Thanks a lot for your response. Please find my responses inline. Btw, your last suggestion has helped me achieve the desired result though I still feel it would be great to have dnsmasq return NXDOMAIN only for a particular domain and forward the remaining domain queries to upstream servers. For example, dnsmasq should be configurable such that query for _kerberos-master._udp.example.com is returned as NXDOMAIN whereas queries for _kerberos._udp.example.com and _kpasswd._udp.example.com are forwarded to upstream server.

Thanks and Regards,
Rahul.

On Tuesday 04 May 2010 01:43 PM, /dev/rob0 wrote:
> Simon Kelley wrote:
>> I think you have mis-interpreted the way this works. NXDOMAIN means that there is no data in the DNS for the given domain. That is not what's happening here. The example line returns a valid SRV record for _ldap._tcp.example.com which happens to be empty. The domain refers to _ldap._tcp.example.com and not the domain which may be returned as part of the reply.
>>
>> Have you encountered real-world problems with the existing behaviour?
>
> On Sat, May 01, 2010 at 02:59:25PM +0530, Rahul Amaram wrote:
>> Well yes. I have encountered some problems with this. I am using Kerberos in my company LAN. While performing kinit on my system, the SRV record for _kerberos-master.udp.EXAMPLE.COM is looked up.
>
> Show the dig(1) results to demonstrate this.

# dig +short _kerberos-master._udp.example.com SRV
[Request forwarded to upstream server]
# echo 'srv-host=_kerberos-master._udp.example.com' >> /etc/dnsmasq.conf
# /etc/init.d/dnsmasq restart
Restarting DNS forwarder and DHCP server: dnsmasq.
# dig +short _kerberos-master._udp.example.com SRV
0 0 1 .
[Response from dnsmasq. I want this response to be NXDOMAIN]
#

> Is EXAMPLE.COM your company LAN domain? Does _kerberos-master.udp.EXAMPLE.COM exist in the form of any RR type, SRV or otherwise?

EXAMPLE.COM is the kerberos realm. I could even have SYNOVEL.COM as the realm.

> Show what Kerberos is actually looking up.
>
> Is it as you said, _kerberos-master.udp.EXAMPLE.COM, or is it perhaps as per the documented LDAP example, _kerberos-master._udp.EXAMPLE.COM?

I do not understand the difference. If the kerberos realm is EXAMPLE.COM it looks up _kerberos-master._udp.example.com. If the kerberos realm is SYNOVEL.COM, it looks up _kerberos-master._udp.synovel.com.

>> Now if an NXDOMAIN is not returned but instead the default port 1 with empty host is returned, the kinit command tries to further resolve that empty host (which I think is replaced with ROOT somehow) and this causes an extreme slowdown of kinit. I think there should be some configuration option to say that an NXDOMAIN should be returned for a particular SRV record. This would be really helpful. What are your thoughts about this?
>
> Useless. NXDOMAIN, as Simon explained, means that there is no record of any RR type for the given name. If you want NXDOMAIN, define yourself as authoritative for any level of the parent domain[s] in question.
>
> local=/EXAMPLE.COM/
>
> or, if you only want the SRV subdomains:
>
> local=/_tcp.EXAMPLE.COM/
> local=/_udp.EXAMPLE.COM/
>
> Then, any name NOT defined under those domains will be NXDOMAIN. I suspect you have misdiagnosed your original issue.

Thanks. This solution works perfectly. I have added local=/_tcp.EXAMPLE.COM/ to dnsmasq.conf and now I am able to get the desired result.
Re: [Dnsmasq-discuss] wrong response code for no SRV record
Hi Rob,

local=/_kerberos-master._udp.example.com/ works like a charm. Really appreciate all the help.

Thanks and Regards,
Rahul.

/dev/rob0 wrote:
> On Tue, May 04, 2010 at 03:29:27PM +0530, Rahul Amaram wrote:
>> Thanks a lot for your response. Please find my responses inline. Btw, your last suggestion has helped me achieve the desired result
>
> That's good, glad to hear it.
>
>> though I still feel it would be great to have dnsmasq return NXDOMAIN only for a particular domain and forward the remaining domain queries to upstream servers. For example, dnsmasq should be configurable such that query for _kerberos-master._udp.example.com is returned as NXDOMAIN whereas queries for _kerberos._udp.example.com and _kpasswd._udp.example.com are forwarded to upstream server.
>
> Something like address=/_kerberos-master._udp.example.com/nxdomain
>
> Actually I think this would work, but I'm not able to try it now:
>
> local=/_kerberos-master._udp.example.com/
>
> With no listings in /etc/hosts that should return NXDOMAIN, not consulting upstream servers.
>
>> On Tuesday 04 May 2010 01:43 PM, /dev/rob0 wrote:
>>> Show what Kerberos is actually looking up.
>>>
>>> Is it as you said, _kerberos-master.udp.EXAMPLE.COM, or is it perhaps as per the documented LDAP example, _kerberos-master._udp.EXAMPLE.COM?
>>
>> I do not understand the difference. If the kerberos realm is
>
> The difference is the leading underscore on the second segment, ._udp. versus .udp.
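The two dnsmasq.conf approaches discussed in this thread side by side, as an added example that is not part of any message above; the upstream server address is an assumption, the names are the thread's own:

```conf
# Added example (not from the thread). Upstream resolver is an
# assumed placeholder address.
server=192.0.2.53

# 1. The setting the thread started from. dnsmasq answers
#    "_kerberos-master._udp.example.com SRV" itself with rcode NOERROR
#    and one record, "0 0 1 ." (priority 0, weight 0, port 1, target
#    "."). That is a valid record, not NXDOMAIN; RFC 2782 defines a
#    target of "." as "service decidedly not available", but the kinit
#    in the thread tried to resolve the empty host and stalled, so this
#    is the setting to avoid for that client.
#srv-host=_kerberos-master._udp.example.com

# 2. What was actually wanted: dnsmasq becomes authoritative for exactly
#    this one name (and anything below it). With nothing defined for it,
#    no srv-host line and no /etc/hosts entry, the reply is NXDOMAIN and
#    the query is never sent upstream. _kerberos._udp.example.com and
#    _kpasswd._udp.example.com are unaffected and still forwarded.
local=/_kerberos-master._udp.example.com/

# Broader variants rob0 suggested. Every otherwise-undefined name under
# these labels becomes NXDOMAIN, which also stops upstream lookups for
# any other _tcp/_udp service record clients rely on, so scope these
# to the narrowest label that does the job.
#local=/_tcp.example.com/
#local=/_udp.example.com/
```

After a restart, `dig +short @127.0.0.1 _kerberos-master._udp.example.com SRV` prints nothing and `dig @127.0.0.1 _kerberos-master._udp.example.com SRV` shows `status: NXDOMAIN` in the header, while the same query for `_kerberos._udp.example.com` still returns whatever the upstream server holds.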
Re: [Dnsmasq-discuss] wrong response code for no SRV record
Hi Simon,

Continuing with my previous discussion, I propose we have a configuration parameter such as srv-host-nxdomain or nxdomain-hosts using which we can force dnsmasq to return NXDOMAIN for any domains that we want to. What do you think?

Regards,
Rahul.

On Saturday 01 May 2010 02:59 PM, Rahul Amaram wrote:
> Well yes. I have encountered some problems with this. I am using Kerberos in my company LAN. While performing kinit on my system, the SRV record for _kerberos-master.udp.EXAMPLE.COM is looked up. Now if an NXDOMAIN is not returned but instead the default port 1 with empty host is returned, the kinit command tries to further resolve that empty host (which I think is replaced with ROOT somehow) and this causes an extreme slowdown of kinit. I think there should be some configuration option to say that an NXDOMAIN should be returned for a particular SRV record. This would be really helpful. What are your thoughts about this?
>
> Simon Kelley wrote:
>> Rahul Amaram wrote:
>>> Hi, I think I have found a bug in dnsmasq though I am not sure if this is the anticipated way it works. In /etc/dnsmasq.conf, it is mentioned:
>>>
>>> # A SRV record indicating that there is no LDAP server for the domain
>>> # example.com
>>> #srv-host=_ldap._tcp.example.com
>>>
>>> which means when a query for this record is made it is supposed to send a NXDOMAIN reply but this does not happen. I am attaching a patch which makes it behave this way. Kindly review it and let me know if I have misinterpreted something. Looking forward to an early reply.
>>
>> I think you have mis-interpreted the way this works. NXDOMAIN means that there is no data in the DNS for the given domain. That is not what's happening here. The example line returns a valid SRV record for _ldap._tcp.example.com which happens to be empty. The domain refers to _ldap._tcp.example.com and not the domain which may be returned as part of the reply.
>>
>> Have you encountered real-world problems with the existing behaviour?
>>
>> Cheers,
>> Simon.
Re: [Dnsmasq-discuss] wrong response code for no SRV record
Well yes. I have encountered some problems with this. I am using Kerberos in my company LAN. While performing kinit on my system, the SRV record for _kerberos-master.udp.EXAMPLE.COM is looked up. Now if an NXDOMAIN is not returned but instead the default port 1 with empty host is returned, the kinit command tries to further resolve that empty host (which I think is replaced with ROOT somehow) and this causes an extreme slowdown of kinit. I think there should be some configuration option to say that an NXDOMAIN should be returned for a particular SRV record. This would be really helpful. What are your thoughts about this?

Simon Kelley wrote:
> Rahul Amaram wrote:
>> Hi, I think I have found a bug in dnsmasq though I am not sure if this is the anticipated way it works. In /etc/dnsmasq.conf, it is mentioned:
>>
>> # A SRV record indicating that there is no LDAP server for the domain
>> # example.com
>> #srv-host=_ldap._tcp.example.com
>>
>> which means when a query for this record is made it is supposed to send a NXDOMAIN reply but this does not happen. I am attaching a patch which makes it behave this way. Kindly review it and let me know if I have misinterpreted something. Looking forward to an early reply.
>
> I think you have mis-interpreted the way this works. NXDOMAIN means that there is no data in the DNS for the given domain. That is not what's happening here. The example line returns a valid SRV record for _ldap._tcp.example.com which happens to be empty. The domain refers to _ldap._tcp.example.com and not the domain which may be returned as part of the reply.
>
> Have you encountered real-world problems with the existing behaviour?
>
> Cheers,
> Simon.
[Dnsmasq-discuss] wrong response code for no SRV record
Hi,

I think I have found a bug in dnsmasq though I am not sure if this is the anticipated way it works. In /etc/dnsmasq.conf, it is mentioned:

# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com

which means when a query for this record is made it is supposed to send a NXDOMAIN reply but this does not happen. I am attaching a patch which makes it behave this way. Kindly review it and let me know if I have misinterpreted something. Looking forward to an early reply.

Regards,
Rahul.

--- dnsmasq-2.52.orig/src/rfc1035.c 2010-01-21 19:52:30.0 +0530 +++ dnsmasq-2.52/src/rfc1035.c 2010-04-29 16:42:36.0 +0530 @@ -1516,17 +1516,19 @@ if (rec-issrv hostname_isequal(name, rec-name)) { found = ans = 1; + if (!rec-target) + nxdomain = 1; if (!dryrun) { unsigned int offset; log_query(F_CNAME | F_FORWARD | F_CONFIG | F_NXDOMAIN, name, NULL, SRV); - if (add_resource_record(header, limit, trunc, nameoffset, ansp, daemon-local_ttl, + if (rec-target + add_resource_record(header, limit, trunc, nameoffset, ansp, daemon-local_ttl, offset, T_SRV, C_IN, sssd, rec-priority, rec-weight, rec-srvport, rec-target)) { anscount++; - if (rec-target) - rec-offset = offset; + rec-offset = offset; } } }
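Review bot: the added `if (!rec->target) nxdomain = 1;` at the top of the matching block makes the reply inconsistent with itself. This block runs for every srv-host entry whose name matches, and it still sets `found = ans = 1`, so when two entries share a name and one of them has an empty target, the second visit flips `nxdomain` to 1 after the first visit has already appended a real SRV record and incremented `anscount`, producing a reply with an answer section and an NXDOMAIN rcode at the same time. The flag is also set in the `dryrun` pass, where nothing else in the block takes effect. If an empty-target srv-host is to mean "name does not exist", guard the assignment so it only applies when no other answer for the name has been added, and document the new meaning of an empty target in the man page and the example config, since the existing comment ("A SRV record indicating that there is no LDAP server") describes a record, not a missing name. As Simon notes, the current empty record is the intended way to say the service is absent, so the change may not be needed at all.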