Public bug reported:

The pdns-recursor in Xenial returns this:

    $ dig A umcg-nl.mail.protection.outlook.com. @127.0.0.1 +edns +dnssec
    ...
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57895

While it should return this:

    ...
    umcg-nl.mail.protection.outlook.com. 10     IN A    213.199.154.87
    umcg-nl.mail.protection.outlook.com. 10     IN A    213.199.154.23

Because the relevant NS returns FORMERR (it doesn't support EDNS):

    $ dig A umcg-nl.mail.protection.outlook.com. \
        @ns1-proddns.glbdns.o365filtering.com. +edns +dnssec
    ...
    ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1004
    ...
    ;; WARNING: EDNS query returned status FORMERR - retry with '+nodnssec +noedns'

This has been fixed in later versions of pdns, specifically here:

https://github.com/PowerDNS/pdns/commit/9d534f2a12defc44d2a79291bf34b82e5ee28121

After applying that patch onto 4.0.0~alpha2-2, pdns-recursor behaves as
expected and returns the correct A records.


This bug manifested itself in our case through Postfix not being able to
send mail to Office 365 domains. When Postfix tried to enable optional
DNSSEC validation -- which it did because of a built-in default -- the A
record lookups would start to fail, and this failure would be cached for
non-EDNS lookups as well.

See original discussion here:
http://postfix.1071664.n5.nabble.com/EDNS-DANE-trouble-with-Microsoft-mail-protection-outlook-com-td87331.html#a87353
"EDNS / DANE trouble with Microsoft mail.protection.outlook.com."

Attached, the patch that appears to fix the problem.

IMHO, Xenial (being an LTS) needs to get this fixed. Either by updating
from 4.0.0 to something more recent, or by applying this patch.

Cheers,
Walter Doekes
OSSO B.V.

** Affects: pdns-recursor (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: patch

** Patch added: "9d534f2a12defc44d2a79291bf34b82e5ee28121.patch"
   
https://bugs.launchpad.net/bugs/1646538/+attachment/4785809/+files/9d534f2a12defc44d2a79291bf34b82e5ee28121.patch
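
The fallback the report expects from a recursor, as an added sketch that is not PowerDNS code and not part of the original report: on FORMERR to an EDNS query, retry without EDNS and remember the downgrade per nameserver instead of failing the name. `Upstream`, `legacy_server` and the `fallback` switch are hypothetical names, and the server is a constructed stand-in that runs offline.

```python
import struct

NOERROR, FORMERR, SERVFAIL = 0, 1, 2
# OPT pseudo-RR: root name, TYPE 41, CLASS = UDP size 1232, TTL carries the DO bit, no RDATA
OPT_RR = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)

def build_query(qname, qid, edns):
    """Minimal A/IN query; edns=True appends an OPT RR with DO set."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    return header + name + b"\x00" + struct.pack("!HH", 1, 1) + (OPT_RR if edns else b"")

def rcode(msg):
    """RCODE is the low 4 bits of the header flags word."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def legacy_server(query):
    """Constructed stand-in for a nameserver without EDNS support:
    FORMERR if the query carries an additional record, NOERROR otherwise."""
    qid, _, _, _, _, arcount = struct.unpack("!HHHHHH", query[:12])
    code = FORMERR if arcount else NOERROR
    return struct.pack("!HHHHHH", qid, 0x8400 | code, 0, 0, 0, 0)

class Upstream:
    """Hypothetical per-nameserver state kept by a recursor."""
    def __init__(self, send):
        self.send, self.edns_ok, self.sent = send, True, []

    def ask(self, qname, qid=0x1234, fallback=True):
        if self.edns_ok:
            self.sent.append("edns")
            code = rcode(self.send(build_query(qname, qid, edns=True)))
            if code != FORMERR:
                return code
            if not fallback:
                return SERVFAIL       # models the symptom in the report
            self.edns_ok = False      # downgrade the server, do not fail the name
        self.sent.append("plain")
        return rcode(self.send(build_query(qname, qid, edns=False)))
```

With `fallback=True` the second lookup against the same server skips EDNS entirely, so the FORMERR is never turned into a failure that could be cached for the name.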

https://bugs.launchpad.net/bugs/1646538

Title:
  pdns-recursor 4.0.0~alpha2-2 fails on FORMERR response to EDNS query
