** Description changed:

  [impact]
  
  when talking to upstream nameservers, systemd-resolved limits its
  advertised max packet size as 512 in its edns0 opt. However, one of the
  primary benefits of edns0 is to allow using packet sizes larger than
  512, which is the pre-edns0 max packet size.
  
  this results in systemd-resolved failing to handle responses larger than
  512 with udp/edns0, and having to fall back to tcp. This is not optimal
  (since tcp dns imposes significantly higher overhead) and may even cause
  failures, if a firewall allows udp dns but blocks tcp dns traffic.
  
  [test case]
  
  enable debug logging in systemd-resolved, with 'sudo systemctl edit
  systemd-resolved' and then add:
  
  [Service]
  Environment=SYSTEMD_LOG_LEVEL=debug
  
  then save that file and restart systemd-resolved (or reboot).
  
  Make sure to flush the cache and reset server features before
  reproducing:
  
  $ sudo resolvectl flush-caches
  $ sudo resolvectl reset-server-features
  
  Lookup 'toomany.ddstreet.org' and check systemd-resolved logs to see if
  it used TCP fallback or not:
  
  ...
  Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Reply truncated, retrying 
via TCP.
  ...
  Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Verified we get a 
response at feature level TCP from DNS server 10.202.51.1.
  Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Added positive 
unauthenticated cache entry for toomany.ddstreet.org IN A 1799s on 
eth0/INET/10.202.51.1
  
  A correct lookup using larger EDNS0 response size looks like:
  
  ...
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Using feature level 
UDP+EDNS0 for transaction 43808.
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Using DNS server 
10.202.51.1 for transaction 43808.
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Announcing packet size 
1472 in egress EDNS(0) packet.
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Emitting UDP, link MTU is 
1500, socket MTU is 0, minimal MTU is 40
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Sending query packet with 
id 43808 of size 49.
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Processing query...
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Received dns UDP packet of 
size 689, ifindex=131, ttl=0, fragsize=0
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Processing incoming packet 
of size 689 on transaction 43808 (rcode=SUCCESS).
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Added positive 
unauthenticated non-confidential cache entry for toomany.ddstreet.org IN A 
1175s on eth0/INET/10.202.51.1
  ...
  
  [regression potential]
  
  failure to correctly look up dns records, or other problems while
  performing dns lookups with systemd-resolved
  
  [scope]
  
- this is needed for all releases
+ this is needed in impish and earlier
  
- this still needs fixing upstream:
+ this is fixed in jammy at commit
+ 22545a74c3a24395bc6e894fe6a681deb66d434c
+ 
+ this is fixed upstream by commit
+ 526fce97afe130f71dba3bd4646196bbb1188b82 which in included in v250, so
+ this is fixed in kinetic and later
+ 
+ the upstream PR is:
  https://github.com/systemd/systemd/pull/20528
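Review bot: typo in the added scope paragraph, "which in included in v250" should read "which is included in v250"; the rest of the scope change reads consistently with the status table (fixed in jammy/kinetic, still needed for impish and earlier).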

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1940715

Title:
  systemd-resolved restricts edns0 advertised max size to 512

Status in systemd:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Bionic:
  In Progress
Status in systemd source package in Focal:
  In Progress
Status in systemd source package in Hirsute:
  Won't Fix
Status in systemd source package in Impish:
  Confirmed

Bug description:
  [impact]

  When talking to upstream nameservers, systemd-resolved limits its
  advertised max packet size as 512 in its edns0 opt. However, one of
  the primary benefits of edns0 is to allow using packet sizes larger
  than 512, which is the pre-edns0 max packet size.

  This results in systemd-resolved failing to handle responses larger
  than 512 with udp/edns0, and having to fall back to tcp. This is not
  optimal (since tcp dns imposes significantly higher overhead) and may
  even cause failures, if a firewall allows udp dns but blocks tcp dns
  traffic.

  [test case]

  Enable debug logging in systemd-resolved, with 'sudo systemctl edit
  systemd-resolved' and then add:

  [Service]
  Environment=SYSTEMD_LOG_LEVEL=debug

  Then save that file and restart systemd-resolved (or reboot).

  Make sure to flush the cache and reset server features before
  reproducing:

  $ sudo resolvectl flush-caches
  $ sudo resolvectl reset-server-features

  Look up 'toomany.ddstreet.org' and check systemd-resolved logs to see
  if it used TCP fallback or not:

  ...
  Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Reply truncated, retrying via TCP.
  ...
  Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Verified we get a response at feature level TCP from DNS server 10.202.51.1.
  Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Added positive unauthenticated cache entry for toomany.ddstreet.org IN A 1799s on eth0/INET/10.202.51.1

  A correct lookup using larger EDNS0 response size looks like:

  ...
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Using feature level UDP+EDNS0 for transaction 43808.
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Using DNS server 10.202.51.1 for transaction 43808.
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Announcing packet size 1472 in egress EDNS(0) packet.
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Sending query packet with id 43808 of size 49.
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Processing query...
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Received dns UDP packet of size 689, ifindex=131, ttl=0, fragsize=0
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Processing incoming packet of size 689 on transaction 43808 (rcode=SUCCESS).
  Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Added positive unauthenticated non-confidential cache entry for toomany.ddstreet.org IN A 1175s on eth0/INET/10.202.51.1
  ...

  [regression potential]

  Failure to correctly look up dns records, or other problems while
  performing dns lookups with systemd-resolved.

  [scope]

  This is needed in impish and earlier.

  This is fixed in jammy at commit
  22545a74c3a24395bc6e894fe6a681deb66d434c

  This is fixed upstream by commit
  526fce97afe130f71dba3bd4646196bbb1188b82 which is included in v250, so
  this is fixed in kinetic and later.

  The upstream PR is:
  https://github.com/systemd/systemd/pull/20528
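As an added example (not code from the bug report or from systemd), the Python below builds a query for the report's test name with a chosen EDNS0 advertised size, reads that size back out of a packet's OPT RR, and checks the TC bit a server sets when its answer did not fit. Advertising 1472 yields the 49-byte query seen in the log above; the truncated reply is constructed here to stand in for a server answering a 512-limited query, and the 4096 in its OPT RR is an assumed server value.

```python
import struct
OPT_TYPE = 41      # EDNS0 OPT pseudo-RR (RFC 6891); its CLASS field carries the UDP payload size
TC_FLAG = 0x0200   # truncation bit in the DNS header flags

def encode_question(qname, qtype=1, qclass=1):
    """Wire-format question: labels, terminator, QTYPE, QCLASS (A/IN by default)."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.strip(".").split("."))
    return labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def build_edns0_query(qname, payload_size, txid=0x1234):
    """Query whose OPT RR advertises payload_size as the largest UDP reply we accept."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)           # RD=1, QD=1, AR=1
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, payload_size, 0, 0)  # root name, no options
    return header + encode_question(qname) + opt

def _skip_name(pkt, off):
    """Advance past a possibly-compressed name and return the next offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + length

def opt_payload_size(pkt):
    """UDP payload size advertised in the packet's OPT RR, or None if it has none."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None

def is_truncated(pkt):
    """True when the server set TC: the reply did not fit the size we advertised."""
    return bool(struct.unpack_from("!H", pkt, 2)[0] & TC_FLAG)

# Constructed sample reply (not captured traffic): QR|TC|RD|RA, no answers, assumed server OPT 4096.
TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1)
                   + encode_question("toomany.ddstreet.org")
                   + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0))

def would_fall_back_to_tcp(query, reply):
    """The report's failure mode: 512 advertised and TC set, so resolved retries over TCP."""
    return opt_payload_size(query) == 512 and is_truncated(reply)
```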

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1940715/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp