** Description changed: [impact] when talking to upstream nameservers, systemd-resolved limits its advertised max packet size as 512 in its edns0 opt. However, one of the primary benefits of edns0 is to allow using packet sizes larger than 512, which is the pre-edns0 max packet size. this results in systemd-resolved failing to handle responses larger than 512 with udp/edns0, and having to fall back to tcp. This is not optimal (since tcp dns imposes significantly higher overhead) and may even cause failures, if a firewall allows udp dns but blocks tcp dns traffic. [test case] - TBD + enable debug logging in systemd-resolved, with 'sudo systemctl edit + systemd-resolved' and then add: + + [Service] + Environment=SYSTEMD_LOG_LEVEL=debug + + then save that file and restart systemd-resolved (or reboot). + + Make sure to flush the cache and reset server features before + reproducing: + + $ sudo resolvectl flush-caches + $ sudo resolvectl reset-server-features + + Lookup 'toomany.ddstreet.org' and check systemd-resolved logs to see if + it used TCP fallback or not: + + ... + Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Reply truncated, retrying via TCP. + ... + Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Verified we get a response at feature level TCP from DNS server 10.202.51.1. + Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Added positive unauthenticated cache entry for toomany.ddstreet.org IN A 1799s on eth0/INET/10.202.51.1 + + A correct lookup using larger EDNS0 response size looks like: + + ... + Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Using feature level UDP+EDNS0 for transaction 43808. + Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Using DNS server 10.202.51.1 for transaction 43808. + Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Announcing packet size 1472 in egress EDNS(0) packet. + Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40 + Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Sending query packet with id 43808 of size 49. + Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Processing query... + Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Received dns UDP packet of size 689, ifindex=131, ttl=0, fragsize=0 + Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Processing incoming packet of size 689 on transaction 43808 (rcode=SUCCESS). + Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Added positive unauthenticated non-confidential cache entry for toomany.ddstreet.org IN A 1175s on eth0/INET/10.202.51.1 + ... [regression potential] failure to correctly look up dns records, or other problems while performing dns lookups with systemd-resolved [scope] this is needed for all releases this still needs fixing upstream
** Description changed: [impact] when talking to upstream nameservers, systemd-resolved limits its advertised max packet size as 512 in its edns0 opt. However, one of the primary benefits of edns0 is to allow using packet sizes larger than 512, which is the pre-edns0 max packet size. this results in systemd-resolved failing to handle responses larger than 512 with udp/edns0, and having to fall back to tcp. This is not optimal (since tcp dns imposes significantly higher overhead) and may even cause failures, if a firewall allows udp dns but blocks tcp dns traffic. [test case] enable debug logging in systemd-resolved, with 'sudo systemctl edit systemd-resolved' and then add: [Service] Environment=SYSTEMD_LOG_LEVEL=debug then save that file and restart systemd-resolved (or reboot). Make sure to flush the cache and reset server features before reproducing: $ sudo resolvectl flush-caches $ sudo resolvectl reset-server-features Lookup 'toomany.ddstreet.org' and check systemd-resolved logs to see if it used TCP fallback or not: ... Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Reply truncated, retrying via TCP. ... Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Verified we get a response at feature level TCP from DNS server 10.202.51.1. Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Added positive unauthenticated cache entry for toomany.ddstreet.org IN A 1799s on eth0/INET/10.202.51.1 A correct lookup using larger EDNS0 response size looks like: ... Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Using feature level UDP+EDNS0 for transaction 43808. Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Using DNS server 10.202.51.1 for transaction 43808. Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Announcing packet size 1472 in egress EDNS(0) packet. Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40 Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Sending query packet with id 43808 of size 49. Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Processing query... Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Received dns UDP packet of size 689, ifindex=131, ttl=0, fragsize=0 Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Processing incoming packet of size 689 on transaction 43808 (rcode=SUCCESS). Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Added positive unauthenticated non-confidential cache entry for toomany.ddstreet.org IN A 1175s on eth0/INET/10.202.51.1 ... [regression potential] failure to correctly look up dns records, or other problems while performing dns lookups with systemd-resolved [scope] this is needed for all releases - this still needs fixing upstream + this still needs fixing upstream: + https://github.com/systemd/systemd/pull/20528 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940715 Title: systemd-resolved restricts edns0 advertised max size to 512 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1940715/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
