Ubuntu
systemd package

systemd-resolved restricts edns0 advertised max size to 512

  1. Bionic (18.04)
  2. Bug #1940715
Bug #1940715 reported by Dan Streetman
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
systemd
Fix Released
Unknown
systemd (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
New
Low
Unassigned
Focal
New
Low
Unassigned
Hirsute
Won't Fix
Low
Unassigned
Impish
Won't Fix
Undecided
Unassigned

Bug Description

[impact]

when talking to upstream nameservers, systemd-resolved limits its advertised max packet size as 512 in its edns0 opt. However, one of the primary benefits of edns0 is to allow using packet sizes larger than 512, which is the pre-edns0 max packet size.

this results in systemd-resolved failing to handle responses larger than 512 with udp/edns0, and having to fall back to tcp. This is not optimal (since tcp dns imposes significantly higher overhead) and may even cause failures, if a firewall allows udp dns but blocks tcp dns traffic.

[test case]

enable debug logging in systemd-resolved, with 'sudo systemctl edit systemd-resolved' and then add:

[Service]
Environment=SYSTEMD_LOG_LEVEL=debug

then save that file and restart systemd-resolved (or reboot).

Make sure to flush the cache and reset server features before reproducing:

$ sudo resolvectl flush-caches
$ sudo resolvectl reset-server-features

Lookup 'toomany.ddstreet.org' and check systemd-resolved logs to see if it used TCP fallback or not:

...
Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Reply truncated, retrying via TCP.
...
Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Verified we get a response at feature level TCP from DNS server 10.202.51.1.
Aug 24 12:17:48 lp1940715-f systemd-resolved[1199]: Added positive unauthenticated cache entry for toomany.ddstreet.org IN A 1799s on eth0/INET/10.202.51.1

A correct lookup using larger EDNS0 response size looks like:

...
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Using feature level UDP+EDNS0 for transaction 43808.
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Using DNS server 10.202.51.1 for transaction 43808.
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Announcing packet size 1472 in egress EDNS(0) packet.
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Sending query packet with id 43808 of size 49.
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Processing query...
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Received dns UDP packet of size 689, ifindex=131, ttl=0, fragsize=0
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Processing incoming packet of size 689 on transaction 43808 (rcode=SUCCESS).
Aug 24 12:28:13 lp1940715-f systemd-resolved[174]: Added positive unauthenticated non-confidential cache entry for toomany.ddstreet.org IN A 1175s on eth0/INET/10.202.51.1
...

[regression potential]

failure to correctly look up dns records, or other problems while performing dns lookups with systemd-resolved

[scope]

this is needed in impish and earlier

this is fixed in jammy at commit 22545a74c3a24395bc6e894fe6a681deb66d434c

this is fixed upstream by commit 526fce97afe130f71dba3bd4646196bbb1188b82 which in included in v250, so this is fixed in kinetic and later

the upstream PR is:
https://github.com/systemd/systemd/pull/20528

See original description
Dan Streetman (ddstreet)
Changed in systemd (Ubuntu Bionic):
status: New → In Progress
Changed in systemd (Ubuntu Focal):
status: New → In Progress
Changed in systemd (Ubuntu Hirsute):
status: New → In Progress
Changed in systemd (Ubuntu Bionic):
importance: Undecided → Low
Changed in systemd (Ubuntu Focal):
importance: Undecided → Low
Changed in systemd (Ubuntu Hirsute):
importance: Undecided → Low
Changed in systemd (Ubuntu Bionic):
assignee: nobody → Dan Streetman (ddstreet)
Changed in systemd (Ubuntu Focal):
assignee: nobody → Dan Streetman (ddstreet)
Changed in systemd (Ubuntu Hirsute):
assignee: nobody → Dan Streetman (ddstreet)
Dan Streetman (ddstreet)
description: updated
description: updated
Bug Watch Updater (bug-watch-updater)
Changed in systemd:
status: Unknown → New
Bug Watch Updater (bug-watch-updater)
Changed in systemd:
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in systemd (Ubuntu Impish):
status: New → Confirmed
Changed in systemd (Ubuntu):
status: New → Confirmed
Dan Streetman (ddstreet)
Changed in systemd (Ubuntu Hirsute):
status: In Progress → Won't Fix
Changed in systemd (Ubuntu):
status: Confirmed → Fix Released
Dan Streetman (ddstreet)
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote :

Ubuntu 21.10 (Impish Indri) has reached end of life, so this bug will not be fixed for that specific release.

Changed in systemd (Ubuntu Impish):
status: Confirmed → Won't Fix
Dan Streetman (ddstreet)
Changed in systemd (Ubuntu Hirsute):
assignee: Dan Streetman (ddstreet) → nobody
Changed in systemd (Ubuntu Focal):
assignee: Dan Streetman (ddstreet) → nobody
Changed in systemd (Ubuntu Bionic):
assignee: Dan Streetman (ddstreet) → nobody
Changed in systemd (Ubuntu Focal):
status: In Progress → New
Changed in systemd (Ubuntu Bionic):
status: In Progress → New
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.