Slashdot Mirror


DNS Lib Underscore Bug Bites Everyone's Favorite Init Tool, Blanks Netflix (theregister.co.uk)

Reader OneHundredAndTen writes and shares a report: Systemd doing what it does best. From a report on The Register: A few Penguinistas spent a weekend working out why they can't get through to Netflix from their Linux machines, because when they tried, their DNS lookups failed. The issue emerged over the weekend, when Gentoo user Dennis Schridde submitted a bug report to the Systemd project. Essentially, he described a failure within systemd-resolve, a Systemd component that turns human-readable domain names into IP addresses for software, like web browsers, to connect to. The Systemd resolver couldn't look up Netflix's servers for Schridde's web browser, according to the report. In his detailed post, Schridde said he expected this to happen: ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net gets resolved to 37.77.187.142 or 2a00:86c0:5:5::142. When in reality, that wasn't happening, so Netflix couldn't be reached on his box. His speculation that libidn2, which adds internationalised domain names support to the resolver, was at fault turned out to be accurate. Rebuilding Systemd without that library cleared the problem.

11 of 292 comments

  1. Re:Not a bug by Anonymous Coward · · Score: 0, Informative

    Bullshit.

    Disallowing underscores violates RFC2782.

  2. Re: Hey Poettering by Zero__Kelvin · · Score: 3, Informative

    The explanation is that input validation shows that Netflix is using illegal server names, and so this is really a Netflix issue, and is not a problem with systemd at all. In fact systems that access their illegally named servers are the ones with the bug.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  3. Re:Hey Poettering by Strider- · · Score: 3, Informative

    Any explanation for this piece of shit problem, asshole?

    Because he's technically correct, which is the best kind of correct... The DNS specification expressly prohibits the use of the underscore character in domain names. It's Netflix that's at fault here, more than anything else.

    --
    ...si hoc legere nimium eruditionis habes...
  4. Re:Not a bug by slack_justyb · · Score: 2, Informative

    Underscores are not allowed in domain names.

    That has not been the case and is not the case currently. RFC 2181 dictates differently and more specifically section 11 of said RFC.

  5. Yes, it is a bug by mrsam · · Score: 5, Informative

    The systemd fan club's response is that underscores are not allowed in DNS, and that this is ultimately a libidn2 bug.

    Both of these excuses are claptrap.

    Underscores are not valid in hostnames. They are valid in DNS labels.

    It is not the DNS resolver's job to translate internationalized domain names. It is the application's job to do so. The DNS resolver's job is to resolve the request. Full stop. Ten-year-old versions of bind will happily process, and pass on, internationalized domain names. This is because internationalized domain names get transcoded into ASCII-compatible encoding and THAT's what's in DNS.

    The way that it should work is as follows: an application, such as a web browser, translates an international domain name into an ASCII-encoded hostname, and then looks it up in DNS. It would be the application's responsibility to use libidn2, or some other equivalent, to do the translation.

    A typical systemd fail.

  6. Re:The problem is systemd breaking unexpectedly by Holi · · Score: 2, Informative

    Exactly how is this insightful? The parent is going on a rant about systemd when it was libidn2 that had the bug.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  7. Re:The problem is systemd breaking unexpectedly by dgatwood · · Score: 4, Informative

    The real problem is that, yet again, systemd has been involved in critical functionality breaking in an unusual and unexpected way.

    No, the real problem is that Netflix violated RFC 1034 section 3.5 and RFC 1035 section 2.3.1, which both explicitly say that hostnames must still conform to the old ARPANET restrictions, which allow only letters, numbers, and hyphens. Underscores have never been legal in DNS hostnames, and in spite of the pain this spec-compliant behavior has caused for some users, the systemd behavior is correct, and Netflix needs to fix whatever broken software they have that incorrectly created an invalid hostname containing an underscore.

    The remarkable thing, frankly, is that any DNS resolver resolved that address, and more significantly, that the DNS servers actually responded to the request.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  8. Re:Not a bug by dgatwood · · Score: 5, Informative

    Disallowing underscores violates RFC2782.

    Nope. You misread it. That RFC says:

    An underscore (_) is prepended to the service identifier to avoid collisions with DNS labels that occur in nature.

    Which is to say that legal DNS labels may not include underscores. They are exclusively allowed for non-hostname types, such as service records, and they specifically chose that character for this use to ensure that it cannot conflict with any legal DNS name.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  9. READ THE FUCKING COMMENT! It addresses that! by Anonymous Coward · · Score: 4, Informative

    it was libidn2 that had the bug.

    NO SHIT! Did you even bother to read the comment before replying to it, and before wrongly criticizing it?! OBVIOUSLY NOT! The comment you didn't read, yet still replied to, contained the following:

    It doesn't matter if it was an external library that systemd used that's responsible. Systemd is responsible for the problem because it uses this flawed library.

    By choosing to use this foreign library, the foreign library code effectively becomes part of systemd. If a user invokes systemd to perform some action, but systemd does the wrong thing because it uses a broken library, then it's both the library that's broken and it's systemd that's broken. Systemd can't be excused just because it uses a broken library. It's a problem with systemd as much as it is with the foreign library.

  10. Re:The problem is systemd breaking unexpectedly by zdzichu · · Score: 4, Informative

    Actually, the bug is not in libidn, but in libidn2. Or rather was – it got fixed rather quickly – https://gitlab.com/libidn/libi...
    As for systemd, it uses libidn by default. libidn2 support is marked as experimental – reasonable decision as this bug shows.
    The submitted article is pure flamebait - this is not a bug in the systemd suite, but in a 3rd-party library; to experience this (already fixed) bug, a distribution would have to have enabled an experimental option. No sane distro does that.

    Nb. The Register articles with even a passing mention of systemd are terribly misleading and often blatantly false.

    --
    :wq
  11. Re:The problem is systemd breaking unexpectedly by Anonymous Coward · · Score: 4, Informative

    Apparently you didn't read the RFCs, which do not say at all that "hostnames" "must" conform to anything. What they both say is that compatibility will be maximized if you use the host name syntax. RFC 2181 is also painfully clear that a DNS owner name may contain any octets at all. There is nothing remarkable about servers responding to such host names: they're supposed to.

    Indeed the "underscore name" convention is so important that it is how SRV records even work.

    _But_, and this is the key point, such names are not legal LDH names, which is what libidn2 is expecting. LDH names contain only letters, digits, and hyphens, and it's a foolish sysadmin who attempts to use some kinds of names (things that resolve directly to A or AAAA and probably CNAME or maybe DNAME and so on) that do not conform to LDH. This fact is what led IDNA to be invented: there's nothing preventing just looking up UTF-8 names in the DNS except that there's a lot of stuff that will probably break.

    And there remains the question of why in the heck systemd is involved in all of this. Systemd is the Windows registry of the Linux world.
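
Added example, not part of the thread and not systemd or libidn2 code: a sketch of the split that comments 5 and 11 describe, where the lookup path passes ASCII labels (underscores included) through unchanged, converts only non-ASCII labels, and keeps the letters-digits-hyphen host name rule as a separate check. The function names are hypothetical, and Python's built-in `idna` codec (IDNA 2003) is used as a stand-in for libidn2.

```python
import re

# Letters, digits, hyphen; 1-63 chars; no leading or trailing hyphen.
LDH = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def classify_label(label: str) -> str:
    """Classify one DNS label: 'ldh', 'ace', 'ascii-non-ldh', 'non-ascii' or 'invalid'."""
    if not label:
        return "invalid"            # empty label, e.g. "a..b"
    if not label.isascii():
        return "non-ascii"          # must be converted before it can be queried
    if len(label) > 63:
        return "invalid"            # DNS limit on a single label
    if LDH.fullmatch(label):
        return "ace" if label.lower().startswith("xn--") else "ldh"
    return "ascii-non-ldh"          # e.g. "_sip" or "ipv6_1-cxl0-c088"


def is_hostname(name: str) -> bool:
    """True only if every label obeys the letters-digits-hyphen host name rule."""
    labels = name[:-1].split(".") if name.endswith(".") else name.split(".")
    return all(classify_label(lab) in ("ldh", "ace") for lab in labels)


def to_query_name(name: str) -> str:
    """Build the name to send to DNS: convert non-ASCII labels, pass ASCII ones through."""
    if name.endswith("."):
        name = name[:-1]
    out = []
    for label in name.split("."):
        kind = classify_label(label)
        if kind == "invalid":
            raise ValueError(f"bad label in {name!r}")
        if kind == "non-ascii":
            # Assumption: stdlib IDNA 2003 codec standing in for libidn2.
            label = label.encode("idna").decode("ascii")
        out.append(label)
    query = ".".join(out)
    if len(query) > 253:
        raise ValueError("name too long")
    return query


if __name__ == "__main__":
    # First name is from the bug report; the other two are constructed samples.
    for n in ("ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net",
              "b\u00fccher.example", "_sip._tcp.example.com"):
        print(n, "->", to_query_name(n), "| hostname:", is_hostname(n))
```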