DNS Lib Underscore Bug Bites Everyone's Favorite Init Tool, Blanks Netflix

Reader OneHundredAndTen writes and shares a report: Systemd doing what it does best. From a report on The Register: A few Penguinistas spent a weekend working out why they can't get through to Netflix from their Linux machines, because when they tried, their DNS lookups failed. The issue emerged over the weekend, when Gentoo user Dennis Schridde submitted a bug report to the Systemd project. Essentially, he described a failure within systemd-resolve, a Systemd component that turns human-readable domain names into IP addresses for software, like web browsers, to connect to. The Systemd resolver couldn't look up Netflix's servers for Schridde's web browser, according to the report. In his detailed post, Schridde said he expected this to happen: ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net gets resolved to 37.77.187.142 or 2a00:86c0:5:5::142. When in reality, that wasn't happening, so Netflix couldn't be reached on his box. His speculation that libidn2, which adds internationalised domain names support to the resolver, was at fault turned out to be accurate. Rebuilding Systemd without that library cleared the problem.

Not a bug

[arth1]

Underscores are not allowed in domain names. Some resolvers allow them for historical reasons, because they were common in Microsoft environments that defaulted to converting a space to an underscore when entering the hostname on initial configuration, back when Microsoft thought that everybody would be using Microsoft Network and not Internet.

But they're not legal, and should NOT resolve. My DNS servers do not have the ancient msdos compatibility turned on, and reject them as they should.

libidn (internationalized domain names, punycode) do not use them either, and if it rejects them, all the better.

Re:Not a bug

[omnichad]

If we're on the subject of what's wrong with this hostname, I'll add that they put "ipv6" in the hostname itself and yet it can resolve to an ipv4 address.

Re:Not a bug

[aardvarkjoe]

But they're not legal, and should NOT resolve. My DNS servers do not have the ancient msdos compatibility turned on, and reject them as they should.

Although apparently the behavior that it has is to strip out the offending characters and then try to resolve the result, which doesn't make a whole lot of sense either.

From the bug, it looks like the problem is caused by linking with libidn2, and support for that was marked as "experimental" in systemd, so this really doesn't matter much. You shouldn't be enabling experimental features in software unless you're willing to deal with potential problems.

Re:Not a bug

[arth1]

Don't expect the hostname to match functionality. One of the companies I have to download patches from every now and then have their ftp server named wwwonly.

That said, and back to topic, underscores can be used in DNS, but not for hostnames, only for other services. Hostnames are restricted by rfc1123. So if it returned an SRV record or similar, it would be fine.
But don't name a host with an underscore.

Re:Not a bug

[OzPeter]

Underscores are not allowed in domain names.

But .. but .. but .. systemd!!!!!!

Re:Not a bug

[slack_justyb]

Underscores are not allowed in domain names.

That has not been the case and is not the case currently. RFC 2181 dictates differently and more specifically section 11 of said RFC.

Re: Not a bug

[Zero__Kelvin]

That is a Microsoft document. Anyone can write an RFC. They don't automatically become standards.

Re: Not a bug

[Zero__Kelvin]

It says no such thing. Learn to read.

Re:Not a bug

[CastrTroy]

[This discussion](https://stackoverflow.com/questions/2180465/can-domain-name-subdomains-have-an-underscore-in-it) on StackOverflow seems to disagree with that statement. I don't really understand the specifics of it and don't really have time to delve into them right now, but the basics are that while using an underscore is illegal in a host name, it is not illegal to use one in a domain name (I'm not sure of how the difference is discerned here). I'm not saying you're wrong, but it seems like there is conflicting opinions out there as to whether or not the underscore is a valid character for a domain name.

Re:Not a bug

[someone1234]

The problem is, Poettering doesn't subscribe to Netflix. If he did, this problem wouldn't have happened :D

Re:Not a bug

Actually, the "fact" that underscores are illegal in DNS names is a myth, although it does have a kernel of truth to it. The relevant standards for hostnames (as in, the hostname of a server machine in the general case outside of DNS, e.g. as returned by the Linux command 'hostname') disallows underscores. However, the DNS system *does* allow underscores for DNS labels (the fragments of domainnames) in general, and in fact they're explicitly used in certain standard cases (e.g. SRV records under names like '_http._tcp.example.org', or DKIM records under 'foo._domainkey.example.org'. Therefore, at the DNS level (any DNS server, client, resolver, cache, forwarder, etc), rejecting or filtering underscores is a bug. Because of the confusion about this issue it's probably better *practice* to avoid unnecessary underscores in the DNS, but they *should* work, and in fact do for most purposes.

Re: Not a bug

[fred911]

But once it's published, it's pretty much ratified. Here's the mess https://www.ietf.org/rfc/rfc31...

Re:Not a bug

[arth1]

Yes, they can be (and are) used for other lookup data, but It's fairly common practice to reject them for A and AAAA records, because those are by definition hostname lookups, and hostnames on the internet cannot contain underscores.

Re: Not a bug

[slack_justyb]

I don't know who the AC person was that decided to go full on retard there is, but it's just simple misunderstanding on my part. You are correct in that hostnames cannot have underscore. I'll leave this here for all the other parts of DNS that do allow underscore. That said, my confusion was taking sub-domain and mixing it with hostname. Honest mistake on my part.

Re:Not a bug

[influenza]

rfc2782 is about SRV resource records. We're talking about A and AAAA resource records.

Re:Not a bug

[influenza]

RFC2181 is talking about DNS resource records in general. There are further restrictions on A and AAAA records, discussed in RFC1123 and RFC952.

Re:Not a bug

[dgatwood]

Disallowing underscores violates RFC2782.

Nope. You misread it. That RFC says:

An underscore (_) is prepended to the service identifier to avoid collisions with DNS labels that occur in nature.

Which is to say that legal DNS labels may not include underscores. They are exclusively allowed for non-hostname types, such as service records, and they specifically chose that character for this use to ensure that it cannot conflict with any legal DNS name.

Re:Not a bug

[hord]

While I understand adhering to standards, I'm a bit puzzled why people are so ardently defending standards that were written in a time when big-endian was a thing, machines didn't understand "8-bit" on a network, and you still had to worry about EBCDIC. No one cares about any of that stuff any more so I'm baffled why you'd actually argue for reduced functionality rather than a more open namespace. I could use DNS names as an rDOS tactic, lol.

Re:Not a bug

[skids]

Underscores in DNS names are reserved for use in SRV and other such records, where they are mandatory, and they serve to prevent SRV records from getting confused with A and AAAA records, which are not supposed to have them. Humans are supposed to be able to tell the difference between a SRV and A/AAAA record by looking at them, without any extra markup.

Real things use SRV records. Just take a look at any pcap of any enterprise network and you'll see them flying every which way. Lots of service discovery protocols use them, which means a lot of gadgets use them as well.

Re: Not a bug

[Zero__Kelvin]

Fair enough. If I was curt, it is because Slashdot has been flooded with these anti-Linux trolls for a long time, and they always capitalize on the ignorance of others and add a healthy dose of their own ignorance into the mix. Before systemd it was any other number of other attack vectors. I am not saying systemd is perfect. It isn't supposed to be. It is evolving. But almost invariably criticism of it is based on ignorance, willful or otherwise.

Re:Not a bug

[DamnOregonian]

Wrong.
Any RR label may include an underscore, and it is a breach in etiquette and standards for any server to refuse to accept these. That behavior is left to the client, which may interpret that RR for whatever needs suit it.

RFC 2181 11. Name syntax: The DNS itself places only one restriction on the particular labels that can be used to identify resource records. That one restriction relates to the length of the label and the full name. The length of any one label is limited to between 1 and 63 octets. A full domain name is limited to 255 octets (including the separators). The zero length full name is defined as representing the root of the DNS tree, and is typically written and displayed as ".". Those restrictions aside, any binary string whatever can be used as the label of any resource record. Similarly, any binary string can serve as the value of any record that includes a domain name as some or all of its value (SOA, NS, MX, PTR, CNAME, and any others that may be added). Implementations of the DNS protocols must not place any restrictions on the labels that can be used. In particular, DNS servers must not refuse to serve a zone because it contains labels that might not be acceptable to some DNS client programs. A DNS server may be configurable to issue warnings when loading, or even to refuse to load, a primary zone containing labels that might be considered questionable, however this should not happen by default.

You're not wrong about it not being a valid hostname.
It is not invalid to use that label for any RR record. It is invalid to name a machine ipv6_1-cxl0-c088, which I'm fairly certain doesn't refer to a machine.
It is also not invalid for any client to refuse to accept that name. It is pretty ridiculous behavior for libidn2 to strip it out, though.

Re: Not a bug

[DamnOregonian]

RFC2181.

The DNS itself places only one restriction on the particular labels that can be used to identify resource records. That one restriction relates to the length of the label and the full name. The length of any one label is limited to between 1 and 63 octets. A full domain name is limited to 255 octets (including the separators). The zero length full name is defined as representing the root of the DNS tree, and is typically written and displayed as ".". Those restrictions aside, any binary string whatever can be used as the label of any resource record.

Re: Not a bug

[Zero__Kelvin]

Which isn't the issue here, so why are you emphasizing it? The issue is that the Netflix chosen host name violates the DNS standard by having underscores in it.

Re:Not a bug

[Zero__Kelvin]

"That systemd fails spectacularly on what is simply a data error speaks volumes for its code quality."

Calling it a "data error" is disingenuous. Call it what it is: a violation of the specification. That is like saying that if a C compiler allows de-referencing of a NULL pointer and the code works as "expected" by the person who violates the spec, then another C compiler is used that follows the spec and it doesn't work as desired anymore, then the error is with the new compiler. Seriously? Just get a clue.

Re:Not a bug

[Vihai]

Underscores are not valid in hostnames but are totally legitimate in DNS labels. SRV records come to mind.

Re:Not a bug

[hord]

Yeah... it's weird how having an A, AAAA, or SRV would signify the different record type. Someone no one ever gets confused by this except software authors of DNS.

Re:Not a bug

[Barefoot+Monkey]

No it doesn't. That section of RFC 2181 says that a DNS server isn't allowed to refuse to serve a zone because a DNS label in the zone isn't a valid hostname. It does not say that any valid DNS label is a valid hostname, and it does not say that a DNS client must resolve an invalid hostname. If fact, RFC 2181 doesn't define what is or is not a valid hostname at all - for that you should consult RFC 952 (with a small amendment in RFC 1123).

Basically, you are allowed to use whatever you want as a DNS label but if it contains anything other than letters, numbers and ASCII minus signs then it is not a hostname and you can't expect it to resolve as one (in fact, underscores are sometimes recommended as a means of preventing non-host labels from clashing with hostnames precisely because they are not valid hostnames). Netflix is the only one at fault in this particular instance because it was trying to name a host ipv6_1-cxl0-c088, which up until now has been working only by accident.

Re:Not a bug

[Barefoot+Monkey]

Urgh, sorry - I just expanded an abbreviated reply to Zero__Kelvin and see that it's you showing that you already know all that. Sorry for lecturing you on something you already understand.

Re:Not a bug

[serviscope_minor]

The problem is, Poettering doesn't subscribe to Netflix.

I'll bet because he couldn't get the sound to work.

Re:Not a bug

[arth1]

Underscores are not valid in hostnames but are totally legitimate in DNS labels. SRV records come to mind.

Absolutely, but this was about A/AAAA records.

Getting a DNS response to an A record query for a hostname with an underscore is as wrong as getting a DNS response to a PTR record for 21.43.65.987.in-addr.arpa

Re: Not a bug

[DamnOregonian]

That is in fact not the issue. The issue is that libidn2 has STD3 rules in effect by default, in the way that systemd is using it.
STD3 rule applicability is contentious for this *very reason*
You, the link you provided, and Internet Explorer all agree that you shouldn't use underscores for labels unless they're a specific kind of label. You all conform to the STD3 rules for "host names"
The rest of the internet does not, and conforms to the RFC2181 reading which says, "labels are whatever the hell the client wants them to be, and the proper behavior for a server is to pass them along unmolested."

swalker@swalker-samtop:~$ idn --usestd3asciirules ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net
idn: idna_to_ascii_4z: Non-digit/letter/hyphen in input

swalker@swalker-samtop:~$ idn -a ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net
ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net

This is a matter of IDNA/Punycode behavior and default changes between transitional/non-transitional specs and a million other very hotly debated items governing the internationalization of domain names.

Those restrictions aside, any binary string whatever can be used as the label of any resource record. Is in fact the issue here, as the RFC it is sourced from again, in no uncertain terms, specifies the behavior of DNS labels. The client should determine what is valid. Netflix is the client in this instance. It's having libidn2's IDNA STD3 rule default imposed upon it, which is bad netizen behavior for whoever made that decision, again, clearly outlined in the above mentioned RFC.

IDNA UseSTD3ASCIIRules flag (default off)

Re:Not a bug

[DamnOregonian]

It says a bit more than that.
It says, essentially, that any name label is valid for any RR, and it is up to the client to determine whether or not it considers it valid for resolution.
In this instance, Netflix is the client. It considers that name valid for its service, and is well within its rights to do so. In the instance that they published that as a URL for you to put into your browser, they would be stepping into bad-netizen territory.

The real issue here has nothing to do with resolvers. All resolvers will handle this just fine. This has to do with a flag enabled by default in the way that systemd-resolve uses libidn2, that flag, which is typically disabled when using libidn (even by default using its command line utils) is the enforcement of STD3 rules in IDNA-To-ASCII conversion.
Other than that- the systemd resolve does exactly as it should... attempts to resolve the name, even with the underscore. The problem is the STD3 rules application to the name by libidn2 gives back a mangled name.

Re:Not a bug

[DamnOregonian]

I get it now- you're shilling for systemd...
You realize that systemd's resolve doesn't give 2 squats of piss whether or not there is an underscore in one of the names when it encodes it into a DNS query?
Do you know why it doesn't? Because it *shouldn't*
This issue is with the internationalization IDNA/Punycode-to-ASCII non-transitional flags in use that are mangling the hostname before systemd's DNS resolver forwards the request.

Re:Not a bug

[DamnOregonian]

but It's fairly common practice to reject them for A and AAAA records

This is a blatant lie. That is why Netflix works.

Re: Not a bug

[Zero__Kelvin]

A DNS label is not a hostname. Underscores can be used for labels, and are, specifically because they are prohibited for use in hostnames. Good luck learning about the Internet!

Re: Not a bug

[DamnOregonian]

I'm a network engineer by trade for a large regional ISP in the Seattle area with more than 11,000 customers.
Good luck, indeed.
A DNS label is just that, a DNS label. Just as the netflix client asked for. Resolution of a DNS label. libidn2 mangled that when it handed it off to the resolver due to some well known issues in libidn2 that did not exist in libidn.

You are so far out of your league it isn't even funny. You literally have no idea what you're talking about.

Re: Not a bug

[Zero__Kelvin]

You are an incompetent idiot. The Netflix domain names are illegal. Period. End of discussion. You should probably resign.

Re: Not a bug

[DamnOregonian]

You are making the same mistake that the toolshed above you is making.
The application determining validity in this instance is email/SMTP. It is allowed to impose *any* restrictions it likes, including STD3 compliance of hostnames.

No other client software is obligated to follow those rules.
Underscores are legal for *ANY* use for *ANY* RR type. This is unambiguously stated. You don't have to consider those as valid names within your application when you determine whether or not you want to resolve them, but every layer past you, all the way to the server, should (and will) consider them valid.

Re: Not a bug

[DamnOregonian]

LOL.

I think I'll just keep being a lot more relevant than you, because I understand the concepts at play, and you simply do not.

Simply stated, "The Netflix domain names" do not have to be considered a valid label by any piece of client software. But any client may consider them valid if they so wish. Any server in the middle should transport them unmolested. This is why their scheme works- everywhere. Because the people who implement the internet, myself included, are a lot fucking smarter than you.

Re: Not a bug

[Zero__Kelvin]

Underscores are not valid in domain names, including in DNS records, and if you don't believe me you can ask Paul Vixie. Here is your sign .

Re: Not a bug

[Zero__Kelvin]

Either that or you didn't read the linked article :^)

Re: Not a bug

[DamnOregonian]

RFC2181 is authoritative for the Domain Name System, and exists precisely because fucking imbeciles such as yourself are too dim-witted to differentiate between the database that is DNS, and the conceptualization of host names and domain names and what is proper for them.
RFC2181 says clients need not care for what your rules about host names are. They don't fucking matter. Clients are able to request any kind of RR with any label. Period. You are *denied* the right to impose your validation of the use of Netflix's DNS names upon Netflix's client. You can call them invalid in whatever Visual Basic shit you wrote last week, but any implementation of the Domain Name System must honor Netflix's request for those name labels, as they are perfectly valid within the Domain Name System. You lose. Go back to the help desk, dude. Quit name dropping, and quit citing shit that doesn't even support your argument. You're embarrassing yourself.

Re: Not a bug

[Zero__Kelvin]

You should have read the link dumbfuck. You would know how stupid you sound right now. It may have escaped you, but my SlashID is much lower than yours. I was writing software in 6502 assembly before there was a DNS. Your belief that you are more knowledgeable than me is laughable, and you are a loser. The fact that you think netflix is the client is fucking hilarious. Netflix is the server; The client (s) are the web browsers requesting domain name resolution. Go read the link now so you will know what you are talking about in the future and stop being incompetent.

Re: Not a bug

[Zero__Kelvin]

In case you really want to get a clue someday. You are welcome.

Re: Not a bug

[Zero__Kelvin]

There is a validator here you can use. Go ahead and try http://are_underscores_allowed... and get your answer from HTML5 itself. I accept your apology.

Re: Not a bug

[DamnOregonian]

That is a URI validator (i don't remember any of us looking to validate URIs?!), and if you click that link, you'll note that you get a (correct) NX_DOMAIN from the DNS server you are attached to. It's not rejected due to any validation (at least on my non-shit IE browser, or system running a broken systemd resolver linked with the experimental IDN2 library). You're too fucking stupid to see how stupid you are. It's painful to watch.

Here's a fun one for you to try-
Do you control an authoritative nameserver? I do.
A recursor? me too.
Let's go ahead and see just how invalid that domain is-

The check-names statement will cause any host name for the zone to be checked for compliance with RFC 952 and RFC 1123 and take the defined action. Care should be taken when using this statement because many modern RRs, for example, SRV use names which do not meet these standards (they contain underscore) but which are permitted by RFC 2181 which greatly liberalized the rules for names (see labels and names). The default is not to perform host name checks. check-names may also appear in a view or options clause where it has a different syntax.

Oh good- it's off by default. Makes sense. Even if it weren't, the BIND authors (including your vaunted Mr. Vixie) saw fit to recognize that there are instances where obviously you don't want restrictive rules on RRs, since, as they noted, RFC2181 removes said restrictions on DNS names/labels across the board.


Moving on...
Test rig in place.

[root@dns1 named]# dig @localhost a is_zk_a_dropout.are_underscores_allowed.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost a is_zk_a_dropout.are_underscores_allowed.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22950
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;is_zk_a_dropout.are_underscores_allowed.com. IN A

;; ANSWER SECTION:
is_zk_a_dropout.are_underscores_allowed.com. 10800 IN A 0.0.0.1

;; AUTHORITY SECTION:
are_underscores_allowed.com. 10800 IN NS dns1.are_underscores_allowed.com.
are_underscores_allowed.com. 10800 IN NS dns2.are_underscores_allowed.com.

;; ADDITIONAL SECTION:
dns1.are_underscores_allowed.com. 10800 IN A 127.0.0.1
dns2.are_underscores_allowed.com. 10800 IN A 127.0.0.1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jul 30 02:05:45 PDT 2017
;; MSG SIZE rcvd: 158

I'm going to have to accept 0.0.0.1 as a boolean yes. You are indeed a dropout.
Double checking, though...

[root@dns1 named]# host is_zk_a_dropout.are_underscores_allowed.com
is_zk_a_dropout.are_underscores_allowed.com has address 0.0.0.1

Moving on...

[root@dns1 named]# curl http://is_zk_talking_out_of_his_ass.are_underscores_allowed.com/zks_lunch.txt
Yup.

Any more questions? Other than how I got slashdot not to think that was a valid URL?

Dude- we get it. Underscores are illegal in hostnames. Many client softwares enforce this behavior, and they're free to. Nobody ever denied this. However, what a "host name" is isn't really clearly defined, or even really super relevant in today's world where things are anycast, RRs can literally hold arbitrary data, etc.
Any step between the client and the server is *barred* by RFC from applying validation to a hostname that the client or server does not want.
Do I need to post a screenshot of my browser resolving that as well, or will you just shut. the. fuck. up?

Re: Not a bug

[Zero__Kelvin]

I didn't waste my time reading your ridiculous bullshit. The URL (NOT URI) is invalid, Netflix is broken, and you are too fucking stupid to use computers. Plonk.

Re: Not a bug

[DamnOregonian]

https://nvd.nist.gov/vuln/deta...
https://www.androidcentral.com...
http://www.howardforums.com/sh...

Ever written software to live-patch a kernel? Written kernel modules with intelligence allowing them to be inserted into kernels you don't have the source or ABI for? Ever gotten a CVE for a vulnerability you discovered in an operating system used by millions of people?
Did you break what was probably one of the first cellular phone bootloader RSA signature protection schemes?

No, ZK. You have done nothing. You're a shill for pet ideas. You run around commenting about shit you know nothing about, adding zero value to anything.
You talk shit to your betters with zero understanding of how fucking irrelevant you are. There's a reason you're commonly moderated a troll. The only thing broken here is your capacity for critical thinking.

You think a lower uid gives you some kind of cred?
6502? Is that supposed to impress me? I had to write an emulator for the 6502 in school.
I had written my own DNS server before you had ever had a +5 moderated comment on Slashdot.
I was busy making my mark on the world instead of lurking on Slashdot. You're a fucking troll dude. Get a clue. Seek help. Try contributing to the world instead of arguing about shit you have no real understanding of.

Netflix is the server; The client (s) are the web browsers requesting domain name resolution.

You couldn't be more correct- and since the client (web browser/netflix) did actually make the request to the glibc nss mechanism, the glibc nss mechanism also allowed it, and forwarded it off to the systemd-resolve daemon, who also allowed it, tossed it through its punycode IDNA library, and then forwarded it to its system-configured resolver, everyone in that chain agreed it was perfectly valid. libidn2 simply had a bug where it removed the underscore. This bug is acknowledged.
You've defeated your own fucking argument so many times everyone here has lost count. You are not a very literate person. I suspect that could be corrected with a little effort on your part.

Re: Not a bug

[Zero__Kelvin]

We get it. You are an incompetent Douchebag who can't admit he is wrong. Off you go now little troll turd ...

When's sshd getting incorporated?

[Fencepost]

Does anyone know if they've settled on a timeline for pulling all SSH into systemd as well?

Re:When's sshd getting incorporated?

[aardvarkjoe]

I hear that Poettering has declared ssh a "broken concept", and so he's going to pull telnetd into systemd instead and permanently block port 22.

Re:When's sshd getting incorporated?

[zm]

Does anyone know if they've settled on a timeline for pulling all SSH into systemd as well?

I think right after they pull systemd into emacs.

Re:When's sshd getting incorporated?

[hord]

Emacs hasn't already pulled in systemd? I've always heard it was a great O/S with a pretty poor text editor.

Re:When's sshd getting incorporated?

[skids]

Yeah, you just "figure out" that colon is being used as a control character. Right.

Only crazy people think using vi as the "only editor installed everywhere" is a great idea. It is unintuitive, and a royal PITA to use. Really "J" from outside insert mode to get rid of a newline? That's beyond cretinous. I can only guess that it persists due to the more sadistic greybeards wanting to lord it over the n00bs when they find themselves on a system with no decent editors.

I purge all vi from all my personal systems just to find the broken programs that don't use $EDITOR/$VISUAL.

Re: When's sshd getting incorporated?

[lordlod]

About a year ago I was joking that they would reimplement ntp any day now. Then I discovered systemd-timesyncd.

Re:When's sshd getting incorporated?

[fisted]

Really "J" from normal mode to Join two lines? That's ... actually not very difficult to memorize.

FTFY

Re:When's sshd getting incorporated?

[gweihir]

While funny, this is about what I expect from these morons.

Re:When's sshd getting incorporated?

[skids]

Memorizing that isn't the problem with that one. Using it is. It's an anachronism in this day an age.

Re:When's sshd getting incorporated?

[fisted]

selecting your lines and pressing J.

Note that you don't need to select your lines beforehands. The line after the one the cursor is on will be joined to the line the cursor is on.

"skids" seems to have the typical "newer is better" sort of mindset, which might be appropriate for tangible products that wear out and all, but software... not so much. Newer is worse, until it's old and mature [at which point Linux fanboys like to throw it out the window because the next hip steaming pile of buggy garbage arrives].

Re:When's sshd getting incorporated?

[skids]

I would propose backspace at the beginning of the line while in insert mode.

Like every normal editor ever.

Re: When's sshd getting incorporated?

[Eunuchswear]

Wayland, not X. X has been deprecated.

(My phone runs systemd and wayland. The one before ran upstart and X).

Re:When's sshd getting incorporated?

[fisted]

I would propose backspace at the beginning of the line while in insert mode.

Well, if you prefer pressing two keys over one, have at it. It's not like vim can't do that, so what's your point?

Like every normal editor ever.

We wouldn't need different editors if every editor was the same (by "normal" i assume you mean notepad-style).
Some people just prefer powerful editors. Why is this a problem to you?

Re:When's sshd getting incorporated?

[fisted]

The advantage is you can join more than 2 lines

Right, good point. For some reason it never occured to me to try J in visual mode. Thanks!

Re:When's sshd getting incorporated?

[skids]

May work in vim. Doesn't work on the vi insanely installed as the only editor on some
embedded devices.

I rarely need to "join several lines" and when I do, usually I need to add a space or other
delimiter. Query-replace on newline works great and so do keyboard macros.

Re:When's sshd getting incorporated?

[skids]

It's not a problem if you prefer to subject yourself to vi. Have at it. The problem is its use
as a default editor. Personally I'm an emacs user, but I wouldn't advocate zile
as a default editor either. pico/nano should be used for this, with on-screen help turned on.

Re: When's sshd getting incorporated?

[Brockmire]

Ntp is shit to begin with. It needs a rewrite. Probably the most hassle Linux servers I ran in terms of crashing, needing to add special config, needing to undo required config when upgrade breaks, etc. Well, to be honest, not in the last year, but in the previous year+ before that.

Re: When's sshd getting incorporated?

[NicholFD]

It has a re-write: https://www.ntpsec.org/ NTPSec is sponsored by HP and several other large institutions (banks, governement, etc.)

Re:Blanks Netflix for a userbase edge case

I guess you expected the headline to explain everything to you in full detail and with absolute accuracy, that's a pity.

But users with systemd is NOT an 'edge case' really. In fact it's becoming more like users WITHOUT systemd would be the edge cases, within *nix.

i can see it now:

[nimbius]

Lennart: CLOSED. WONTFIX.
Slashdot: ..b-but its a bug!!
Lennart: well yes I see how you could think that but once you use OpenRC it becomes very apparent that this bug disappears and is resolved, so of course, its not a bug.

Re:i can see it now:

[thegarbz]

Actually opened and marked as as a known issue by developers themselves as news long before some idiot user compiled a non-default setup with an experimental library and was SHOCKED! SHOCKED! I tell you, that he found a bug.

So reading between the lines...

[Balial]

"A Gentoo users ... recompiled a component... everything is working OK now".

How is this not working as designed?

The problem is systemd breaking unexpectedly

The real problem here isn't that a handful of Linux users couldn't use Netflix.

The real problem is that, yet again, systemd has been involved in critical functionality breaking in an unusual and unexpected way.

It doesn't matter if it was an external library that systemd used that's responsible. Systemd is responsible for the problem because it uses this flawed library.

There's no reason for systemd to be involved with resolving domain names. Linux got by just fine throughout the 1990s, the 2000s, and even a big part of the 2010s without systemd being involved. Yet now that systemd is involved, things are going to hell.

Long time Linux users will be very aware of how problematic systemd so often is in the dumbest of ways.

Maybe somebody who just started using Linux in the systemd era thinks it's acceptable for their system to sometimes not boot properly, or for the domain name resolution to break unexpectedly. But long time Linux users know it wasn't like that before systemd was forced on the Linux community, and they know that such breakage is just not acceptable.

This is just the latest in a long chain of problems involving systemd. It has gotten to the point where Linux's reliability is below that of the BSDs, of macOS, and as much as I hate to say it, even modern versions of Windows!

Systemd needs to go, at least from important distros like Debian and Ubuntu. If Fedora wants to screw around with systemd, then so be it. But the other distros should remove it immediately.

Re:The problem is systemd breaking unexpectedly

[AJWM]

Hear, hear!

Why the hell does an init system need a built-in DNS resolver anyway?

Re:The problem is systemd breaking unexpectedly

[Holi]

Exactly how is this insightful? The parent is going on a rant about systemd when it was libidn2 that had the bug.

Re:The problem is systemd breaking unexpectedly

[squiggleslash]

No, the real problem is that a library, Libidn, that's used by resolver libraries including that apparently shipped with systemd has a bug in it. The library dates back to 2002, it's not even as if systemd was relying upon some bleeding edge library written specifically for it. And yes, it's best practices, when implementing something like international domains to use a respected third party library rather than trying to roll your own, so they haven't made an error in relying upon it.

This has nothing to do with systemd except for the fact the user happened to be using systemd at the time, and systemd happens to use this library. What next? A kernel bug gets blamed on systemd because systemd uses the kernel?

The submitter is trolling.

Re: The problem is systemd breaking unexpectedly

And why the hell is systemd f*cking involved in resolving hostnames in the first place goddammit ?!

Re:The problem is systemd breaking unexpectedly

[dgatwood]

The real problem is that, yet again, systemd has been involved in critical functionality breaking in an unusual and unexpected way.

No, the real problem is that Netflix violated RFC 1034 section 3.5 and RFC 1035 section 2.3.1, which both explicitly say that hostnames must still conform to the old ARPANET restrictions, which allow only letters, numbers, and hyphens. Underscores have never been legal in DNS hostnames, and in spite of the pain this spec-compliant behavior has caused for some users, the systemd behavior is correct, and Netflix needs to fix whatever broken software they have that incorrectly created an invalid hostname containing an underscore.

The remarkable thing, frankly, is that any DNS resolver resolved that address, and more significantly, that the DNS servers actually responded to the request.

Re:The problem is systemd breaking unexpectedly

[skids]

the systemd behavior is correct

Yes, it is. Well. to the extent that systemd being used by the system for DNS resolution is correct, as opposed to using a real DNS resolver. The extra junk in systemd should only be used to bootstrap containers and VMs and should be replaced during boot with real services. And really, systemd and/or its packagers should ship a version without that crap for people not doing VM/container stuff so it doesn't get in their way or pull in unwanted dependencies.

Re:The problem is systemd breaking unexpectedly

[fahrbot-bot]

What next? A kernel bug gets blamed on systemd because systemd uses the kernel?

Wait! Who uses who now? :-)

Sorry, I'm from the future, where there is no kernel, only systemd.

Fun facts, after subsuming the kernel, the last non-systemd user land utility remaining is Emacs. Lennart and his (remaining) crew started the battle to absorb Emacs in 2040, five years before his death, and it's still raging many years after that. There have been casualties on both sides. Lennart died in 2045 when the experimental "systemd-elisp" module controlling his cold, robotic heart turned out to contain sleeper code, rumored to have been committed to GitHub by a radical faction of the FSF. He was found dead at his keyboard late one evening by the hooker he had ordered from Amazon Premiere earlier that day. The police report says he had been watching Trump porn.

Re:The problem is systemd breaking unexpectedly

[zdzichu]

Actually, the bug is not in libidn, but in libidn2. Or rather was – it got fixed rather quickly – https://gitlab.com/libidn/libi...
As for systemd, it uses libidn by default. libidn2 support is marked as experimental – reasonable decision as this bug shows.
The submitted article is pure flamebait - this is not a bug in systemd suite, but in 3rd party library; to experience this (already fixed) bug, distribution would have to have enabled experimental option. No sane distro does that.

Nb. The Register articles with even a passing mentions of systemd are terribly misleading and often blatantly false.

Re:The problem is systemd breaking unexpectedly

>And yes, it's best practices, when implementing something like international domains to use a respected third party library rather than trying to roll your own, so they haven't made an error in relying upon it.

They have made an error in relying upon it. Please, let's not extend consensus-science-bullshit to computer science.

Re:The problem is systemd breaking unexpectedly

Apparently you didn't read the RFCs, which do not say at all that "hostnames" "must" conform to anything. What they both say is that compatibility will be maximized if you use the host name syntax. RFC 2181 is also painfully clear that a DNS owner name may contain any octets at all. There is nothing remarkable about servers responding to such host names: they're supposed to.

Indeed the "underscore name" convention is so important that it is how SRV records even work.

_But_, and this is the key point, such names are not legal LDH names, which is what libidn2 is expecting. LDH names contain only letters, digits, and hyphens, and it's a foolish sysadmin who attempts to use some kinds of names (things that resolve directly to A or AAAA and probably CNAME or maybe DNAME and so on) that do not conform to LDH. This fact is what led IDNA to be invented: there's nothing preventing just looking up UTF-8 names in the DNS except that there's a lot of stuff that will probably break.

And there remains the question of why in the heck systemd is involved in all of this. Systemd is the Windows registry of the Linux world.

Re:The problem is systemd breaking unexpectedly

Great, now Poettering is going to take that as a death threat and write another livejournal about how mean the whole FOSS community is to him.

Re: The problem is systemd breaking unexpectedly

...which is an utterly retarded design.

Unix is a bunch of components by different authors, most with competitors, that use well-defined protocols to communicate. Unix works because stuff that sucks gets replaced, and no one person's vision defines what happens.

Systemd and Windows are defined by one small man's vision, not by protocols and competition. And when that man doesn't think usernames should have certain forms, well, fuck everyone else, right?

Re: The problem is systemd breaking unexpectedly

[Rakarra]

His question was "why is systemd doing that instead of something else?"

Re:The problem is systemd breaking unexpectedly

[DamnOregonian]

It's not quite that clear cut.

RFC 2181 11. Name syntax: The DNS itself places only one restriction on the particular labels that can be used to identify resource records. That one restriction relates to the length of the label and the full name. The length of any one label is limited to between 1 and 63 octets. A full domain name is limited to 255 octets (including the separators). The zero length full name is defined as representing the root of the DNS tree, and is typically written and displayed as ".". Those restrictions aside, any binary string whatever can be used as the label of any resource record. Similarly, any binary string can serve as the value of any record that includes a domain name as some or all of its value (SOA, NS, MX, PTR, CNAME, and any others that may be added). Implementations of the DNS protocols must not place any restrictions on the labels that can be used. In particular, DNS servers must not refuse to serve a zone because it contains labels that might not be acceptable to some DNS client programs. A DNS server may be configurable to issue warnings when loading, or even to refuse to load, a primary zone containing labels that might be considered questionable, however this should not happen by default.

These days, it is up to the client to validate the labels being requested in its own context, but otherwise, anything goes.
The "client" in this instance, has been forced to use a resolver that decides to validate for all clients that may be using it, which is entirely incorrect behavior.

Re:The problem is systemd breaking unexpectedly

[ncc74656]

Exactly how is this insightful? The parent is going on a rant about systemd when it was libidn2 that had the bug.

If systemd hadn't taken it upon itself to handle DNS resolution instead of sticking to its ostensibly primary job (initd), it would never have had reason to pull in libidn2 and fall to one of its bugs.

The Unix Way. systemd fails it.

Re: The problem is systemd breaking unexpectedly

Yeah, as anyone knows before systemd arised we were unable to resolve hostnames, thank you for proving you don't know shit about what you're talking about.

Re:The problem is systemd breaking unexpectedly

[Just+Some+Guy]

And yes, it's best practices

...to write unit and integration tests to catch these kinds of things. If you add libfoo to implement foo functionality, you want to test that it actually results in a working foo.

Re:The problem is systemd breaking unexpectedly

libidn2 would not be on the user's system in the first place; had it not been for systemd. Which is why; when it breaks; systemd is the cause.
This "everything, and the kitchen sink" nature of systemd is the cause. So yes; people are going to rightly point to systemd as the cause when it, and all it's necessary dependencies cause issues.

Re:The problem is systemd breaking unexpectedly

[dwywit]

Thanks for that. It generated a seg fault and dumped garbage all over the screen.

Re:The problem is systemd breaking unexpectedly

[gweihir]

Indeed. This low level or reliability is _not_ acceptable on Linux. And look, it is the same cretins that have broken other things before. Why is this stuff in distros labeled as "stable" again?

Re:The problem is systemd breaking unexpectedly

[gweihir]

You do not get it. Seriously. What counts for reliability is how the tool performs that delivers the service. What it uses for that is under control of the developers. If they select a bad library and fail to include appropriate redundancies in a system-critical tool, then the fault is on their heads.

Re:The problem is systemd breaking unexpectedly

[Lady+Galadriel]

In my opinion, (not that it maters to most), is that SystemD needs to slow down and fix all known existing problems. Make it rock stable.

Then, go back and figure out what SystemD missed for security and reliability. And fix those issues.

Last, plan, (yes, I know, profanity is not supposed to be used here), what features should be added to SystemD next.

In general, Linux, (I use Gentoo on ZFS root without SystemD), should be, and is quite stable and usable as is. No need to change anything, except perhaps fix security issues.

Re:The problem is systemd breaking unexpectedly

[thegarbz]

It doesn't matter if it was an external library that systemd used that's responsible. Systemd is responsible for the problem because it uses this flawed library.

Except it didn't. Systemd uses libidn. You need to specifically compile systemd with 2 separate flags in order to force it to use a library that is marked as experimental.

The real problem is users are stupid and other users justify their actions in an echo-chamber because systemd! *froth from mouth*.

Re:The problem is systemd breaking unexpectedly

[thegarbz]

No, the real problem is that a library, Libidn, that's used by resolver libraries including that apparently shipped with systemd

The real real problem is even less severe than that. The bug is in libidn2 not in libidn. Libidn which is what systemd ships with doesn't have the issue. You need to specifically force systemd to use an experimental library that it is not shipped with by default to trigger the bug.

Re: The problem is systemd breaking unexpectedly

[Barsteward]

systemd isn't resolving names, one of its optional extras is doing the resolving i.e systemd-resolved. You should have learnt the difference between systemd and systemd-the-project by now.

Re:The problem is systemd breaking unexpectedly

[Barsteward]

PID1 systemd does not handle DNS, the very optional systemd-resolved does that.

Re:The problem is systemd breaking unexpectedly

[Eunuchswear]

Well, what the fuck, you're right.

The register turn out to be a lying bunch of weasels yet again.

# apt-cache rdepends libidn2-0
libidn2-0
Reverse Depends:
    libpsl5
    libcurl3
    libidn2-0-dev
    libidn2-0-dbg
    idn2
    html-xml-utils
    libcurl3-nss
    libcurl3-gnutls

# apt-cache rdepends libidn11
libidn11
Reverse Depends:
    systemd
    libidn11-dev
    libgnutls30
    gnutls-bin
    whois
    wget
    libvlccore8
    libui-utilcpp9v5
    tgif
    systemd
    python3-slixmpp-lib
    skipfish
    libshishi0
    s-nail
    psi-plus-webkit
    psi-plus
    prosody
    libpurple0
    php-http
    perdition
    mutt
    monotone
    mcabber
    lynx
    libloudmouth1-0
    libpodofo0.9.4
    libpodofo-utils
    libnet-libidn-perl
    certmonger
    idn
    lftp
    kopete
    knot-host
    knot-dnsutils
    kadu
    jabberd2
    jabber-muc
    iputils-tracepath
    iputils-ping
    iputils-arping
    hydra
    libhesiod0
    libghc-network-protocol-xmpp-dev
    libghc-gnuidn-dev
    libgsasl7
    libgnutls30
    gnutls-bin
    gnunet
    libgloox15
    libgs9
    libgetdns1
    getdns-utils
    foxeye
    elinks
    libeiskaltdcpp2.2
    echoping
    dnsmasq-base
    sqwebmail
    courier-mta
    courier-mlm
    courier-imap

Re:The problem is systemd breaking unexpectedly

[Eunuchswear]

libidn2 would not be on the user's system in the first place; had it not been for systemd.

Wrong. libidn2 might be on the users system if they'd installed curl. systemd will only use libidn2 if the user had recompiled systemd with experimental libidn2 support.

Re:The problem is systemd breaking unexpectedly

[Eunuchswear]

What, you mean the stupid default of not using libidn2?

Re: The problem is systemd breaking unexpectedly

[Eunuchswear]

Because those idiots at Netflix have a hostname that starts "ipv6_".

Re:The problem is systemd breaking unexpectedly

[Eunuchswear]

Reading comprehension fail.

1. systemd uses the non-experimental library libidn, which doesn't have the bug, in production code.

2. if you recompile systemd with the experimental option on it uses the experimental library libidn2.

Re:The problem is systemd breaking unexpectedly

[Eunuchswear]

So if I compile your program with a broken library instead of the working one you tested it with and your program does the wrong thing then it's your fault?

Re:The problem is systemd breaking unexpectedly

[ncc74656]

PID1 systemd does not handle DNS, the very optional systemd-resolved does that.

Why is there any component of systemd, optional or not, that has anything to do with DNS? It was pitched as a replacement for init, but it has since metastasized and taken over a bunch of other tasks far beyond its original purpose.

"Do one thing and do it well." systemd fails it.

Re: Hey Poettering

[Zero__Kelvin]

The explanation is that input validation shows that Netflix is using illegal server names, and so this is really a Netflix issue, and is not a problem with systemd at all. In fact systems that access their illegally named servers are the ones with the bug.

trash

[crafoo]

systemd = not-invented-here anti-UNIX botnet trash

Re:Hey Poettering

[Strider-]

Any explanation for this piece of shit problem, asshole?

Because he's technically correct, which is the best kind of correct... The DNS specification expressly prohibits the use of the underscore character in domain names. It's netflix that's at fault here, more than anything else.

Re:Blanks Netflix for a userbase edge case

[DickBreath]

This is not a comment to malign the horros of systemd. Rather, I would like to point out that a significant subset of /. readers DO expect the headline to explain everything so that reading the article becomes unnecessary.

Just sayin'. But you know it's true.

One has to wonder what other subtle bugs are in systemd. Purely unintentionally, of course. No TLAs would want an opportunity to widely disseminate new bugs into vast numbers of systems.

Re:Blanks Netflix for a userbase edge case

[Nkwe]

But users with systemd is NOT an 'edge case' really. In fact it's becoming more like users WITHOUT systemd would be the edge cases, within *nix.

I believe the edge case is Netflix viewers running systemd, not just users with systemd. Sure many people view Netflix via Linux, but I doubt it is a significant portion of all Netflix viewers, thus an edge case. Offended by being referred to as an edge case? Perhaps "edge case" is a bit too much troll as the parent post is getting modded, "relatively minor case" may be more accurate.

Any yeah, systemd still sucks, but doesn't warrant sensationalized headlines.

Hey "Everyone's Favorite Init Tool" ?

[what+about]

I assume the poster wanted to be funny, right ?

Or is it one of those "black is white", "up is down" orwellian thing ?

Living in interesting times....

Re:Hey "Everyone's Favorite Init Tool" ?

[Rakarra]

I assume the poster wanted to be funny, right ?

Or is it one of those "black is white", "up is down" orwellian thing ?

Living in interesting times....

It was a dickweed editor trying to be snarky in a article title.

systemd networkmanager also does not do server stu

[Joe_Dragon]

systemd network manager also does not do server stuff to well like bonding / bridging / etc.

Re:Hey Poettering

[thegarbz]

Any explanation for this piece of shit problem, asshole?

Yes. libidn2 is not a default and is marked as experimental and not ready for use. Also libidn2 isn't maintained Poettering.

Now what would interest far more people is, do you have an explanation for being an unbearable cunt?

Yes, it is a bug

[mrsam]

The systemd fan club's response is that underscores are not allowed in DNS, and that this is ultimately a libidn2 bug.

Both of these excuses are claptrap.

Underscores are not valid in hostnames. They are valid in DNS labels.

It is not the DNS resolver's job to translate internationalized domain names. It is the application's job to do so. The DNS resolver's job is to resolve the request. Full stop. Ten year old versions of bind will happily process, and pass on, internationalized domain name. This is because internationalized domain names gets transcoded into ASCII-compatible encoding and THAT's what in DNS.

The way that it should work is as follows: an application, such as a web browser, translates an international domain name into ASCII-encoded hostname, and then looks it up in DNS. It would be the application's responsibility to use libidn2, or some other equivalent, to do the translation.

A typical systemd fail.

Re:Yes, it is a bug

[whoever57]

It's not just that underscores are valid. They are *required* for some uses of DNS. For example DKIM and DMARC records.

Re:Yes, it is a bug

[Strider-]

And the underscore was chosen to effectively put those records in a different namespace than A and AAAA records.

Re:Yes, it is a bug

[Bigon]

I don't understand, if it's not a bug in libidn2, why did they patch it to change the default behavior?

Re:Yes, it is a bug

[Zero__Kelvin]

Nope. A typical idiot fail (you). You can't read and understand the specs. They specifically say that the underscore can be used elsewhere, but not where precluded, for example ... as you point out ... in hostnames. If you read and understand the spec, you will get why you just ranted on and on to prove yourself wrong.

Re:Yes, it is a bug

[mrsam]

It is certainly a bug in libidn2.

But systemd itself using libidn2 to translate DNS lookups is an even bigger bug. It shows a complete lack of understanding of the fundamental function of a DNS resolver.

Re:Yes, it is a bug

[Bigon]

AFAICT, nscd (the glibc DNS cache) is also doing idn conversion right?

Re:Yes, it is a bug

[mrsam]

I am not familiar with nscd, but I doubt it. Something that's a part of glibc is unlikely to have a dependency on an external library.

Looking at Fedora's packaging, the nscd package does not have a required on libidn. Furthermore, like a DNS server itself, a DNS cache has no reason to interpret DNS records in any way. It's just a cache. It receives DNS queries, forwards it, and caches the response. I can't imaging any need to interpret internationalized domain names in any way. Would an HTTP cache need to understand internationalized domain names? Of course not. HTTP, the protocol, itself, has no concept of internationalization. URLs are just ... URLs. Just some opaque blob of characters. Is the same blob of characters already in a cache? Great. If not, make the request yourself, return it, cache the results.

Re:Yes, it is a bug

[Bigon]

The glibc does embed a copy of libidn in the source code and apparently link statically against it: https://sourceware.org/git/?p=... https://sourceware.org/git/?p=...

Re:Yes, it is a bug

[thegarbz]

I don't understand your response. You say it's a systemd fail but then you mention its a libidn2 bug, which is an experimental library not used by systemd.

I mean I get it. A poor user compiled systemd with the experimental libidn2 instead of libidn and was exposed to a bug in the non-systemd library, but because it has systemd in the title we need to defend this poor user against the anarchy that is systemd.

Or maybe experimental libraries are experimental and not shipped by default for a reason. But systemd bashing is fun so don't let facts get in the way.

So let me get this straight

[thegarbz]

A bug was noted in an optional library that wasn't default for any release of systemd.
The following release of systemd downgraded support of the optional unused library libidn2 to experimental.
A pull requested was put in the bug tracker by the maintainer (not Poettering) to fix this in the future.
Some dude compiles a piece of software with an experimental library and ... wait for it, this is the best part ... he notices a bug.

It makes front page news and Slashdot users start frothing from their mouth in their stupor.

And you wonder why complaints aren't taken seriously by developers. *golfclap*

Re:So let me get this straight

[aardvarkjoe]

You missed a step.

* thegarbz and the rest of the systemd fan club start pretending that just because this one bug isn't serious, the rest of the problems with systemd and its developers aren't real.

Re:So let me get this straight

[influenza]

A lot of the noise about systemd is FUD. Blaming systemd is quickly becoming a sign of a poor sysadmin. This DNS issue is a shoot-yourself-in-the-foot bug that you can avoid by not using experimental features. The last uproar about User= was a non-issue as well. If you make a custom service unit and you use the User= directive are you really not going to test that it runs as the correct user?

Re:So let me get this straight

[Zero__Kelvin]

You can look at almost every anti-systemd rant and see the same pattern. Guy who hates either Poettering or having to learn something new refuses to learn anything new, makes ridiculous claims on Slashdot declaring loudly that Linux is now the suxors!, and ends up looking like an idiot. When it is shown that they are wrong, they continue to insist they are right, and invariably bring up Poettering's name as proof that it must suck. It has too, because Poettering!!!!. All developing software products have bugs, and they get fixed when discovered, but this is different, because Poettering!!!!. Can't you see that Linux is the suxors now!!!. You people are a fucking joke.

Re:So let me get this straight

[thegarbz]

* thegarbz and the rest of the systemd fan club start pretending that just because this one bug isn't serious, the rest of the problems with systemd and its developers aren't real.

Oh no I saw that step. But we've filed it with the rest of the bullshit and hyperbole in its rightful place.

Re:So let me get this straight

[Eunuchswear]

thegarbz and the rest of the systemd fan club start pretending that just because this one bug isn't serious, the rest of the problems with systemd and its developers aren't real.

So, care to point out the real problems then?

Re:So let me get this straight

[aardvarkjoe]

Here's a good start for you, takes 5 seconds to google it:

http://without-systemd.org/wiki/index.php/Arguments_against_systemd

Although I'm pretty sure that you're just going to stick your fingers in your ears and pretend harder.

Re:So let me get this straight

[Eunuchswear]

Wow. A list of bugs that have been fixed. Shocking.

Re:So let me get this straight

[aardvarkjoe]

Although I'm pretty sure that you're just going to stick your fingers in your ears and pretend harder.

Called it!

Re:So let me get this straight

[thegarbz]

just another victim of systemd.

Exactly. Hyperbole.

Why in the FUCK

[sexconker]

Why in the FUCK is your init system messing with this type of shit?
What's next? Will you add an email client?

Re:Why in the FUCK

[Bigon]

The init systemd (PID1) is not messing with DNS resolved, and optional component of the systemd ecosystem is

Re: Why in the FUCK

[fisted]

b-but is it IOT-ready?

Re:Blanks Netflix for a userbase edge case

[Highdude702]

People read headlines on Slashdot? I just look at comment numbers and pop in, I really think this crypto currency stuff is getting dangerous. We need more Net Neutrality, because it will fix the problem with congress leaving too many tweets for Kaspersky to hack the elections.. appy apps? O.o

Re:You learn to read, fucktard

[Zero__Kelvin]

Read the rest of it idiot.

Train Wreck

[slack_justyb]

It's abundantly clear that systemd-resolved has quickly become a train wreck. It's inclusion in Ubuntu 16.10 was widely lamented and many folks have pointed out huge concerns for several different assumptions that it makes for fallbacks and erroneous configurations. That's not including the several different bugs that have plagued systemd-resolved thus far. Granted many of them are fixed but with the breakage what have we bought? Something that's a pretty basic task now requiring patch after patch. Additionally, what has this solved? Now we can make DNS configuration a bit easier to integrate across the board?

The bad rep that systemd especially resolved has obtained isn't just simply one where grey breads say "it's too different". It is one that time and time again, ignorant assumptions, bloated egos, and hasty code have led to a general distrust, especially when tools that have always worked are suddenly not working or worse still, become methods for exploits. I still think systemd is a vast improvement over the "ye olde init scripts", but while the idea is commendable, it's execution has been somewhat lack luster to put it mildly. There needs to be a serious "Come to Jesus" moment for the systemd team. You need to build trust if your going to build something that's rewriting the books. This is just another example of how that trust is being chipped away. Complexity of the task at hand aside, either the team is up to delivering or they are not. This ostinato where breakage just keeps happening needs a serious all hands or something to restore trust in the team guiding this project. Poettering, you are doing no favors to yourself nor your team by these stories. Deliver us from the hell of bad init if that's what you seek, but don't plunge us deeper into a different hell of your making and say that it's alright because you're the one who built it.

Re:Train Wreck

Honest question from someone who likes to spectate these discussions on Slashdot...

If systemd is so awful and a step backwards, why has it became the defacto standard in the Linux world? I understand Poettering works for Red Hat, so that explains Fedora, but if if systemd is as bad as the comments on Slashdot would suggest, why have all the other distributions (Debian, Suse, etc) adopted it? One would presume that these are intelligent people who make decisions for intelligent reasons. Is Arch the only distro left without systemd (and those guys who forked Debian)?

Re:Train Wreck

[Hognoxious]

RedHat are the second biggest contributor to Linux, behind Intel. That makes them first among software companies.

Basically, they can shovel shit in quicker than everyone else can take it out.

https://thenewstack.io/contrib...

Re:Train Wreck

[gweihir]

I think the systemd team just cannot hack it. They are too dysfunctional. Systemd needs to die before something that actually improves on the classic solutions will get a chance.

Re:Train Wreck

[thegarbz]

Yo, cool rant. Does it have anything to do with the case here where a user compiled systemd with a non-default experimental 3rd party library which caused the fault? Didn't think so.

+1 funny. Would laugh at your misdirected angry rant again.

Re:Train Wreck

[Eunuchswear]

So, you don't know much about the history of DNS software on unix, do you?

The standard resolver functions are unbelievably shitty, the first major DNS server made the error of conflating caching and authoritative name services and has been one of the longest ongoing security disasters on the net, giving almost any piece of Microsoft software a run for their money...

Re:Train Wreck

[gweihir]

Very much so, yes.

Re:Hey Poettering

[corychristison]

Underscores are not allowed in top level domains names, for example you can't register example_domain.com.

However, in sub-domains they are perfectly legal. For example: my_subdomain.example.com is perfectly valid.

OES/SLES had this issue too

[m0s3m8n]

We were bitten by this a few months ago when Microfocus (Novell)/SLES updated some dns libs. We had been using underscores since, well, forever and it worked file right up to change. It took a while to figure out what had happened. A few record/config changes later and all was well.

Re:Blanks Netflix for a userbase edge case

[HiThere]

Nor does it deserve the title Everyone's favorite init tool

Personally, I read that as sarcasm. I still presume it was intended that way.

systemd & network layer

[unixisc]

Does systemd recognize IPv6? Can that be the issue?

Re:Blanks Netflix for a userbase edge case

[fahrbot-bot]

I would like to point out that a significant subset of /. readers DO expect the headline to explain everything so that reading the article becomes unnecessary.

So the 140 character generation is becoming the (what?) 80 character generation?

In the words of a now (in)famous former, #Sad
[ And the irony of this quip is not lost on me. ]

READ THE FUCKING COMMENT! It addresses that!

it was libidn2 that had the bug.

NO SHIT! Did you even bother to read the comment before replying to it, and before wrongly criticizing it?! OBVIOUSLY NOT! The comment you didn't read, yet still replied to, contained the following:

It doesn't matter if it was an external library that systemd used that's responsible. Systemd is responsible for the problem because it uses this flawed library.

By choosing to use this foreign library, the foreign library code effectively becomes part of systemd. If a user invokes systemd to perform some action, but systemd does the wrong thing because it uses a broken library, then it's both the library that's broken and it's systemd that's broken. Systemd can't be excused just because it uses a broken library. It's a problem with systemd as much as it is with the foreign library.

Re:READ THE FUCKING COMMENT! It addresses that!

[Eunuchswear]

By choosing to use this foreign library, the foreign library code effectively becomes part of systemd.

Absolutely. And when we find a bug in libc then it's obviously systemd's fault for using libc. What kind of clown relies on an external library for vital functions.

Not newsworthy

[influenza]

This is the issue on systemd's github. It actually notes that they are aware of this and downgraded support for libidn2 to experimental.

This issue isn't newsworthy. As others have noted in the comments, underscores are not supposed to be in hostnames (they can be in other DNS RRs) and is about a bug in an experimental feature in a release of systemd that is not in any stable distros. People running rolling distros using the latest versions of everything are going to experience bugs. That's not news.

It's getting more and more difficult to respect the anti-systemd arguments when issues this trivial make headlines. Add to this that many of the arguments raised against systemd are disingenuous or plain ignorant.

I have been using systemd-networkd and systemd-resolved on Debian 9 and so far I like it. It's easy and clear to configure, just like using systemd service units. The integration with systemd-nspawn is very handy. And it introduces new features such as domain name routing.

Re:Blanks Netflix for a userbase edge case

There's nothing "sensationalized" about the headline, you simply misunderstood it and took its vagueness (a caveat to brevity) to the x-degree of extrapolation.

Sorry, that's your mistake as the reader.

If you can't parse headlines and get 100% of the information, try reading the article to ease your confusion in the future. It does often help. YMMV.

Re:systemd networkmanager also does not do server

[zdzichu]

This is completely false:
https://www.freedesktop.org/so...

Why do you lie?

Re:You are wrong.

[Strider-]

RFC 2782 talks about SRV records, which are a different beast than A or AAAA records. SRV records deliberately use the underscore character to emphasize that they should not be resolved by the normal DNS resolution libraries. As per the RFC:

An underscore (_) is prepended to the service identifier to avoid collisions with DNS labels that occur in nature.

RFC 2181 talks about other record types (MX, SOA, NS, PTR, CNAME, and so forth), and just says that the DNS server shouldn't prohibit those types of records.

One question...

[TheDarkener]

Do Linux users who use SysVinit encounter this issue?

Re:One question...

[influenza]

No they wouldn't, but neither would most systemd users, as this is part of the optional resolved that works with networkd which desktop users normally wouldn't use. It also only happens in an experimental feature in brand new systemd that is not included in any stable distro.

Re:You learn to read, fucktard

[Zero__Kelvin]

Here you go McFly:

" Note however, that the various applications that make use of DNS data can have restrictions imposed on what particular values are acceptable in their environment. For example, that any binary label can have an MX record does not imply that any binary name can be used as the host part of an e-mail address."

IOW, you cannot have underscores as part of the domain name, and this document doesn't change that fact. (Since, again, you clearly can't understand what you read and need someone to interpret it for you)

Re: Lennart Poettering responds.

[Zero__Kelvin]

No, my Android phone does fucktard; I wasn't in front of a PC at the time. At least you aren't stupid enough to try to contradict what I said. Good for you; I accept your apology.

Re:systemd networkmanager also does not do server

[GlennC]

systemd network manager also does not do server stuff...

[satire_mode = ON]

That's because apparently the systemd crew thinks Linux is only used in laptops and the occasional desktop, but never on a device with more than one network port.

[satire_mode = OFF]

Re: Hey Poettering

[Zero__Kelvin]

If this was a completely different situation, it wouldn't be the same. I couldn't agree with you more. You are a genius.

Re: Hey Poettering

[RavenLrD20k]

Sure...in software there's no one to say that you have to program an elegant way to fail when you have what seems like garbage data coming in...except for the fact that the "garbage" data is really what the endpoint is expecting and other, more user oriented systems, handle without any issue. Systemd is behaving like a damn government bureaucracy that is completely detatched from the way the world works.

Also...as has been brought up several times in this post but has yet to be answered: WHAT THE FUCK IS AN INIT SYSTEM DOING NAME RESOLUTION FOR? There is no sane reason that name resolution should be available at boot time, unless you're doing a network boot; but in that case it's the pxe boot on the network card that's handling it. The system itself has no need for name resolution until the network interface is brought up, which should be well after the init system has confirmed the system is stable and handed off control to the Kernel.

Re:systemd networkmanager also does not do server

[Zero__Kelvin]

Because if he told the truth he would have no ability to complain, of course :^)

Re:Why does an init system need a DNS resolver?

[Zero__Kelvin]

It doesn't, nor do you have to use it with systemd. It is an option.

Re: Hey Poettering

[Zero__Kelvin]

systemd was initially an init system (excuse the pun.) It now affords much more functionality, however this added functionality is optional. That being said, plenty of C and C++ compilers will compile broken source code and, as you call it, "fail elegantly". This does not mean a new compiler that properly adheres to the spec is wrong. It means that the other compilers were broken. This might surprise you, but specifications exist for a reason. You violate them at your own peril. When you do, expect something that happened to give the results you were hoping for now to "suddenly break" later, because the reality is your design was broken the whole time.

Re:Blanks Netflix for a userbase edge case

[Nkwe]

I did read the article, which is how I knew it wasn't about systemd taking down all of Netflix, rather a select group of users who couldn't get to Netflix because they were running a distribution that used systemd in conjunction with a dns resolver library that couldn't deal with underscores (either rightly or wrongly so.)

There are so many articles (here and in other places) that I don't have time to read them all and I have to rely on headlines to help make the cut. Call it "sensationalized" or just call it "click bait", in my opinion the headline was written to imply something bigger than the story was in order to get folks to read it. It was enough to get me to look and my post was my way of complaining. I get that sensational / click bait headlines are now common in other forums, it is sad that it is happening here with the frequency that it does. It is also sad that like other places the editors don't really do much editing.

Re: Blanks Netflix for a userbase edge case

[Brockmire]

I read the headline and thought, "what fucking idiot wrote this nonsensical headline" ? And then started reading and continued to wonder how something written so poorly got posted to /. Then I remembered how shitty the editors are here.

Comment removed

[account_deleted]

Comment removed based on user account deletion

I see what you did there

[TeknoHog]

The issue emerged over the weekend

Gentoomen will get the joke. BTW, systemd is not used by default in Gentoo.

This is why .COM does not accept underscore

[marka63]

Back in the 1990's I was asked if .COM and .NET should continue to accept underscore in domain registrations. This was after I added "check-names" to BIND to prevent address and MX records with non-LDH names being accidentally added to zones in contravention of RFC 952 and RFC 1123 (still the current host requirement specification). I pointed out that if underscore was permitted that people would be continually having to explain why address lookups for names like "a.label_with_underscore.com" would not work reliably. The requirements for registration were tightened to only allow LDH.

Enforcing LDH for host names allows us to use prefix labels with underscores without running the risk of colliding with valid host names. It allows software to pick out host names from free form textual contexts. When you mail client automatically creates a link that is what it is doing.

Netflix need to fix their provisioning system. Their use of underscore in a hostname is wrong.

Re:You learn to read, fucktard

[DamnOregonian]

That doesn't says that at all....
It in fact says, "you can have underscores as part of the domain name, but it's possible browsers may not bother to try to resolve it."
You are such a manipulative shit.

Re:You learn to read, fucktard

[Zero__Kelvin]

Nope. The spec specifically says underscores are a good choice elsewhere BECAUSE they are NOT allowed in A and AAAA records.

Re:You learn to read, fucktard

[Zero__Kelvin]

IETF RFC actually, et toi?

Re: Systemd is responsible for the libraries it us

[Brockmire]

Did you read his comment before you replied, motherfucker? He expressly stated why your logic is fucking stupid: "This has nothing to do with systemd except for the fact the user happened to be using systemd at the time, and systemd happens to use this library. What next? A kernel bug gets blamed on systemd because systemd uses the kernel?" And now, as the facts come in, it wasn't even close to systemd's fault as this was experimental and no way default. When you have to go out of your way to bitch like you do, you just weaken your argument as being a whiny little bitch.

Re:Blanks Netflix for a userbase edge case

[Trongy]

systemd-resolved is an optional component of systemd. I run a lot of systems with systemd as init and none of them run systemd-resolved (or systemd-timesyncd for that matter).

Re: Blanks Netflix for a userbase edge case

[corychristison]

64 characters ought to be enough for everyone!

Re:Blanks Netflix for a userbase edge case

[grcumb]

Nor does it deserve the title Everyone's favorite init tool

Personally, I read that as sarcasm. I still presume it was intended that way.

Agreed. It's like Microsoft's famous 'Where do you want to go today?'

I always read that as the first part of a conversation with your evil jailer: "Where do you want to go today? 'Cos this trains going to Hell, with stops in Dis and the Lake of Fire. If you upgrade to First Class, we'll take the pitchfork out of your ass.... and put it somewhere else."

Then Microsoft dropped the slogan. And I kicked ketamine.

Re:Blanks Netflix for a userbase edge case

[Barsteward]

why don't you check to make sure? accuracy is everything.

Re:Systemd is responsible for the libraries it use

[Barsteward]

Your logic only gets used when systemd is involved, any other software that fails because of an external source will not get the same crap, they will defend the software involved and say "xxx is not at fault, its an external xxxx fault".

Re:Blanks Netflix for a userbase edge case

[Eunuchswear]

I believe the edge case is Netflix viewers running systemd,

No, it's Neflix viewers who use systemd-resolved. I use Debian Stretch with systemd and, despite Neflix using illegal hostnames including underscores, it works ok.

Re:Blanks Netflix for a userbase edge case

[Eunuchswear]

Nope, the library with the "bug", libidn2, is a GNU project, not part of systemd.

systemd-resolved which uses it is an optional part of systemd. (By default Debian doesn't use it for example).

And it's debatable whether it's a bug or not -- DNS hostnames are not supposed to include underscores.

trash

[crafoo]

network manager is not-invented-here anti-UNIX botnet trash

ifconfig is stable, works, does everything needed. it did not need a replacement. Expanding it with new functionality if needed should have been the proper path. Not re-writing it with a billion dependencies into a 45% functional pile of trash.

Re:NOTABUG, WONTFIX, RESOLVED

[Eunuchswear]

Which is all true.

NOTABUG -- underscores are illegal
WONTFIX -- the problem was in the experimental libidn2, not in systemd code
RESOLVED -- libidn2 has been fixed.

HTH. HAND.

Re:Hey Poettering

[Eunuchswear]

What kind of record is that? SRV or TXT -- OK. A or AAAA -- nope, try again.

Re: Lennart Poettering responds.

[Eunuchswear]

Nah, your phone doesn't run systemd. It runs the joke android init system.

My phone does run systemd.

Re: Lennart Poettering responds.

[Zero__Kelvin]

You haven't seen my custom ROM repo :^)

Re:Systemd is responsible for the libraries it use

[squiggleslash]

By choosing to use this broken library, the broken library code effectively becomes part of systemd.

But here's a question: Did you even bother to read the comment before replying to it, and before wrongly criticizing it?! OBVIOUSLY NOT! The comment you didn't read, yet still replied to, contained the following:

And yes, it's best practices, when implementing something like international domains to use a respected third party library rather than trying to roll your own, so they haven't made an error in relying upon it.

So, before you go on, perhaps you can tell us why the systemd maintainers were wrong to adopt best practices in this case? Because I could have SWORN, sworn up and down, that the major criticism of systemd by its haters is that the authors insist on rewriting everything.

They haven't in this case. They've done exactly what the haters told them to do. And you're still going to criticize them?

How about just filing a bug ticket with the libidn team, and then shutting the fuck up?

Re: Hey Poettering

[Brockmire]

How is that different? This is the undesirable behaviour you just listed.

Re: This article is a mess

[Brockmire]

Because the editors here couldn't hack it at a high school newspaper. There's no respect for us and they have no integrity, they are click bait assholes.

Re:Blanks Netflix for a userbase edge case

[arglebargle_xiv]

Also, the problem is in libidn2, not systemd. I like to bash systemd as much as the next person, but it's libidn2 that has the problem.

Re:Systemd doing what it does best -- following RF

[Eunuchswear]

Hehehe -- criticism of Netflix for not following RFC's is now seen as trolling on slashdot.