

DNS Lib Underscore Bug Bites Everyone's Favorite Init Tool, Blanks Netflix (theregister.co.uk)

Reader OneHundredAndTen writes and shares a report: Systemd doing what it does best. From a report on The Register: A few Penguinistas spent a weekend working out why they can't get through to Netflix from their Linux machines, because when they tried, their DNS lookups failed. The issue emerged over the weekend, when Gentoo user Dennis Schridde submitted a bug report to the Systemd project. Essentially, he described a failure within systemd-resolve, a Systemd component that turns human-readable domain names into IP addresses for software, like web browsers, to connect to. The Systemd resolver couldn't look up Netflix's servers for Schridde's web browser, according to the report. In his detailed post, Schridde said he expected this to happen: ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net gets resolved to 37.77.187.142 or 2a00:86c0:5:5::142. When in reality, that wasn't happening, so Netflix couldn't be reached on his box. His speculation that libidn2, which adds internationalised domain names support to the resolver, was at fault turned out to be accurate. Rebuilding Systemd without that library cleared the problem.


  1. Not a bug by arth1 · · Score: 5, Insightful

    Underscores are not allowed in domain names. Some resolvers allow them for historical reasons, because they were common in Microsoft environments that defaulted to converting a space to an underscore when entering the hostname on initial configuration, back when Microsoft thought that everybody would be using Microsoft Network and not Internet.

    But they're not legal, and should NOT resolve. My DNS servers do not have the ancient msdos compatibility turned on, and reject them as they should.

    libidn (internationalized domain names, punycode) does not use them either, and if it rejects them, all the better.

    1. Re:Not a bug by aardvarkjoe · · Score: 4, Insightful

      But they're not legal, and should NOT resolve. My DNS servers do not have the ancient msdos compatibility turned on, and reject them as they should.

      Although apparently the behavior that it has is to strip out the offending characters and then try to resolve the result, which doesn't make a whole lot of sense either.

      From the bug, it looks like the problem is caused by linking with libidn2, and support for that was marked as "experimental" in systemd, so this really doesn't matter much. You shouldn't be enabling experimental features in software unless you're willing to deal with potential problems.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    2. Re:Not a bug by arth1 · · Score: 4, Insightful

      Don't expect the hostname to match functionality. One of the companies I have to download patches from every now and then has its ftp server named wwwonly.

      That said, and back to topic, underscores can be used in DNS, but not for hostnames, only for other services. Hostnames are restricted by rfc1123. So if it returned an SRV record or similar, it would be fine.
      But don't name a host with an underscore.

    3. Re:Not a bug by slack_justyb · · Score: 2, Informative

      Underscores are not allowed in domain names.

      That has not been the case and is not the case currently. RFC 2181 dictates differently and more specifically section 11 of said RFC.

    4. Re: Not a bug by Zero__Kelvin · · Score: 2

      It says no such thing. Learn to read.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    5. Re:Not a bug by someone1234 · · Score: 2

      The problem is, Poettering doesn't subscribe to Netflix. If he did, this problem wouldn't have happened :D

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    6. Re: Not a bug by fred911 · · Score: 2

      But once it's published, it's pretty much ratified. Here's the mess https://www.ietf.org/rfc/rfc31...

      --
      09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    7. Re: Not a bug by slack_justyb · · Score: 2

      I don't know who the AC person that decided to go full-on retard there is, but it's just a simple misunderstanding on my part. You are correct in that hostnames cannot have underscore. I'll leave this here for all the other parts of DNS that do allow underscore. That said, my confusion was taking sub-domain and mixing it with hostname. Honest mistake on my part.

    8. Re:Not a bug by influenza · · Score: 2

      rfc2782 is about SRV resource records. We're talking about A and AAAA resource records.

    9. Re:Not a bug by dgatwood · · Score: 5, Informative

      Disallowing underscores violates RFC2782.

      Nope. You misread it. That RFC says:

      An underscore (_) is prepended to the service identifier to avoid collisions with DNS labels that occur in nature.

      Which is to say that legal DNS labels may not include underscores. They are exclusively allowed for non-hostname types, such as service records, and they specifically chose that character for this use to ensure that it cannot conflict with any legal DNS name.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    10. Re:Not a bug by serviscope_minor · · Score: 3, Funny

      The problem is, Poettering doesn't subscribe to Netflix.

      I'll bet because he couldn't get the sound to work.

      --
      SJW n. One who posts facts.
    11. Re: Not a bug by DamnOregonian · · Score: 2

      That is in fact not the issue. The issue is that libidn2 has STD3 rules in effect by default, in the way that systemd is using it.
      STD3 rule applicability is contentious for this *very reason*
      You, the link you provided, and Internet Explorer all agree that you shouldn't use underscores for labels unless they're a specific kind of label. You all conform to the STD3 rules for "host names"
      The rest of the internet does not, and conforms to the RFC2181 reading which says, "labels are whatever the hell the client wants them to be, and the proper behavior for a server is to pass them along unmolested."

      swalker@swalker-samtop:~$ idn --usestd3asciirules ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net
      idn: idna_to_ascii_4z: Non-digit/letter/hyphen in input

      swalker@swalker-samtop:~$ idn -a ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net
      ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net

      This is a matter of IDNA/Punycode behavior and default changes between transitional/non-transitional specs and a million other very hotly debated items governing the internationalization of domain names.

      Those restrictions aside, any binary string whatever can be used as the label of any resource record. That is in fact the issue here, as the RFC it is sourced from again, in no uncertain terms, specifies the behavior of DNS labels. The client should determine what is valid. Netflix is the client in this instance. It's having libidn2's IDNA STD3 rule default imposed upon it, which is bad netizen behavior for whoever made that decision, again, clearly outlined in the above mentioned RFC.

      IDNA UseSTD3ASCIIRules flag (default off)

  2. Re:Blanks Netflix for a userbase edge case by Anonymous Coward · · Score: 4, Insightful

    I guess you expected the headline to explain everything to you in full detail and with absolute accuracy, that's a pity.

    But users with systemd are NOT an 'edge case' really. In fact it's becoming more like users WITHOUT systemd would be the edge cases, within *nix.

  3. So reading between the lines... by Balial · · Score: 5, Funny

    "A Gentoo user ... recompiled a component... everything is working OK now".

    How is this not working as designed?

  4. The problem is systemd breaking unexpectedly by Anonymous Coward · · Score: 5, Insightful

    The real problem here isn't that a handful of Linux users couldn't use Netflix.

    The real problem is that, yet again, systemd has been involved in critical functionality breaking in an unusual and unexpected way.

    It doesn't matter if it was an external library that systemd used that's responsible. Systemd is responsible for the problem because it uses this flawed library.

    There's no reason for systemd to be involved with resolving domain names. Linux got by just fine throughout the 1990s, the 2000s, and even a big part of the 2010s without systemd being involved. Yet now that systemd is involved, things are going to hell.

    Long time Linux users will be very aware of how problematic systemd so often is in the dumbest of ways.

    Maybe somebody who just started using Linux in the systemd era thinks it's acceptable for their system to sometimes not boot properly, or for the domain name resolution to break unexpectedly. But long time Linux users know it wasn't like that before systemd was forced on the Linux community, and they know that such breakage is just not acceptable.

    This is just the latest in a long chain of problems involving systemd. It has gotten to the point where Linux's reliability is below that of the BSDs, of macOS, and as much as I hate to say it, even modern versions of Windows!

    Systemd needs to go, at least from important distros like Debian and Ubuntu. If Fedora wants to screw around with systemd, then so be it. But the other distros should remove it immediately.

    1. Re:The problem is systemd breaking unexpectedly by AJWM · · Score: 3, Insightful

      Hear, hear!

      Why the hell does an init system need a built-in DNS resolver anyway?

      --
      -- Alastair
    2. Re:The problem is systemd breaking unexpectedly by Holi · · Score: 2, Informative

      Exactly how is this insightful? The parent is going on a rant about systemd when it was libidn2 that had the bug.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    3. Re:The problem is systemd breaking unexpectedly by squiggleslash · · Score: 4, Insightful

      No, the real problem is that a library, Libidn, that's used by resolver libraries including that apparently shipped with systemd has a bug in it. The library dates back to 2002, it's not even as if systemd was relying upon some bleeding edge library written specifically for it. And yes, it's best practice, when implementing something like international domains, to use a respected third party library rather than trying to roll your own, so they haven't made an error in relying upon it.

      This has nothing to do with systemd except for the fact the user happened to be using systemd at the time, and systemd happens to use this library. What next? A kernel bug gets blamed on systemd because systemd uses the kernel?

      The submitter is trolling.

      --
      You are not alone. This is not normal. None of this is normal.
    4. Re:The problem is systemd breaking unexpectedly by dgatwood · · Score: 4, Informative

      The real problem is that, yet again, systemd has been involved in critical functionality breaking in an unusual and unexpected way.

      No, the real problem is that Netflix violated RFC 1034 section 3.5 and RFC 1035 section 2.3.1, which both explicitly say that hostnames must still conform to the old ARPANET restrictions, which allow only letters, numbers, and hyphens. Underscores have never been legal in DNS hostnames, and in spite of the pain this spec-compliant behavior has caused for some users, the systemd behavior is correct, and Netflix needs to fix whatever broken software they have that incorrectly created an invalid hostname containing an underscore.

      The remarkable thing, frankly, is that any DNS resolver resolved that address, and more significantly, that the DNS servers actually responded to the request.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    5. Re:The problem is systemd breaking unexpectedly by fahrbot-bot · · Score: 4, Funny

      What next? A kernel bug gets blamed on systemd because systemd uses the kernel?

      Wait! Who uses who now? :-)

      Sorry, I'm from the future, where there is no kernel, only systemd.

      Fun facts, after subsuming the kernel, the last non-systemd user land utility remaining is Emacs. Lennart and his (remaining) crew started the battle to absorb Emacs in 2040, five years before his death, and it's still raging many years after that. There have been casualties on both sides. Lennart died in 2045 when the experimental "systemd-elisp" module controlling his cold, robotic heart turned out to contain sleeper code, rumored to have been committed to GitHub by a radical faction of the FSF. He was found dead at his keyboard late one evening by the hooker he had ordered from Amazon Premiere earlier that day. The police report says he had been watching Trump porn.

      --
      It must have been something you assimilated. . . .
    6. Re:The problem is systemd breaking unexpectedly by zdzichu · · Score: 4, Informative

      Actually, the bug is not in libidn, but in libidn2. Or rather was – it got fixed rather quickly – https://gitlab.com/libidn/libi...
      As for systemd, it uses libidn by default. libidn2 support is marked as experimental – reasonable decision as this bug shows.
      The submitted article is pure flamebait - this is not a bug in systemd suite, but in 3rd party library; to experience this (already fixed) bug, distribution would have to have enabled experimental option. No sane distro does that.

      Nb. The Register articles with even a passing mention of systemd are terribly misleading and often blatantly false.

      --
      :wq
    7. Re:The problem is systemd breaking unexpectedly by Anonymous Coward · · Score: 4, Informative

      Apparently you didn't read the RFCs, which do not say at all that "hostnames" "must" conform to anything. What they both say is that compatibility will be maximized if you use the host name syntax. RFC 2181 is also painfully clear that a DNS owner name may contain any octets at all. There is nothing remarkable about servers responding to such host names: they're supposed to.

      Indeed the "underscore name" convention is so important that it is how SRV records even work.

      _But_, and this is the key point, such names are not legal LDH names, which is what libidn2 is expecting. LDH names contain only letters, digits, and hyphens, and it's a foolish sysadmin who attempts to use some kinds of names (things that resolve directly to A or AAAA and probably CNAME or maybe DNAME and so on) that do not conform to LDH. This fact is what led IDNA to be invented: there's nothing preventing just looking up UTF-8 names in the DNS except that there's a lot of stuff that will probably break.

      And there remains the question of why in the heck systemd is involved in all of this. Systemd is the Windows registry of the Linux world.

    8. Re:The problem is systemd breaking unexpectedly by Anonymous Coward · · Score: 2, Insightful

      Great, now Poettering is going to take that as a death threat and write another livejournal about how mean the whole FOSS community is to him.

    9. Re: The problem is systemd breaking unexpectedly by Anonymous Coward · · Score: 4, Insightful

      ...which is an utterly retarded design.

      Unix is a bunch of components by different authors, most with competitors, that use well-defined protocols to communicate. Unix works because stuff that sucks gets replaced, and no one person's vision defines what happens.

      Systemd and Windows are defined by one small man's vision, not by protocols and competition. And when that man doesn't think usernames should have certain forms, well, fuck everyone else, right?

    10. Re: The problem is systemd breaking unexpectedly by Rakarra · · Score: 2

      His question was "why is systemd doing that instead of something else?"

    11. Re:The problem is systemd breaking unexpectedly by DamnOregonian · · Score: 3, Interesting

      It's not quite that clear cut.

      RFC 2181 11. Name syntax: The DNS itself places only one restriction on the particular labels that can be used to identify resource records. That one restriction relates to the length of the label and the full name. The length of any one label is limited to between 1 and 63 octets. A full domain name is limited to 255 octets (including the separators). The zero length full name is defined as representing the root of the DNS tree, and is typically written and displayed as ".". Those restrictions aside, any binary string whatever can be used as the label of any resource record. Similarly, any binary string can serve as the value of any record that includes a domain name as some or all of its value (SOA, NS, MX, PTR, CNAME, and any others that may be added). Implementations of the DNS protocols must not place any restrictions on the labels that can be used. In particular, DNS servers must not refuse to serve a zone because it contains labels that might not be acceptable to some DNS client programs. A DNS server may be configurable to issue warnings when loading, or even to refuse to load, a primary zone containing labels that might be considered questionable, however this should not happen by default.

      These days, it is up to the client to validate the labels being requested in its own context, but otherwise, anything goes.
      The "client" in this instance, has been forced to use a resolver that decides to validate for all clients that may be using it, which is entirely incorrect behavior.

  5. Re: Hey Poettering by Zero__Kelvin · · Score: 3, Informative

    The explanation is that input validation shows that Netflix is using illegal server names, and so this is really a Netflix issue, and is not a problem with systemd at all. In fact systems that access their illegally named servers are the ones with the bug.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  6. trash by crafoo · · Score: 2

    systemd = not-invented-here anti-UNIX botnet trash

  7. Re:Hey Poettering by Strider- · · Score: 3, Informative

    Any explanation for this piece of shit problem, asshole?

    Because he's technically correct, which is the best kind of correct... The DNS specification expressly prohibits the use of the underscore character in domain names. It's netflix that's at fault here, more than anything else.

    --
    ...si hoc legere nimium eruditionis habes...
  8. Re:Hey Poettering by thegarbz · · Score: 3, Insightful

    Any explanation for this piece of shit problem, asshole?

    Yes. libidn2 is not a default and is marked as experimental and not ready for use. Also libidn2 isn't maintained by Poettering.

    Now what would interest far more people is, do you have an explanation for being an unbearable cunt?

  9. Yes, it is a bug by mrsam · · Score: 5, Informative

    The systemd fan club's response is that underscores are not allowed in DNS, and that this is ultimately a libidn2 bug.

    Both of these excuses are claptrap.

    Underscores are not valid in hostnames. They are valid in DNS labels.

    It is not the DNS resolver's job to translate internationalized domain names. It is the application's job to do so. The DNS resolver's job is to resolve the request. Full stop. Ten year old versions of bind will happily process, and pass on, internationalized domain names. This is because internationalized domain names get transcoded into ASCII-compatible encoding and THAT's what's in DNS.

    The way that it should work is as follows: an application, such as a web browser, translates an international domain name into an ASCII-encoded hostname, and then looks it up in DNS. It would be the application's responsibility to use libidn2, or some other equivalent, to do the translation.

    A typical systemd fail.
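The thread is arguing about three different notions of a "valid" name: what the DNS protocol itself permits (the RFC 2181 section 11 text DamnOregonian quotes), what the RFC 952/1123 hostname syntax permits (dgatwood's point, and what the `idn --usestd3asciirules` run in comment 1.11 enforces), and whose job the IDNA conversion is (mrsam's point just above). The Python below is an added example written for this mirror; it is not code from the thread, from systemd, or from libidn2. It uses only the standard library, whose `idna` codec explicitly leaves UseSTD3ASCIIRules off; the function names and every sample input other than the name from the bug report are constructed here.

```python
"""Three different notions of "valid DNS name" that the thread argues about.

  rfc2181_ok : what the DNS protocol itself requires (RFC 2181 section 11):
               only length limits, any octet is allowed in a label.
  ldh_ok     : RFC 952 / RFC 1123 hostname syntax (letters, digits, hyphen),
               which is what IDNA's UseSTD3ASCIIRules flag enforces.
  to_ascii   : the IDNA ToASCII step an application does before handing a
               name to the resolver. Python's stdlib "idna" codec leaves
               UseSTD3ASCIIRules off, so ASCII labels pass through untouched.

Added example for this thread; not code from systemd, libidn2, or the posters.
"""
import re
from typing import Dict, List

# A label is LDH if it is 1-63 letters/digits/hyphens and neither starts nor
# ends with a hyphen (RFC 952, leading digit allowed by RFC 1123 section 2.1).
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_labels(name: str) -> List[str]:
    """Split a presentation-format name into labels, ignoring a trailing root dot."""
    if name.endswith(".") and name != ".":
        name = name[:-1]
    return name.split(".") if name else []


def rfc2181_ok(name: str) -> bool:
    """RFC 2181 section 11 limits only: every label 1..63 octets and the whole
    name at most 255 octets in wire form (a length octet per label plus the
    terminating root label). Which octets a label contains is not checked."""
    if name in ("", "."):
        return True  # the root itself
    labels = [lab.encode("utf-8") for lab in split_labels(name)]
    if not all(0 < len(lab) <= 63 for lab in labels):
        return False
    wire_len = sum(len(lab) + 1 for lab in labels) + 1
    return wire_len <= 255


def ldh_ok(name: str) -> bool:
    """RFC 1123 hostname syntax for every label. This is the check behind
    `idn --usestd3asciirules`, and it is what rejects an underscore."""
    labels = split_labels(name)
    return bool(labels) and all(_LDH_LABEL.match(lab) for lab in labels)


def offending_labels(name: str) -> List[str]:
    """Labels the protocol accepts but the hostname syntax does not."""
    return [lab for lab in split_labels(name) if not _LDH_LABEL.match(lab)]


def to_ascii(name: str) -> str:
    """Application-side IDNA ToASCII via the stdlib codec: non-ASCII labels
    become xn-- punycode (which is LDH by construction); ASCII labels,
    underscores included, are returned unchanged."""
    return name.encode("idna").decode("ascii")


def resolver_should_accept(name: str) -> bool:
    """What a general-purpose stub resolver has grounds to refuse: only names
    that break the protocol limits. Hostname policy is the application's call."""
    try:
        ace = to_ascii(name)
    except UnicodeError:
        return False  # empty or overlong label; the codec refuses it too
    return rfc2181_ok(ace)


def report(name: str) -> Dict[str, object]:
    """Summarise one name under each of the three notions."""
    ace = to_ascii(name)
    return {
        "name": name,
        "ascii_form": ace,
        "protocol_ok": rfc2181_ok(ace),
        "hostname_ldh_ok": ldh_ok(ace),
        "non_ldh_labels": offending_labels(ace),
    }


# The name from the bug report, plus constructed comparison cases.
NETFLIX = "ipv6_1-cxl0-c088.1.lhr004.ix.nflxvideo.net"
SAMPLES = (NETFLIX, "_sip._tcp.example.com", "bücher.example", "www.example.com")

if __name__ == "__main__":
    for sample in SAMPLES:
        print(report(sample))
```

Run as a script, the name from the bug report comes out protocol-valid but non-LDH with `ipv6_1-cxl0-c088` as the only offending label, the SRV-style `_sip._tcp` name behaves the same way, and `bücher.example` becomes `xn--bcher-kva.example`, which is LDH; that last case is why doing ToASCII in the application and leaving the resolver to pass octets through works. On a systemd host, `systemctl --version` prints the build's feature flags, including `+IDN2`/`-IDN2` and `+IDN`/`-IDN`, which shows which IDN library that build was linked against.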

  10. So let me get this straight by thegarbz · · Score: 5, Insightful

    A bug was noted in an optional library that wasn't default for any release of systemd.
    The following release of systemd downgraded support of the optional unused library libidn2 to experimental.
    A pull request was put in the bug tracker by the maintainer (not Poettering) to fix this in the future.
    Some dude compiles a piece of software with an experimental library and ... wait for it, this is the best part ... he notices a bug.

    It makes front page news and Slashdot users start frothing from their mouth in their stupor.

    And you wonder why complaints aren't taken seriously by developers. *golfclap*

  11. Re:Blanks Netflix for a userbase edge case by Highdude702 · · Score: 4, Funny

    People read headlines on Slashdot? I just look at comment numbers and pop in, I really think this crypto currency stuff is getting dangerous. We need more Net Neutrality, because it will fix the problem with congress leaving too many tweets for Kaspersky to hack the elections.. appy apps? O.o

  12. Train Wreck by slack_justyb · · Score: 3, Interesting

    It's abundantly clear that systemd-resolved has quickly become a train wreck. Its inclusion in Ubuntu 16.10 was widely lamented and many folks have pointed out huge concerns for several different assumptions that it makes for fallbacks and erroneous configurations. That's not including the several different bugs that have plagued systemd-resolved thus far. Granted many of them are fixed but with the breakage what have we bought? Something that's a pretty basic task now requiring patch after patch. Additionally, what has this solved? Now we can make DNS configuration a bit easier to integrate across the board?

    The bad rep that systemd, especially resolved, has obtained isn't just simply one where greybeards say "it's too different". It is one where time and time again, ignorant assumptions, bloated egos, and hasty code have led to a general distrust, especially when tools that have always worked are suddenly not working or, worse still, become methods for exploits. I still think systemd is a vast improvement over the "ye olde init scripts", but while the idea is commendable, its execution has been somewhat lackluster to put it mildly. There needs to be a serious "Come to Jesus" moment for the systemd team. You need to build trust if you're going to build something that's rewriting the books. This is just another example of how that trust is being chipped away. Complexity of the task at hand aside, either the team is up to delivering or they are not. This ostinato where breakage just keeps happening needs a serious all hands or something to restore trust in the team guiding this project. Poettering, you are doing no favors to yourself nor your team by these stories. Deliver us from the hell of bad init if that's what you seek, but don't plunge us deeper into a different hell of your making and say that it's alright because you're the one who built it.

    1. Re:Train Wreck by Hognoxious · · Score: 2

      RedHat are the second biggest contributor to Linux, behind Intel. That makes them first among software companies.

      Basically, they can shovel shit in quicker than everyone else can take it out.

      https://thenewstack.io/contrib...

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  13. Re:Hey Poettering by corychristison · · Score: 3, Insightful

    Underscores are not allowed in top-level domain names, for example you can't register example_domain.com.

    However, in sub-domains they are perfectly legal. For example: my_subdomain.example.com is perfectly valid.

  14. READ THE FUCKING COMMENT! It addresses that! by Anonymous Coward · · Score: 4, Informative

    it was libidn2 that had the bug.

    NO SHIT! Did you even bother to read the comment before replying to it, and before wrongly criticizing it?! OBVIOUSLY NOT! The comment you didn't read, yet still replied to, contained the following:

    It doesn't matter if it was an external library that systemd used that's responsible. Systemd is responsible for the problem because it uses this flawed library.

    By choosing to use this foreign library, the foreign library code effectively becomes part of systemd. If a user invokes systemd to perform some action, but systemd does the wrong thing because it uses a broken library, then it's both the library that's broken and it's systemd that's broken. Systemd can't be excused just because it uses a broken library. It's a problem with systemd as much as it is with the foreign library.

    1. Re:READ THE FUCKING COMMENT! It addresses that! by Eunuchswear · · Score: 2

      By choosing to use this foreign library, the foreign library code effectively becomes part of systemd.

      Absolutely. And when we find a bug in libc then it's obviously systemd's fault for using libc. What kind of clown relies on an external library for vital functions.

      --
      Watch this Heartland Institute video
  15. Not newsworthy by influenza · · Score: 2

    This is the issue on systemd's github. It actually notes that they are aware of this and downgraded support for libidn2 to experimental.

    This issue isn't newsworthy. As others have noted in the comments, underscores are not supposed to be in hostnames (they can be in other DNS RRs), and this is about a bug in an experimental feature in a release of systemd that is not in any stable distros. People running rolling distros using the latest versions of everything are going to experience bugs. That's not news.

    It's getting more and more difficult to respect the anti-systemd arguments when issues this trivial make headlines. Add to this that many of the arguments raised against systemd are disingenuous or plain ignorant.

    I have been using systemd-networkd and systemd-resolved on Debian 9 and so far I like it. It's easy and clear to configure, just like using systemd service units. The integration with systemd-nspawn is very handy. And it introduces new features such as domain name routing.

  16. Re:You are wrong. by Strider- · · Score: 2

    RFC 2782 talks about SRV records, which are a different beast than A or AAAA records. SRV records deliberately use the underscore character to emphasize that they should not be resolved by the normal DNS resolution libraries. As per the RFC:

    An underscore (_) is prepended to the service identifier to avoid collisions with DNS labels that occur in nature.

    RFC 2181 talks about other record types (MX, SOA, NS, PTR, CNAME, and so forth), and just says that the DNS server shouldn't prohibit those types of records.

    --
    ...si hoc legere nimium eruditionis habes...
  17. Re: Blanks Netflix for a userbase edge case by Brockmire · · Score: 2

    I read the headline and thought, "what fucking idiot wrote this nonsensical headline" ? And then started reading and continued to wonder how something written so poorly got posted to /. Then I remembered how shitty the editors are here.

  18. Re: When's sshd getting incorporated? by lordlod · · Score: 3, Insightful

    About a year ago I was joking that they would reimplement ntp any day now. Then I discovered systemd-timesyncd.