resolved does not answer with NXDOMAIN to local queries when mDNS is disabled #21659

Description

@nl6720

systemd version the issue has been seen with

systemd 249 (249.7-2-arch)

Used distribution

Arch Linux

Linux kernel version used (uname -a)

Linux tortoise 5.15.6-arch2-1 #1 SMP PREEMPT Thu, 02 Dec 2021 15:47:09 +0000 x86_64 GNU/Linux

CPU architecture issue was seen on

x86_64

Expected behaviour you didn't see

With MulticastDNS=no in /etc/systemd/resolved.conf, drill local SOA should have returned NXDOMAIN.

Unexpected behaviour you saw

With MulticastDNS=no in /etc/systemd/resolved.conf, drill local SOA returned something other than NXDOMAIN.
I got either SERVFAIL, or if the .network file had UseDomains=yes in [DHCPv4] and [IPv6AcceptRA] sections, then I got NOERROR.

This causes a compatibility issue with nss-mdns since, by default, it checks if the "unicast DNS server responds to SOA queries".

According to https://datatracker.ietf.org/doc/html/rfc6762#section-22.1

Caching DNS servers SHOULD recognize these names as special and SHOULD NOT attempt to look up NS records for them, or otherwise query authoritative DNS servers in an attempt to resolve these names. Instead, caching DNS servers SHOULD generate immediate NXDOMAIN responses for all such queries they may receive (from misbehaving name resolver libraries).

There's also a similar issue for LLMNR: #19964.

Steps to reproduce the problem

  1. Set MulticastDNS=no in /etc/systemd/resolved.conf.
  2. Run drill local SOA.

Additional program output to the terminal or log subsystem illustrating the issue

$ drill local SOA
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 44696
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; local.       IN      SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.53
;; WHEN: Tue Dec  7 13:11:17 2021
;; MSG SIZE  rcvd: 23
$ host -t SOA local
Host local not found: 2(SERVFAIL)

If the connection has any search domains (lan and home in my case):

$ drill local SOA
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 23812
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;; local.       IN      SOA

;; ANSWER SECTION:
local.  10800   IN      SOA     local. nobody.invalid. 1 3600 1200 604800 10800

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:
explanation.invalid.    10800   IN      TXT     "Blocking is mandated by standards, see references on https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml"

;; Query time: 2 msec
;; SERVER: 127.0.0.53
;; WHEN: Tue Dec  7 13:22:18 2021
;; MSG SIZE  rcvd: 239
$ host -t SOA local
local has SOA record local. nobody.invalid. 1 3600 1200 604800 10800
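As an added illustration (not code from the issue, from nss-mdns or from systemd), a small Python checker that encodes the probe nss-mdns performs and the RFC 6762 section 22.1 expectation the report quotes: it builds a `local. IN SOA` query, reads the RCODE of the reply, and states whether the resolver behaves as the RFC expects. The embedded 23-byte SERVFAIL reply is constructed from the header fields shown in the output above; `probe_resolver` is a hypothetical helper that sends the query to the stub resolver at 127.0.0.53.

```python
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
QTYPE_SOA = 6

def build_query(name, qtype, txid):
    """Build a minimal recursion-desired DNS query for NAME/QTYPE, class IN."""
    labels = [l for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1 only
    return header + qname + struct.pack("!HH", qtype, 1)

def rcode_name(packet):
    """Return the textual RCODE from the low 4 bits of the DNS flags field."""
    flags = struct.unpack("!H", packet[2:4])[0]
    code = flags & 0x0F
    return RCODE_NAMES.get(code, "RCODE%d" % code)

def local_soa_verdict(response):
    """Apply the RFC 6762 section 22.1 expectation to a reply for 'local. SOA'.
    Only NXDOMAIN tells nss-mdns that unicast DNS does not serve .local."""
    rcode = rcode_name(response)
    if rcode == "NXDOMAIN":
        return "ok: resolver treats .local as special"
    return "mismatch: got %s, nss-mdns may defer .local to unicast DNS" % rcode

# Constructed 23-byte reply mirroring the SERVFAIL output in the report:
# id 44696, flags qr aa rd ra, rcode 2, one question 'local. IN SOA'.
SERVFAIL_REPLY = (struct.pack("!HHHHHH", 44696, 0x8582, 1, 0, 0, 0)
                  + b"\x05local\x00" + struct.pack("!HH", QTYPE_SOA, 1))

def probe_resolver(server="127.0.0.53", port=53, timeout=2.0):
    """Hypothetical helper: send the query over UDP and return the verdict."""
    query = build_query("local.", QTYPE_SOA, 0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        reply, _ = s.recvfrom(512)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return local_soa_verdict(reply)

if __name__ == "__main__":
    # Offline demonstration on the constructed reply; use probe_resolver() live.
    print(local_soa_verdict(SERVFAIL_REPLY))
```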

Metadata

Labels: bug (Programming errors, that need preferential fixing), resolve