[Dnsmasq-discuss] wrong response code for no SRV record
Rahul Amaram
2010-04-29 11:31:51 UTC
Hi,
I think I have found a bug in dnsmasq though I am not sure if this is
the anticipated way it works. In /etc/dnsmasq.conf, it is mentioned:

# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com

which means when a query for this record is made it is supposed to send
a NXDOMAIN reply but this does not happen.

I am attaching a patch which makes it behave this way. Kindly review it
and let me know if I have misinterpreted something.

Looking forward to an early reply.

Regards,
Rahul.
Simon Kelley
2010-04-30 13:05:13 UTC
Post by Rahul Amaram
Hi,
I think I have found a bug in dnsmasq though I am not sure if this is
# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com
which means when a query for this record is made it is supposed to send
a NXDOMAIN reply but this does not happen.
I am attaching a patch which makes it behave this way. Kindly review it
and let me know if I have misinterpreted something.
Looking forward to an early reply.
I think you have mis-interpreted the way this works. NXDOMAIN means that
there is no data in the DNS for the given domain. That is not what's
happening here. The example line returns a valid SRV record for
_ldap._tcp.example.com which happens to be empty. The "domain" refers to
_ldap._tcp.example.com and not the domain which may be returned as part
of the reply.


Have you encountered real-world problems with the existing behaviour?


Cheers,

Simon.
Rahul Amaram
2010-05-01 09:29:25 UTC
Well yes. I have encountered some problems with this. I am using
Kerberos in my company LAN. While performing kinit on my system, the SRV
record for _kerberos-master.udp.EXAMPLE.COM is looked up. Now if an
NXDOMAIN is not returned but instead the default port 1 with empty host
is returned, the kinit command tries to further resolve that empty host
(which I think is replaced with <ROOT> somehow) and this causes an
extreme slowdown of kinit.

I think there should be some configuration option to say that an
NXDOMAIN should be returned for a particular SRV record. This would be
really helpful. What are your thoughts about this?
Rahul Amaram
2010-05-02 09:48:38 UTC
Hi Simon,
Continuing with my previous discussion, I propose we have a
configuration parameter such as "srv-host-nxdomain" or "nxdomain-hosts"
using which we can force dnsmasq to return NXDOMAIN for any
domains that we want to. What do you think?

Regards,
Rahul.
/dev/rob0
2010-05-04 08:13:17 UTC
[ top-posting fixed ]
Post by Rahul Amaram
Post by Simon Kelley
I think you have mis-interpreted the way this works. NXDOMAIN
means that there is no data in the DNS for the given domain. That
is not what's happening here. The example line returns a valid
SRV record for _ldap._tcp.example.com which happens to be empty.
The "domain" refers to _ldap._tcp.example.com and not the domain
which may be returned as part of the reply.
Have you encountered real-world problems with the existing
behaviour?
Well yes. I have encountered some problems with this. I am using
Kerberos in my company LAN. While performing kinit on my system,
the SRV record for _kerberos-master.udp.EXAMPLE.COM is looked up.
Show the dig(1) results to demonstrate this. Is EXAMPLE.COM your
company LAN domain? Does _kerberos-master.udp.EXAMPLE.COM exist in
the form of any RR type, SRV or otherwise?

Show what Kerberos is actually looking up. Is it as you said,
_kerberos-master.udp.EXAMPLE.COM, or is it perhaps as per the
documented LDAP example, "_kerberos-master._udp.EXAMPLE.COM"?
Post by Rahul Amaram
Now if an NXDOMAIN is not returned but instead the default port 1
with empty host is returned, the kinit command tries to further
resolve that empty host (which I think is replaced with <ROOT>
somehow) and this causes an extreme slowdown of kinit.
I think there should be some configuration option to say that an
NXDOMAIN should be returned for a particular SRV record. This
would be really helpful. What are your thoughts about this?
Useless. NXDOMAIN, as Simon explained, means that there is no record
of any RR type for the given name. If you want NXDOMAIN, define
yourself as authoritative for any level of the parent domain[s] in
question.
local=/EXAMPLE.COM/
or, if you only want the SRV subdomains:
local=/_tcp.EXAMPLE.COM/
local=/_udp.EXAMPLE.COM/

Then, any name NOT defined under those domains will be NXDOMAIN. I
suspect you have misdiagnosed your original issue.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
Rahul Amaram
2010-05-04 09:59:27 UTC
Hi Rob,
Thanks a lot for your response. Please find my responses inline. Btw,
your last suggestion has helped me achieve the desired result though I
still feel it would be great to have dnsmasq return NXDOMAIN only for a
particular domain and forward the remaining domain queries to upstream
servers. For example, dnsmasq should be configurable such that query for
_kerberos-master._udp.example.com is returned as NXDOMAIN whereas
queries for _kerberos._udp.example.com and _kpasswd._udp.example.com are
forwarded to upstream server.

Thanks and Regards,
Rahul.
Post by /dev/rob0
Post by Rahul Amaram
Post by Simon Kelley
I think you have mis-interpreted the way this works. NXDOMAIN
means that there is no data in the DNS for the given domain. That
is not what's happening here. The example line returns a valid
SRV record for _ldap._tcp.example.com which happens to be empty.
The "domain" refers to _ldap._tcp.example.com and not the domain
which may be returned as part of the reply.
Have you encountered real-world problems with the existing
behaviour?
Well yes. I have encountered some problems with this. I am using
Kerberos in my company LAN. While performing kinit on my system,
the SRV record for _kerberos-master.udp.EXAMPLE.COM is looked up.
Show the dig(1) results to demonstrate this.
# dig +short _kerberos-master._udp.example.com SRV [Request forwarded
to upstream server]
# echo 'srv-host=_kerberos-master._udp.example.com' >> /etc/dnsmasq.conf
# /etc/init.d/dnsmasq restart
Restarting DNS forwarder and DHCP server: dnsmasq.
# dig +short _kerberos-master._udp.example.com SRV
0 0 1 . [Response from dnsmasq. I want this response to be NXDOMAIN]
#
Post by /dev/rob0
Is EXAMPLE.COM your
company LAN domain? Does _kerberos-master.udp.EXAMPLE.COM exist in
the form of any RR type, SRV or otherwise?
EXAMPLE.COM is the kerberos realm. I could even have SYNOVEL.COM as the
realm.
Post by /dev/rob0
Show what Kerberos is actually looking up. Is it as you said,
_kerberos-master.udp.EXAMPLE.COM, or is it perhaps as per the
documented LDAP example, "_kerberos-master._udp.EXAMPLE.COM"?
I do not understand the difference. If the kerberos realm is
"EXAMPLE.COM" it looks up "_kerberos-master._udp.example.com". If the
kerberos realm is "SYNOVEL.COM", it looks up
"_kerberos-master._udp.synovel.com".
Post by /dev/rob0
Post by Rahul Amaram
Now if an NXDOMAIN is not returned but instead the default port 1
with empty host is returned, the kinit command tries to further
resolve that empty host (which I think is replaced with <ROOT>
somehow) and this causes an extreme slowdown of kinit.
I think there should be some configuration option to say that an
NXDOMAIN should be returned for a particular SRV record. This
would be really helpful. What are your thoughts about this?
Useless. NXDOMAIN, as Simon explained, means that there is no record
of any RR type for the given name. If you want NXDOMAIN, define
yourself as authoritative for any level of the parent domain[s] in
question.
local=/EXAMPLE.COM/
local=/_tcp.EXAMPLE.COM/
local=/_udp.EXAMPLE.COM/
Then, any name NOT defined under those domains will be NXDOMAIN. I
suspect you have misdiagnosed your original issue.
Thanks. This solution works perfectly. I have added
"local=/_tcp.EXAMPLE.COM/" to dnsmasq.conf and now I am able to get the
desired result.
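The three outcomes this thread contrasts look different on the wire: NXDOMAIN is RCODE 3, an empty answer section is NODATA, and dnsmasq's "0 0 1 ." reply is a valid SRV record whose target is the root. RFC 2782 says a client should treat a target of "." as "service decidedly not available" and not resolve it, which is exactly the handling Rahul's kinit lacks. The Python below is an added example, not part of the thread or of dnsmasq; it builds constructed, uncompressed DNS responses for the name from Rahul's dig session and classifies them the way an RFC 2782-aware SRV client would.

```python
import struct
SRV_TYPE = 33  # RR type code for SRV (RFC 2782)

def encode_name(name):
    """Wire-encode a name; "" or "." becomes the root label (one zero byte)."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf, off):
    """Decode an uncompressed name at buf[off]; returns (name, offset after it)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) or ".", off + 1

def build_response(qname, rcode, srv=None):
    """Constructed response: header, one question, optional (prio, weight, port, target) SRV answer."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, 1 if srv else 0, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", SRV_TYPE, 1)  # QCLASS IN
    if srv is None:
        return header + question
    prio, weight, port, target = srv
    rdata = struct.pack(">HHH", prio, weight, port) + encode_name(target)
    answer = encode_name(qname) + struct.pack(">HHIH", SRV_TYPE, 1, 0, len(rdata)) + rdata
    return header + question + answer

def classify_srv_response(pkt):
    """Return NXDOMAIN, NODATA, NO-SERVICE (every target is ".") or SERVICE."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x000F == 3:          # RCODE 3 = NXDOMAIN: the name itself does not exist
        return "NXDOMAIN"
    off = 12
    for _ in range(qdcount):         # skip the question section (name + type + class)
        _, off = decode_name(pkt, off)
        off += 4
    targets = []
    for _ in range(ancount):
        _, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:        # target follows the 6-byte priority/weight/port
            targets.append(decode_name(pkt, off + 6)[0])
        off += rdlen
    if not targets:
        return "NODATA"              # name exists, but carries no SRV record
    if all(t == "." for t in targets):
        return "NO-SERVICE"          # RFC 2782: "." means decidedly not available; never resolve it
    return "SERVICE"
```

A client that treats NO-SERVICE like NXDOMAIN fails fast on the "0 0 1 ." answer without any server-side change; the local=/.../ approach in this thread achieves the same effect by having dnsmasq answer authoritatively instead.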
/dev/rob0
2010-05-04 15:47:37 UTC
Post by Rahul Amaram
Thanks a lot for your response. Please find my responses inline.
Btw, your last suggestion has helped me achieve the desired result
That's good, glad to hear it.
Post by Rahul Amaram
though I still feel it would be great to have dnsmasq return
NXDOMAIN only for a particular domain and forward the remaining
domain queries to upstream servers. For example, dnsmasq should be
configurable such that query for _kerberos-master._udp.example.com
is returned as NXDOMAIN whereas queries for
_kerberos._udp.example.com and _kpasswd._udp.example.com are
forwarded to upstream server.
Something like
address=/_kerberos-master._udp.example.com/nxdomain

Actually I think this would work, but I'm not able to try it now:
local=/_kerberos-master._udp.example.com/
With no listings in /etc/hosts that should return NXDOMAIN, not
consulting upstream servers.
Post by Rahul Amaram
Post by /dev/rob0
Show what Kerberos is actually looking up. Is it as you said,
_kerberos-master.udp.EXAMPLE.COM, or is it perhaps as per the
documented LDAP example, "_kerberos-master._udp.EXAMPLE.COM"?
I do not understand the difference. If the kerberos realm is
The difference is the leading underscore on the second segment,
"._udp." versus ".udp."
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
Rahul Amaram
2010-05-04 18:36:30 UTC
Hi Rob,

local=/_kerberos-master._udp.example.com/

works like a charm. Really appreciate all the help.

Thanks and Regards,
Rahul.