recursor: confusing log about oversized UDP responses

PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist

https://www.powerdns.com/

GNU General Public License v2.0

3.63k stars 904 forks source link

recursor: confusing log about oversized UDP responses #9632

Open pspacek opened 3 years ago

pspacek commented 3 years ago

Program: Recursor
Issue type: Bug report

Short description

Oversized UDP responses are logged as "Form Error" which is very confusing when actual packet on the wire is NoError.

Environment

Operating system: Arch Linux
Software version: 4.3.5
Software source: Operating system repository, package powerdns-recursor 4.3.5-1

Steps to reproduce

Set edns-outgoing-bufsize to a small size
Send oversized UDP packet in response to a forwarded query

Expected behaviour

Log message stating that response was oversized.

Actual behaviour

Actual log message about an oversized UDP answer:

Oct 21 12:05:00 [1]   dns-oarc.net: Got 0 answers from (empty) (192.0.2.1), rcode=1 (Form Error), aa=0, in 5ms

Github does not like my ZIP with PCAP, logs and config, so drop me a message if you need them.

Habbie commented 3 years ago

Github does not like my ZIP with PCAP, logs and config, so drop me a message if you need them.

Easy reproduction:

dig txt 1400.v4.big.7bits.nl ->

Oct 21 15:28:12 [3] 1400.v4.big.7bits.nl: Got 0 answers from ns.v4.big.7bits.nl (37.139.13.17), rcode=1 (Form Error), aa=0, in 4ms

omoerbeek commented 3 years ago

This is the spot where the rcode is overwritten and no longer corresponds to the rcode in the header received: in lwres.cc:

  catch(std::exception &mde) {
    if(::arg().mustDo("log-common-errors"))
      g_log<<Logger::Notice<<"Unable to parse packet from remote server "<<ip.toString()<<": "<<mde.what()<<endl;
    lwr->d_rcode = RCode::FormErr;

nathkn commented 3 years ago

We also ran into this issue, where the rcode gets overwritten to FORMERR - however with a bigger impact of the recursor disabling EDNS for the downstream NS due to how it handles FORMERR:

https://github.com/PowerDNS/pdns/blob/1a6d9b1334121df131d77cca1a0ab7169253ac8a/pdns/syncres.cc#L554-L562

So we ended up with EDNS being disabled for the entire forwarding zone due to just a couple records giving back oversized UDP responses. Though maybe that is expected behavior.

Habbie commented 3 years ago

The interaction between 'FORMERR disables EDNS0' and 'oversized responses are handled as FORMERR internally' was certainly not expected or intended! However, the expected behaviour would not help you - it would be 'try every auth in case one does not send garbage', and if all auths send oversized responses (garbage), the end result for your client would still be SERVFAIL. If it happened enough, we might even note the auth as broken for a while, again breaking all domains.

So, please do fix auths sending oversized responses. Do you know what software did that?

nathkn commented 3 years ago

@Habbie ah, that definitely makes sense on how the expected behavior would break things - we're working on figuring out why the auth is sending those oversized results. Thanks!