Due to a bug in its name canonicalization mechanism, the Resolv DNS resolver was not able to perform simple lookup operations when the value of the "ndots" option in the resolv.conf file was greater than 1. This could lead to a variety of failures in users' configuration management system, such as the Puppet management tool, and in their provisioning system. This update fixes the canonicalization, which allows Resolv to perform lookups correctly and prevents the described problems.
Description of problem:
Rubys resolver (/usr/lib/ruby/1.8/resolv.rb) attempts to implement name canonicalization similar to the system resolver.
It's implementation prevents simple lookups when ndots is set greater than 1 (the default).
For example, with this resolv.conf:
nameserver 192.168.1.1
nameserver 192.168.1.2
options ndots:2
search a.example.com b.example.com example.com
This script raises an Resolv::ResolvError exception:
#!/usr/bin/ruby
require 'resolv'
p Resolv.getaddress('google.com')
Ruby's resolver parses /etc/resolv.conf extracting nameservers, search domains, and the ndots option.
When you attempt to resolv a name (which does not include a trailing "." indicating it is already fully qualified) it determines the number of dots in the name, and if there number of dots in the name is less than the ndots option, it attempts canonicalization.
This is correct behavior, but the canonicalization mechanism is where the problem lies. In the above example, it performs three lookups: google.com.a.example.com, google.com.b.example.com, and google.com.example.com.
The linux resolver would do the same, and then fail back to google.com. if canonicalization fails. The issue is in /usr/lib/ruby/1.8/resolv.rb. The following patch makes ruby's resolver behave the same way as the system resolver:
--- /usr/lib/ruby/1.8/resolv.rb 2010-12-22 22:22:57.000000000 -0500
+++ resolv.rb 2014-08-20 18:50:05.653882000 -0400
@@ -945,6 +945,10 @@
candidates = []
end
candidates.concat(@search.map {|domain| Name.new(name.to_a + domain)})
+ fname = Name.create("#{name}.")
+ if !candidates.include?(fname)
+ candidates << fname
+ end
end
return candidates
end
It looks like the same bug exists in the upstream stable ruby 2.1.2.
This issue causes the client see failures in their configuration management system (puppet) and home-grown host provisioning system.
Version-Release number of selected component (if applicable):
All (RHEL versions as well as upstream). Tested on ruby and ruby200 in RHEL6 and Ruby 2.x in fedora.
Hi Frank,
Thank you for the bug report and attached patch. However, I am afraid I can't accept your patch unless it is upstreamed first, since it would result in different behavior of Ruby resolver on Fedora/RHEL then on other platforms. Therefore I opened upstream ticket:
https://bugs.ruby-lang.org/issues/10412
Lets see what upstream thinks about your patch.
Description of problem: Rubys resolver (/usr/lib/ruby/1.8/resolv.rb) attempts to implement name canonicalization similar to the system resolver. It's implementation prevents simple lookups when ndots is set greater than 1 (the default). For example, with this resolv.conf: nameserver 192.168.1.1 nameserver 192.168.1.2 options ndots:2 search a.example.com b.example.com example.com This script raises an Resolv::ResolvError exception: #!/usr/bin/ruby require 'resolv' p Resolv.getaddress('google.com') Ruby's resolver parses /etc/resolv.conf extracting nameservers, search domains, and the ndots option. When you attempt to resolv a name (which does not include a trailing "." indicating it is already fully qualified) it determines the number of dots in the name, and if there number of dots in the name is less than the ndots option, it attempts canonicalization. This is correct behavior, but the canonicalization mechanism is where the problem lies. In the above example, it performs three lookups: google.com.a.example.com, google.com.b.example.com, and google.com.example.com. The linux resolver would do the same, and then fail back to google.com. if canonicalization fails. The issue is in /usr/lib/ruby/1.8/resolv.rb. The following patch makes ruby's resolver behave the same way as the system resolver: --- /usr/lib/ruby/1.8/resolv.rb 2010-12-22 22:22:57.000000000 -0500 +++ resolv.rb 2014-08-20 18:50:05.653882000 -0400 @@ -945,6 +945,10 @@ candidates = [] end candidates.concat(@search.map {|domain| Name.new(name.to_a + domain)}) + fname = Name.create("#{name}.") + if !candidates.include?(fname) + candidates << fname + end end return candidates end It looks like the same bug exists in the upstream stable ruby 2.1.2. This issue causes the client see failures in their configuration management system (puppet) and home-grown host provisioning system. Version-Release number of selected component (if applicable): All (RHEL versions as well as upstream). Tested on ruby and ruby200 in RHEL6 and Ruby 2.x in fedora.