Bug 1745730 - Unable to query TXT records with one or more subdomains when appending the domain to the short name
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: bind
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Petr Menšík
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-08-26 18:41 UTC by Lucas Caparelli
Modified: 2020-03-18 14:43 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-18 14:43:50 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Lucas Caparelli 2019-08-26 18:41:31 UTC
Description of problem:

Unable to query TXT records with one or more subdomains (separate from search domains defined in /etc/resolv.conf) when appending the domain to the short name (for example using the "+search" option with dig or simply by running nslookup).

Querying the FQDN resolves successfully, the issue only surfaces when attempting to resolve via short name.

This issue was initially observed on RHEL 7 after patching bind-utils. As RHEL 7 has entered Maintenance Phase I'm filing the BZ against RHEL 8.

Version-Release number of selected component (if applicable): bind-utils-9.11.4-16.P2.el8.x86_64

How reproducible: easily


Steps to Reproduce:
1. Make sure you have a TXT record with one or more subdomains (apart from the actual zone domain), such as the example below from the "lab.com" zone:

  _test._test        IN      TXT      "HEY, YOU RESOLVED ME WITH A SUBDOMAIN"

2. Make sure /etc/resolv.conf has the correct search domain configured:

  search lab.com

3. Query the record while attempting to append the search domain. Example:

  $ dig TXT +search _test._test 

Actual results:

[root@localhost ~]# dig +search TXT _test._test

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el8 <<>> +search TXT _test._test
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2149
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0c4043a29fe88f8bf9baaee15d642624a6b53d929486eeeb (good)
;; QUESTION SECTION:
;_test._test.			IN	TXT

;; AUTHORITY SECTION:
.			10555	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2019082601 1800 900 604800 86400

;; Query time: 1 msec
;; SERVER: 192.168.121.83#53(192.168.121.83)
;; WHEN: Mon Aug 26 14:34:12 EDT 2019
;; MSG SIZE  rcvd: 143

Expected results:

The search domain is appended and the query gets resolved.

Additional info:

Please see below results from testing on RHEL 7. It's possible to see the query actually got resolved as expected on an older version of bind-utils:

---------------------------------------------------------------------
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search lab.com
nameserver 192.168.121.83
[root@localhost ~]# rpm -q bind-utils 
bind-utils-9.9.4-73.el7_6.x86_64
[root@localhost ~]# dig +search TXT _test

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> +search TXT _test
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33544
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_test.lab.com.			IN	TXT

;; ANSWER SECTION:
_test.lab.com.		86400	IN	TXT	"HEY, YOU RESOLVED ME"

;; AUTHORITY SECTION:
lab.com.		86400	IN	NS	ns.lab.com.

;; ADDITIONAL SECTION:
ns.lab.com.		86400	IN	A	192.168.121.83

;; Query time: 1 msec
;; SERVER: 192.168.121.83#53(192.168.121.83)
;; WHEN: Qui Ago 22 16:23:45 EDT 2019
;; MSG SIZE  rcvd: 108

[root@localhost ~]# dig +search TXT _test._test
;; Query time: 0 msec
;; SERVER: 192.168.121.83#53(192.168.121.83)
;; WHEN: Qui Ago 22 16:23:59 EDT 2019
;; MSG SIZE  rcvd: 40


; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> +search TXT _test._test
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41145
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_test._test.lab.com.		IN	TXT

;; ANSWER SECTION:
_test._test.lab.com.	86400	IN	TXT	"HEY, YOU RESOLVED ME WITH A SUBDOMAIN"

;; AUTHORITY SECTION:
lab.com.		86400	IN	NS	ns.lab.com.

;; ADDITIONAL SECTION:
ns.lab.com.		86400	IN	A	192.168.121.83

;; Query time: 1 msec
;; SERVER: 192.168.121.83#53(192.168.121.83)
;; WHEN: Qui Ago 22 16:23:59 EDT 2019
;; MSG SIZE  rcvd: 131

[root@localhost ~]# yum update bind-utils -y
(output omitted)
[root@localhost ~]# rpm -q bind-utils
bind-utils-9.11.4-9.P2.el7.x86_64
[root@localhost ~]# dig +search TXT _test

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> +search TXT _test
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42989
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_test.lab.com.			IN	TXT

;; ANSWER SECTION:
_test.lab.com.		86400	IN	TXT	"HEY, YOU RESOLVED ME"

;; AUTHORITY SECTION:
lab.com.		86400	IN	NS	ns.lab.com.

;; ADDITIONAL SECTION:
ns.lab.com.		86400	IN	A	192.168.121.83

;; Query time: 0 msec
;; SERVER: 192.168.121.83#53(192.168.121.83)
;; WHEN: Qui Ago 22 16:39:16 EDT 2019
;; MSG SIZE  rcvd: 108

[root@localhost ~]#  dig +search TXT _test._test

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> +search TXT _test._test
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42397
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_test._test.			IN	TXT

;; Query time: 4 msec
;; SERVER: 192.168.121.83#53(192.168.121.83)
;; WHEN: Qui Ago 22 16:39:36 EDT 2019
;; MSG SIZE  rcvd: 40

---------------------------------------------------------------------

Strangely, the response code is SERVFAIL instead of the NXDOMAIN observed on RHEL 8 as client.

Comment 1 rhayden 2019-08-28 16:18:43 UTC
Potentially related bug at https://bugzilla.redhat.com/show_bug.cgi?id=1743572

Discussion on using the "options ndots:3" in /etc/resolv.conf to relax the security stance.

Comment 2 Lucas Caparelli 2019-08-28 16:42:27 UTC
(In reply to rhayden from comment #1)
> Potentially related bug at
> https://bugzilla.redhat.com/show_bug.cgi?id=1743572
> 
> Discussion on using the "options ndots:3" in /etc/resolv.conf to relax the
> security stance.

That works here too. 

I assumed the issue was exclusive to TXT records due to how the issue was observed on the customer's environment, sorry about that. I just tested for an A record and I see the same behavior (the ndots workaround is also good then).

It seems this bug may actually be a duplicate, then.

Comment 3 Petr Menšík 2020-03-18 14:43:50 UTC
Would close it as a duplicate. However, this issue would be fixed in RHEL 7, since it originally worked there. But such a thing never worked in RHEL 8.

We currently do not have a plan to fix it in RHEL 8, since upstream considers it a bad habit to include dots in search-directive queries. Search was supposed to search a bare name without a dot in the current set of domains. It would work well with www or ftp, but not www.subdomain or ldap.division.

The general recommendation is to use full absolute names anywhere and not to rely on search or domain directives in /etc/resolv.conf. They might be reconfigured by DHCP, which is not secured in any way. Full domains are safer in this mode, because it either resolves or fails. It is not passed to every search domain first or as a final try. We would like to keep it so.

If it is an important feature you cannot overcome, feel free to reopen the bug. But please explain how you use it and why a full name is not possible to use.

Until then, closing as not a bug.
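
The resolver behaviour this thread contrasts, modelled as an added Python example (not BIND, dig or glibc code, and not part of the bug report): the 9.9 transcript in the description falling back to the search list after an absolute miss, the 9.11 transcript answering NXDOMAIN for _test._test. alone, the ndots:3 workaround from comment 1, and the DHCP-supplied search list risk raised in comment 3. The zone contents, the evil.example search domain and the ldap.division lookup against it are constructed for the demo and are assumptions, not data from the report.

```python
"""Resolver search-list expansion, modelled for this bug report.

Added example, not BIND, dig or glibc code. It reproduces the query orders
visible in the dig transcripts above (9.9 falling back to the search list
after an absolute miss; 9.11 treating a name with >= ndots dots as absolute
only; the ndots:3 workaround from comment 1) and the point from comment 3
that a search list pushed by DHCP can redirect relative names. Zone data
and the 'evil.example' search domain are constructed for the demo.
"""
from typing import Dict, List, Optional, Tuple

Zone = Dict[str, str]  # owner name (absolute, trailing dot) -> TXT rdata

# Constructed stand-in for the lab.com zone described in the report.
LAB_ZONE: Zone = {
    "_test.lab.com.": '"HEY, YOU RESOLVED ME"',
    "_test._test.lab.com.": '"HEY, YOU RESOLVED ME WITH A SUBDOMAIN"',
}


def count_dots(name: str) -> int:
    """Dots in the name as typed; a trailing dot is not counted."""
    return name.rstrip(".").count(".")


def candidates(name: str, search: List[str], ndots: int = 1,
               fallback_to_search: bool = True) -> List[str]:
    """Fully qualified names a resolver tries, in order.

    name               -- name as typed; a trailing dot makes it absolute
                          and disables the search list entirely
    search             -- domains from the 'search' line of /etc/resolv.conf
    ndots              -- 'options ndots:N'; a name with at least N dots is
                          tried as absolute first
    fallback_to_search -- True: after an absolute miss still try the search
                          domains (the 9.9 transcript); False: a name with
                          >= ndots dots is tried absolute only (the 9.11
                          transcript, NXDOMAIN for '_test._test.')
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    searched = [f"{name}.{domain.rstrip('.')}." for domain in search]
    if count_dots(name) >= ndots:
        return [absolute] + (searched if fallback_to_search else [])
    # Fewer dots than ndots: search domains first, bare name last.
    return searched + [absolute]


def resolve_txt(name: str, zone: Zone, search: List[str], ndots: int = 1,
                fallback_to_search: bool = True) -> Tuple[str, Optional[str]]:
    """Walk the candidate list against a zone; the first hit wins.

    Returns (qname that answered, rdata), or (last qname tried, None) when
    every candidate misses, which is what the NXDOMAIN transcript shows.
    """
    tried: List[str] = []
    for qname in candidates(name, search, ndots, fallback_to_search):
        tried.append(qname)
        if qname in zone:
            return qname, zone[qname]
    return tried[-1], None


def dhcp_search_hijack(ndots: int,
                       fallback_to_search: bool) -> Tuple[str, Optional[str]]:
    """Relative 'ldap.division' on a network whose DHCP server pushed an
    attacker-chosen search domain. Constructed scenario: 'evil.example' and
    its zone are assumptions for the demo, not anything from the report.
    """
    attacker_zone: Zone = {
        "ldap.division.evil.example.": '"attacker-controlled"',
    }
    return resolve_txt("ldap.division", attacker_zone, ["evil.example"],
                       ndots, fallback_to_search)


if __name__ == "__main__":
    # RHEL 8 behaviour from the report: absolute only, so NXDOMAIN.
    print(resolve_txt("_test._test", LAB_ZONE, ["lab.com"], 1, False))
    # Comment 1 workaround: ndots:3 makes the name relative again.
    print(resolve_txt("_test._test", LAB_ZONE, ["lab.com"], 3, False))
    # Same workaround on an untrusted network: the pushed domain wins.
    print(dhcp_search_hijack(3, False))
    # An absolute name is never expanded, whatever the search list says.
    print(resolve_txt("ldap.division.corp.example.", {}, ["evil.example"], 3))
```

Running it shows why comment 1 calls ndots:3 a relaxation of the security stance: raising ndots, or falling back to the search list after an absolute miss, both widen the window in which a search domain pushed by DHCP captures a dotted relative name, while a name written with a trailing dot is never expanded in any mode.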

