1949670 – systemd-resolved CNAME loop detection too strict; prevents site function

Bug 1949670 - systemd-resolved CNAME loop detection too strict; prevents site function

Summary: systemd-resolved CNAME loop detection too strict; prevents site function

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	systemd
Sub Component:
Version:	33
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	systemd-maint
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1950166 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-04-14 18:42 UTC by Cory Bell
Modified:	2021-05-27 01:04 UTC (History)
CC List:	12 users (show)
Fixed In Version:	systemd-246.14-1.fc33
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-05-27 01:04:28 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Cory Bell 2021-04-14 18:42:23 UTC

Description of problem:
resolved < v248 apparently decides that if a lookup chain includes more than 8 CNAMEs, there must be a loop and fails the lookup. This causes at least one major website (LinkedIn.com) to fail to load in my location, as their static content edge servers have nine chained CNAME records before the A records.

Version-Release number of selected component (if applicable):
Experienced in Fedora 33 using systemd-246.13-1.fc33.x86_64

How reproducible:
100% in my location (edge content servers may vary by geography/ISP/etc)

Steps to Reproduce:
1. Query static-exp1.licdn.com with dig or resolvectl
resolvectl query static-exp1.licdn.com
dig -t A static-exp1.licdn.com (using default config with local stub resolver)

2. Compare results to querying an upstream nameserver
dig -t A static-exp1.licdn.com @8.8.8.8

Actual results:
resolvectl returns an error like:
static-exp1.licdn.com: resolve call failed: CNAME loop detected, or CNAME resolving disabled on '<REDACTED>.trafficmanager.net'

dig returns an empty result set with SERVFAIL status.

Expected results:
A records are returned successfully

Additional info:
It looks like this may be fixed (or at least less likely to occur) in systemd 248, based on the commit below.
GitHub issue: https://github.com/systemd/systemd/issues/9690
Linked commit: https://github.com/systemd/systemd/commit/e0ae456a554d0fce250f9a009c561b97f20c41f8

Workaround:
I have enabled DNS over HTTPS in Firefox to work around the defect in resolved. In this configuration, LinkedIn.com content loads correctly.

Comment 1 Zbigniew Jędrzejewski-Szmek 2021-05-14 09:36:39 UTC

*** Bug 1950166 has been marked as a duplicate of this bug. ***

Comment 2 Fedora Update System 2021-05-15 20:55:58 UTC

FEDORA-2021-25202922d4 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-25202922d4

Comment 3 Fedora Update System 2021-05-16 03:02:44 UTC

FEDORA-2021-25202922d4 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-25202922d4`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-25202922d4

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2021-05-27 01:04:28 UTC

FEDORA-2021-25202922d4 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.