Bug 216260 - dns/djbdns: loop detection false positives.
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: David Thiel
Reported: 2017-01-19 17:23 UTC by tjd-freebsd
Modified: 2018-06-12 17:09 UTC (History)

bugzilla: maintainer-feedback? (lx)


Attachments
Patch to bump loop detection limit from 100 to 500. (466 bytes, patch)
2017-01-19 17:23 UTC, tjd-freebsd

Description tjd-freebsd 2017-01-19 17:23:18 UTC
Created attachment 179072
Patch to bump loop detection limit from 100 to 500.

djbdns will give up resolving a name after 100 queries, to avoid following CNAME loops forever.  But 'modern' CDNs use complex layers of DNS redirection that can hit this limit when resolving a valid query from a cold cache. 

I found that resolving the Let's Encrypt OCSP responder (ocsp.int-x3.letsencrypt.org.) through dnscache would fail and time out. 

The attached patch bumps the limit from 100 to 500, and makes that particular name resolve again on my system (10.3-RELEASE-p11 amd64, djbdns-ipv6-1.05.b23_21,1 with IP6 config enabled).

I searched a bit and it looks like this is a known issue, WONTFIX'd upstream.
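
A simplified model of the behaviour described in the report above, added here as an illustration (it is not djbdns code and not the attached patch): a cold-cache resolver that charges every referral, glueless nameserver lookup and CNAME hop against one per-request query limit. `ToyResolver`, `cdn_chain`, `attempt` and all zone data are constructed for the example. With a 40-name chain the valid lookup needs 122 queries, so it fails at a limit of 100 and succeeds at 500, while a real CNAME loop is cut off at either limit.

```python
class LoopLimit(Exception): pass  # per-request query budget exhausted

class ToyResolver:  # cold-cache iterative resolver model; not djbdns code
    def __init__(self, deleg, records, limit):
        self.deleg, self.records, self.limit = deleg, records, limit
        self.queries, self.known, self.addr = 0, set(), {}
    def _query(self):
        if self.queries >= self.limit:           # the give-up check
            raise LoopLimit(self.queries)
        self.queries += 1

    def _walk(self, name):
        for i in range(name.count("."), 0, -1):  # "net", then "cdn0.net", ...
            zone = name.split(".", i)[-1]
            if zone in self.deleg and zone not in self.known:
                self._query()                    # referral from the parent zone
                ns = self.deleg[zone]
                if ns.endswith("." + zone):      # in-bailiwick NS: glue included
                    self.addr[ns] = self.records[ns][1]
                else:                            # glueless NS: resolve it as well
                    self.resolve(ns)
                self.known.add(zone)

    def resolve(self, name):
        while True:
            self._walk(name)
            if name in self.addr:                # already learned from glue
                return self.addr[name]
            self._query()                        # ask the authoritative server
            kind, value = self.records[name]
            if kind == "A":
                return value
            name = value                         # CNAME: restart on the target

def cdn_chain(n):  # constructed data: n chained names, each zone with a glueless NS
    deleg = {"net": "ns.net", "org": "ns.org"}
    records = {"ns.net": ("A", "192.0.2.1"), "ns.org": ("A", "192.0.2.2")}
    for i in range(n):
        deleg[f"cdn{i}.net"] = deleg[f"dns{i}.org"] = f"ns.dns{i}.org"
        records[f"ns.dns{i}.org"] = ("A", "192.0.2.53")
        records[f"h{i}.cdn{i}.net"] = ("CNAME", f"h{i + 1}.cdn{i + 1}.net")
    records[f"h{n - 1}.cdn{n - 1}.net"] = ("A", "198.51.100.7")
    return deleg, records

def attempt(deleg, records, name, limit):  # -> (address or None, queries spent)
    r = ToyResolver(deleg, records, limit)
    try:
        return r.resolve(name), r.queries
    except LoopLimit:
        return None, r.queries
```

In this model each extra CNAME hop into an uncached zone costs three queries, so the limit bounds chain depth times per-hop delegation cost, not just the number of CNAMEs.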
Comment 1 Walter Schwarzenfeld freebsd_triage 2018-01-14 03:50:14 UTC
Maintainer feedback?
Comment 2 commit-hook freebsd_committer freebsd_triage 2018-01-16 19:55:01 UTC
A commit references this bug:

Author: lx
Date: Tue Jan 16 19:54:19 UTC 2018
New revision: 459204
URL: https://svnweb.freebsd.org/changeset/ports/459204

Log:
  Bump loop detection limit to 500

  PR:		216260
  Submitted by:	tjd-freebsd@phlegethon.org

Changes:
  head/dns/djbdns/Makefile
  head/dns/djbdns/files/patch-query.c
Comment 3 David Thiel freebsd_committer freebsd_triage 2018-01-16 19:57:49 UTC
Committed, while I despair at living in a world where 100 DNS queries isn't enough to resolve a name.
Comment 4 Bryan Drewery freebsd_committer freebsd_triage 2018-06-11 23:01:18 UTC
(In reply to David Thiel from comment #3)
> Committed, while I despair at living in a world where 100 DNS queries isn't
> enough to resolve a name.

500 seems a bit absurd though...
Comment 5 David Thiel freebsd_committer freebsd_triage 2018-06-12 17:09:07 UTC
I mean, 100 seems absurd to me, but I guess I'm old. You're welcome to twiddle it to something else if you think need be.