These are chat archives for CZ-NIC/knot-resolver

7th
Jan 2019
micah
@micah
Jan 07 17:24
hi all, I've uncovered a strange bug with knot-resolver. I'm getting failures when trying to resolve things with php against knot-resolver. I get correct results against BIND with php, and I get correct results with python, postfix, dig, etc. against knot-resolver.
If I do: php -r "print_r(dns_get_record('cnn.com'));" I get:
PHP Warning: dns_get_record(): A temporary server error occurred. in Command line code on line 1
if I then do dig cnn.com, I get a proper result.
I did straces to try and find a difference in syscalls, but I didn't see anything obvious. I see the socket/connect/poll/recvfrom/close dance, but nothing obviously different.
Originally, I was very confused why php stopped working; I eventually traced the beginning of the failure to when I switched from BIND to knot-resolver for my recursive resolver. I found that when I use the resolver provided by Cloudflare, I also get the broken responses. But I do not get broken responses from Google's resolver. It took me some time to find out that CF is using knot.
Originally, I thought: well, this is a php bug... but if knot-resolver is providing something in its response that makes php not work, that means php resolution is failing everywhere that knot-resolver is used :o
micah
@micah
Jan 07 19:13
I seem to get NotImp q: ANY? cnn.com. in response from knot-resolver
but when I use python, I get q: A? cnn.com. 4/0/0 cnn.com. [1m] A 151.101.1.67, cnn.com. [1m] A 151.101.65.67, cnn.com. [1m] A 151.101.129.67, cnn.com. [1m] A 151.101.193.67 (89)
micah
@micah
Jan 07 19:42
It seems like a good thing to disable ANY? but I think that cloudflare (and perhaps knot-resolver people) maybe didn't realize that all of PHP uses this
Vladimír Čunát
@vcunat
Jan 07 20:20
Yes, knot-resolver doesn't support ANY queries.
There's also a standards-track RFC about that just awaiting publication: https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any-07
Vladimír Čunát
@vcunat
Jan 07 20:33
I suggest you pass explicit types to dns_get_record(). Note that ANY never guaranteed that the result will contain A records if they exist. The server was always free to return whatever subset of types it liked.
micah
@micah
Jan 07 20:34
Thanks @vcunat - yeah, I'm changing the code to look up the A and AAAA records instead.
Vladimír Čunát
@vcunat
Jan 07 20:34
That made it most useful for attacks. (And debugging, too.)
micah
@micah
Jan 07 20:34
one day php will be burned to the ground
Vladimír Čunát
@vcunat
Jan 07 20:34
Well, yes, A might've been a better default for the function.