[Bug 216260] dns/djbdns: loop detection false positives.

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu Jan 19 17:23:18 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216260

            Bug ID: 216260
           Summary: dns/djbdns: loop detection false positives.
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: lx at FreeBSD.org
          Reporter: tjd-freebsd at phlegethon.org
             Flags: maintainer-feedback?(lx at FreeBSD.org)

Created attachment 179072
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=179072&action=edit
Patch to bump loop detection limit from 100 to 500.

djbdns will give up resolving a name after 100 queries, to avoid following
CNAME loops forever.  But 'modern' CDNs use complex layers of DNS redirection
that can hit this limit when resolving a valid query from a cold cache.

I found that resolving the Let's Encrypt OCSP responder
(ocsp.int-x3.letsencrypt.org.) through dnscache would fail and time out. 

The attached patch bumps the limit from 100 to 500, and makes that particular
name resolve again on my system (10.3-RELEASE-p11 amd64,
djbdns-ipv6-1.05.b23_21,1 with IP6 config enabled).

I searched a bit and it looks like this is a known issue, WONTFIX'd upstream.

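As an added illustration (not part of the bug report and not djbdns source), the following Python model shows why a fixed per-query step counter both stops a genuine CNAME loop and trips on a long, legitimate alias chain from a cold cache. The resolver class, the zone data, the names and the accounting rule (one step per restart, referral or nameserver address lookup, all charged to the client's query; AAAA lookups only when IPv6 is on) are constructed assumptions that approximate the behaviour the report describes rather than dnscache's code; `ocsp.example.org.` is a stand-in for the OCSP name in the report. It also makes the trade-off behind the patch visible: a larger limit keeps deep chains resolvable, at the cost of more work the resolver will do for one client query before giving up.

```python
"""Toy model of the per-query work counter a recursive resolver such as dnscache uses
to abandon runaway resolutions. Constructed approximation, not dnscache's code."""

class BudgetExceeded(Exception):
    pass

class Resolver:
    def __init__(self, zones, records, budget=100, ipv6=True):
        self.zones = zones        # zone apex -> list of nameserver hostnames
        self.records = records    # owner name -> (rtype, rdata)
        self.budget = budget      # 100 in stock djbdns, 500 with the attached patch
        self.families = ("A", "AAAA") if ipv6 else ("A",)
        self.known = {"."}        # zones whose servers we can contact (root hints)
        self.answers = {}         # (name, rtype) -> rdata, or None for "no such record"
        self.steps = 0

    def _step(self):
        self.steps += 1
        if self.steps > self.budget:
            raise BudgetExceeded(f"gave up after {self.budget} steps")

    def _cuts(self, name):
        # zone cuts between the root and name, shallowest first
        labels = name.rstrip(".").split(".")
        cands = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
        return ["."] + [z for z in cands if z in self.zones]

    def _reach(self, zone):
        # in-zone server names come with glue; out-of-zone names need A (and AAAA)
        # lookups, charged to the same counter as the client's query
        for ns in self.zones[zone]:
            if not ns.endswith("." + zone):
                for fam in self.families:
                    self._lookup(ns, fam)
        self.known.add(zone)

    def _lookup(self, name, rtype):
        while True:
            self._step()                          # every restart or redirect counts
            if (name, "CNAME") in self.answers:   # cached alias: follow it
                name = self.answers[(name, "CNAME")]
                continue
            if (name, rtype) in self.answers:
                return self.answers[(name, rtype)]
            cuts = self._cuts(name)
            start = max(i for i, z in enumerate(cuts) if z in self.known)
            for zone in cuts[start:]:             # referrals from the deepest known zone
                if zone not in self.known:
                    self._reach(zone)
                self._step()                      # one query to that zone's server
            rec = self.records.get(name)
            if rec and rec[0] == "CNAME":
                self.answers[(name, "CNAME")] = rec[1]
                name = rec[1]
                continue
            self.answers[(name, rtype)] = rec[1] if rec and rec[0] == rtype else None
            return self.answers[(name, rtype)]

    def resolve(self, name, rtype="A"):
        self.steps = 0                            # one client query, one counter
        return self._lookup(name, rtype), self.steps

CLIENT_NAME = "ocsp.example.org."   # constructed stand-in for the OCSP name in the report

def build_cdn_chain(hops, ns_per_zone):
    # constructed data: CLIENT_NAME aliases into CDN zone 1, which aliases into zone 2,
    # ...; each CDN zone is served from a separate provider zone, so nothing has glue
    tlds = ["com.", "net.", "org."]
    zones = {".": ["root."], **{t: [f"ns.{t}"] for t in tlds}}
    records = {}
    def add_zone(apex, provider):
        zones[provider] = [f"ns.{provider}"]      # in-zone name: glue, no lookup
        zones[apex] = [f"ns{i}.{provider}" for i in range(1, ns_per_zone + 1)]
        records.update((ns, ("A", "192.0.2.1")) for ns in zones[apex])
    add_zone("example.org.", "dnshost.net.")
    owner = CLIENT_NAME
    for h in range(1, hops + 1):
        apex = f"cdn{h}.{tlds[h % 3]}"
        add_zone(apex, f"cdn{h}-dns.{tlds[(h + 1) % 3]}")
        records[owner] = ("CNAME", f"edge.{apex}")
        owner = f"edge.{apex}"
    records[owner] = ("A", "198.51.100.10")
    return zones, records

def attempt(resolver, name):
    # ('ok', rdata, steps) or ('gave up', None, steps) for one client query
    try:
        return ("ok",) + resolver.resolve(name)
    except BudgetExceeded:
        return ("gave up", None, resolver.steps)

def demo():
    # cold cache at limit 100 vs 500, the warm retry, an IPv4-only build, a real loop
    zones, records = build_cdn_chain(hops=5, ns_per_zone=4)
    out = {"cold_100": attempt(Resolver(zones, records, budget=100), CLIENT_NAME)}
    r500 = Resolver(zones, records, budget=500)
    out["cold_500"] = attempt(r500, CLIENT_NAME)
    out["warm_500"] = attempt(r500, CLIENT_NAME)   # second query: everything cached
    out["cold_100_ipv4"] = attempt(Resolver(zones, records, 100, ipv6=False), CLIENT_NAME)
    loop = {".": ["root."], "test.": ["ns.test."], "loop.test.": ["ns.loop.test."]}
    a_b = {"a.loop.test.": ("CNAME", "b.loop.test."), "b.loop.test.": ("CNAME", "a.loop.test.")}
    out["loop_500"] = attempt(Resolver(loop, a_b, 500), "a.loop.test.")
    return out
```

In this model `demo()` gives the five-hop chain over four glueless nameservers per zone a cost of 123 steps from a cold cache (over 100, under 500), 6 steps once everything is cached, and 75 steps when AAAA lookups are skipped, while the two-name loop exhausts any limit; the point is that the counter cannot tell a deep but finite chain from a loop, only a cheap one from an expensive one.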