Bug 618 - Incorrect work ip-address with 0.0.0.0 and few ip in nsd.config
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: NSD Code
Version: 4.1.x
Hardware: x86_64 Linux
Importance: P5 normal
Assigned To: NSD team
Duplicates: 683
Reported: 2014-11-04 02:12 CET by Sergei Mamonov
Modified: 2015-07-16 10:57 CEST
Description Sergei Mamonov 2014-11-04 02:12:31 CET
We have the nsd 4.1.0 release, but this is relevant for 4.0.4 too.
If we do not set ip-address and use the default ("default are the wildcard interfaces 0.0.0.0 and ::0") and we have two IPs, like eth0 and eth0:1 or venet0:0 and venet0:1, nsd works correctly only on the main IP.

As an example - 
nsd-control status
version: 4.1.0
verbosity: 1
ratelimit: 2

ifconfig
....
venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.122.204  P-t-P:192.168.122.204  Bcast:192.168.122.204  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.122.224  P-t-P:192.168.122.224  Bcast:192.168.122.224  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

netstat -ntulp | grep 53
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      27468/nsd       
tcp6       0      0 :::53                   :::*                    LISTEN      27468/nsd       
udp        0      0 0.0.0.0:53              0.0.0.0:*                           27468/nsd       
udp6       0      0 :::53                   :::*                                27468/nsd    

From the local server with nsd all is good - 
root@debian-7:/# dig @192.168.122.204 testdkimdomain.org +short
78.47.76.4
root@debian-7:/# dig @192.168.122.224 testdkimdomain.org +short
78.47.76.4

But from outside, the main IP works well - 
dig @192.168.122.204 testdkimdomain.org +short
78.47.76.4
The second IP doesn't work correctly - 
 dig @192.168.122.224 testdkimdomain.org +short
;; reply from unexpected source: 192.168.122.204#53, expected 192.168.122.224#53
;; reply from unexpected source: 192.168.122.204#53, expected 192.168.122.224#53
;; reply from unexpected source: 192.168.122.204#53, expected 192.168.122.224#53

; <<>> DiG 9.9.5-4-Debian <<>> @192.168.122.224 testdkimdomain.org +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
sudo  nmap  -sU -p 53 192.168.122.224

Starting Nmap 6.46 ( http://nmap.org ) at 2014-11-04 04:09 MSK
Nmap scan report for 192.168.122.224
Host is up (0.070s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain
MAC Address: 52:54:00:F3:CE:01 (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds


Only if we set in the config
         ip-address: 192.168.122.204
         ip-address: 192.168.122.224
         ip-address: ::0
it works fine from outside with the second IP - 
dig @192.168.122.224 testdkimdomain.org +short
78.47.76.4
Comment 1 Wouter Wijngaards 2014-11-04 09:24:56 CET
Hi Sergei,

Your second configuration is the one you have to use.  You probably also have to list the IPv6 address specifically.

The first one instructs your OS to perform selection of the interface when sending packets, and it selects wrongly.  In some cases you can fix the OS selection by changing the route tables.

In your case, it seems you found the configuration that works.  For NSD (and also unbound) we do not consider this a bug, you have to list the IP-addresses specifically.  Was there something that we can improve?

Best regards,
   Wouter
Comment 2 Sergei Mamonov 2014-11-04 11:05:20 CET
But it is a bug =)
It has an option with a wildcard and it doesn't work.
In pdns.conf I have - 
local-address=0.0.0.0
and it works correctly with both IPs.
In nsd.conf if I set
ip-address: 0.0.0.0
And in the default nsd.conf it is written 
"
    # uncomment to specify specific interfaces to bind (default are the
    # wildcard interfaces 0.0.0.0 and ::0).
"
But it doesn't work correctly. It works in fact only with one IP.

Writing all IPs in "ip-address:" is not correct behavior of the system.
It is a not-nice hack to bypass the non-working wildcard, imho.
Comment 3 Wouter Wijngaards 2014-11-04 11:11:06 CET
Hi Sergei,

NSD can use something that makes this wildcard statement work for these cases.  If we want to fix this, it would take some code to do so (setting specific socket options that are not always portable).  That is somewhat of a larger code change, so I am not going to implement this straight away; this change is noted for future NSD releases.

Previously we told people to write down all IPs.  But the change to have this work automatically is certainly something we are considering to improve.

Best regards,
   Wouter
Comment 4 Dovid Bender 2015-07-12 18:04:16 CEST
*** Bug 683 has been marked as a duplicate of this bug. ***
Comment 5 Dovid Bender 2015-07-12 18:05:09 CEST
I had the same issue as well. I opened a bug report and then closed it once I saw this one. If this is how it needs to be set up, at the very least it should be documented as such. I also see this as a bug.
Comment 6 Wouter Wijngaards 2015-07-16 10:57:05 CEST
Hi Sergei, Dovid,

Documented this in the sample config and man page.  This closes the bug issue; the option to have socket options to identify the interface stays on the featurelist.

Hopefully the documentation prevents others from encountering this issue.

Thank you for reporting this, making the product useful in production environments is an important consideration for us.

Best regards, Wouter