Closed Bug 1635566 Opened 5 years ago Closed 5 years ago

logincdn.msauth.net fails to resolve if network.trr.mode=3

Categories

(Core :: Networking: DNS, defect, P2)

Product:
Core
Component:
Networking: DNS
Platform:
Unspecified
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla78
Tracking Flags:
Tracking Status
firefox78 --- fixed

People

(Reporter: kevin, Assigned: valentin)

References

(
URL
)

Details

(Whiteboard: [necko-triaged][trr])

Attachments

(4 files)

Network log during about:networking#dnslookuptool for logincdn.msauth.net
479.89 KB, text/plain
Details
Bug 1635566 - Create reusable code for running TRR tests in a separate node container r=#necko
47 bytes, text/x-phabricator-request
Details | Review
Bug 1635566 - TRR: lowercase cname after reading it from the packet r=#necko
47 bytes, text/x-phabricator-request
Details | Review
Bug 1635566 - TRR: Perform a case-insensitive match for the host name r=#necko
47 bytes, text/x-phabricator-request
Details | Review

Using Firefox 75.0 on Debian x64, Nightly 78.0a1 (2020-05-05) on Debian x64, and Nightly 78.0a1 (2020-05-05) on Windows 10.0.18363, with network.trr.mode=3 (with or without network.trr.bootstrapAddress=104.16.249.249) in about:config, attempting to visit any https://logincdn.msauth.net/ URL (used by Microsoft SSO) fails with "We can’t connect to the server at logincdn.msauth.net". On about:networking#dnslookuptool domain logincdn.msauth.net shows NS_ERROR_UNKNOWN_HOST.

curl --doh-url https://mozilla.cloudflare-dns.com/dns-query https://logincdn.msauth.net/ works. https://dohjs.org/ shows a response for A logincdn.msauth.net using https://mozilla.cloudflare-dns.com/dns-query with the following chain:

logincdn.msauth.net IN CNAME lgincdn.trafficmanager.net
lgincdn.trafficmanager.net IN CNAME lgincdnmsftuswe2.azureedge.net
lgincdnmsftuswe2.azureedge.net IN CNAME lgincdnmsftuswe2.afd.azureedge.net
lgincdnmsftuswe2.afd.azureedge.net IN CNAME afd.t-0001.t-msedge.net
afd.t-0001.t-msedge.net IN CNAME t-0001.t-msedge.net
t-0001.t-msedge.net IN CNAME Edge-Prod-WSTr3.ctrl.t-0001.t-msedge.net
Edge-Prod-WSTr3.ctrl.t-0001.t-msedge.net IN CNAME standard.t-0001.t-msedge.net
standard.t-0001.t-msedge.net IN A 13.107.246.10

From the log (attached) it appears that Firefox was only able to follow the response up to Edge-Prod-WSTr3.ctrl.t-0001.t-msedge.net before failing. (But I could be misreading it.)

Valentin, could you take a look?
Thanks.

Flags: needinfo?(valentin.gosu)

Hi,

Thanks for the report and the excellent logs.
It does seem to indicate a bug in Firefox; kinda.
So, when Firefox follows the CNAME chain, it requests the domain with capital letters, as encountered in the chain, but the response is lower-cased, so we ignore it because it doesn't match what we requested.

2020-05-05 20:32:46.694619 UTC - [Parent 1490133: TRR Background]: D/nsHostResolver TRR asked for Edge-Prod-WSTr3.ctrl.t-0001.t-msedge.net data but got edge-prod-wstr3.ctrl.t-0001.t-msedge.net

I guess we should normalize the domain at some point.

Assignee: nobody → valentin.gosu
Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(valentin.gosu)
Priority: -- → P2
Whiteboard: [necko-triaged][trr]

Thanks Valentin! Good catch. Very interesting.

For reference, the DoH response shown by dohjs has consistent capitalization, so it may be getting normalized to lower-case somewhere in the code.

I also took a peek at glibc to see what it's doing. Looks like all CNAME matching is done with strcasecmp (most via ns_samename): https://sourceware.org/git/?p=glibc.git;a=blob;f=resolv/ns_samedomain.c;h=5d1bf39fc7#l190

This is according to RFC 4343 : Domain Name System (DNS) Case Insensitivity Clarification

Depends on D75079

Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/832dfd3bf2dd Create reusable code for running TRR tests in a separate node container r=necko-reviewers,dragana https://hg.mozilla.org/integration/autoland/rev/d9b4727f85cf TRR: lowercase cname after reading it from the packet r=necko-reviewers,dragana https://hg.mozilla.org/integration/autoland/rev/873f7e079fd8 TRR: Perform a case-insensitive match for the host name r=necko-reviewers,dragana
Regressions: 1638071
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/24e4d55fdbb8 Create reusable code for running TRR tests in a separate node container r=necko-reviewers,dragana https://hg.mozilla.org/integration/autoland/rev/c04bd90516d5 TRR: lowercase cname after reading it from the packet r=necko-reviewers,dragana https://hg.mozilla.org/integration/autoland/rev/84dceb22a31d TRR: Perform a case-insensitive match for the host name r=necko-reviewers,dragana
Flags: needinfo?(valentin.gosu)

I can confirm that the issue appears to be fixed on the latest nightly (78.0a1 2020-05-27). Thank you!
Is the fix likely to be applied to 77 or 68ESR?
If it makes a difference for prioritization, there are other affected microsoft.com subdomains (e.g. https://dotnet.microsoft.com/platform/support/policy).

(In reply to Kevin Locke from comment #11)

I can confirm that the issue appears to be fixed on the latest nightly (78.0a1 2020-05-27). Thank you!
Is the fix likely to be applied to 77 or 68ESR?
If it makes a difference for prioritization, there are other affected microsoft.com subdomains (e.g. https://dotnet.microsoft.com/platform/support/policy).

Most likely not going to be uplifted.
ESR68 has other issues.
77 will hit release in one week, so there's not enough time for testing if we do uplift.

(In reply to Valentin Gosu [:valentin] (he/him) from comment #12)

Most likely not going to be uplifted.

Oh well. Thanks for the info. (And the fix!) I'll look forward to it in 78.

Regressions: 1640724
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: