samba dns - blob length too large
Bob Miller
bob at computerisms.ca
Fri Feb 1 11:55:25 MST 2013
Kai,
I don't normally send in html, but it makes it much easier to read
output from tcpdump.
On Fri, 2013-02-01 at 09:53 +0100, Kai Blin wrote:
> On 2013-01-31 20:01, Bob Miller wrote:
>
> Hi Bob,
>
> > Not authoritative for 'remotedomain.yk.ca', forwarding
> > 2013-01-31 09:37:11.168990500 ndr_push_error(6): Invalid...Unexpected
> > blob length is too large
> > 2013-01-31 09:37:11.169000500 Failed to push packet: Length Error!
>
> Can you reliably reproduce this? If so, can you get me a network trace
> of this?
>
> Cheers,
> Kai
>
The problem can be reliably produced with the command 'dig -t any' being
run against any number of domains, including samba.org.
I have not figured out exactly what the common denominator is; I thought
it was long records, such as DNSKEY and RRSIG, but the more I test, the
less sure of that I am. For example, I can run 'dig -t any samba.org'
and it fails, but 'dig -t mx samba.org' works; 'dig -t any isc.org'
fails, and 'dig -t mx isc.org' seems to work most of the time, but I got
a server fail from that command once this morning. 'dig -t rrsig
isc.org' fails every time, though, so the long records certainly aren't
helping.
In my case I have one domain that is a show stopper if I can't retrieve
ANY record from it. I presume this problem won't happen if I convert to
bind, which I will have to do this weekend if there is no current
solution using internal dns. It is probably too much to hope I can
change a number in a file somewhere, recompile, and have a working
system...
Since isc.org is easy to type, I have used their name to produce the
following result (primelian/192.168.120.50 is the DC,
doorlian/192.168.120.1 is the bind server):
root@primelian:/# dig -t any isc.org @127.0.0.1
; <<>> DiG 9.8.1-P1 <<>> -t any isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15819
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;isc.org. IN ANY
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Feb 1 09:52:48 2013
;; MSG SIZE rcvd: 25
Conversely, when I run the same query against the bind server:
root@primelian:/# dig -t any isc.org @192.168.120.1
; <<>> DiG 9.8.1-P1 <<>> -t any isc.org @192.168.120.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45342
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 0
;; QUESTION SECTION:
;isc.org. IN ANY
;; ANSWER SECTION:
isc.org. 20206 IN RRSIG DS 7 2 86400 20130215155910 20130125145910
41790 org. QBBoj5ff3qG+6tpL7BP6qprQqs8wGD8+yUX4YiZpWWQf0sL9w5njSrOn
T4y6CTP+DU9pIdjZqJesSHkTUHIV0atK8p2JGuW0Q5H5qhtVNYWWOCM2 At
+2qUTYu/+9YWFIIWq8v0pB2alNpHm4MN48I+gL2H5EOo2mRFN1DUhA MBs=
isc.org. 20206 IN DS 12892 5 2
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org. 20206 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
;; AUTHORITY SECTION:
org. 81636 IN NS a0.org.afilias-nst.info.
org. 81636 IN NS b2.org.afilias-nst.org.
org. 81636 IN NS c0.org.afilias-nst.info.
org. 81636 IN NS a2.org.afilias-nst.info.
org. 81636 IN NS d0.org.afilias-nst.org.
org. 81636 IN NS b0.org.afilias-nst.org.
;; Query time: 28 msec
;; SERVER: 192.168.120.1#53(192.168.120.1)
;; WHEN: Fri Feb 1 10:05:41 2013
;; MSG SIZE rcvd: 410
A simple network dump from the samba side:
root@primelian:/# tcpdump -n -i eth0 host 192.168.120.1 and port 53
10:07:37.418678 IP 192.168.120.50.43798 > 192.168.120.1.53: 34282+ ANY? isc.org. (25)
10:07:37.419641 IP 192.168.120.1.53 > 192.168.120.50.43798: 34282 3/6/0 RRSIG, DS, DS (410)
And a simple network dump from the bind side of the same query:
root@doorlian:/var/log# tcpdump -n -i eth1 port 53 and host 192.168.120.50
10:10:11.463880 IP 192.168.120.50.35005 > 192.168.120.1.53: 6551+ ANY? isc.org. (25)
10:10:11.464283 IP 192.168.120.1.53 > 192.168.120.50.35005: 6551 3/6/0 RRSIG, DS, DS (410)
Here is a samba side dump in greater detail:
root@primelian:/# tcpdump -v -n -i eth0 host 192.168.120.1 and port 53 -A -s1500
09:56:46.309359 IP (tos 0x0, ttl 64, id 37708, offset 0, flags [DF], proto UDP (17), length 53)
192.168.120.50.35800 > 192.168.120.1.53: 26030+ ANY? isc.org. (25)
E..5.L at .@.5...x2..x....5.!q.e............isc.org.....
09:56:46.309916 IP (tos 0x0, ttl 64, id 63516, offset 0, flags [none], proto UDP (17), length 438)
192.168.120.1.53 > 192.168.120.50.35800: 26030 3/6/0 isc.org. RRSIG, isc.org. DS, isc.org. DS (410)
H at 0....+....Q...2\...!...Lj..j.."7...?.Y...+....Q..$2
\.............#..;..s..-_...wXm.....7...... at ....c0.org.afilias-nst.info..7......@....d0.org.afilias-nst.7.7...... at ....b2.D.7......@....a0...7...... at ....a2...7......@....b0.D
Here is the detailed dump from the bind server side:
root@doorlian:/var/log# tcpdump -v -n -i eth1 port 53 and host 192.168.120.50 -A -s1500
10:03:48.097665 IP (tos 0x0, ttl 64, id 12083, offset 0, flags [DF], proto UDP (17), length 53)
192.168.120.50.57859 > 192.168.120.1.53: 43303+ ANY? isc.org. (25)
E..5/3 at .@.....x2..x....5.!.".'...........isc.org.....
10:03:48.098119 IP (tos 0x0, ttl 64, id 64541, offset 0, flags [none], proto UDP (17), length 438)
192.168.120.1.53 > 192.168.120.50.57859: 43303 3/6/0 isc.org. RRSIG, isc.org. DS, isc.org. DS (410)
H at 0....+....O_..2\...!...Lj..j.."7...?.Y...+....O_.$2
\.............#..;..s..-_...wXm.....7......?U...d0.org.afilias-nst.7.7......?U...a0.org.afilias-nst.info..7......?U...b2...7......?U...c0. at .7......?U...a2. at .7......?U...b0..
If there is anything else I can provide or any assistance I can offer,
please let me know, I am eager to provide it...
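
Added example, not part of the original message and not Samba code: a small Python parser that lists each record's type and RDLENGTH in a DNS response, one way to check whether failures like the ones above track large RDATA such as RRSIG. The sample message is constructed, with filler RDATA whose sizes are assumptions modelled on the RRSIG/DS/DS answer shown above; rr_sizes, skip_name and build_sample are hypothetical names.

```python
import struct

TYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 43: "DS", 46: "RRSIG", 48: "DNSKEY"}

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:                # root label terminates the name
            return off + 1
        off += 1 + length

def rr_sizes(msg):
    """List (section, type, rdlength) for every RR in a DNS message."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    out = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10                  # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
            if off + rdlen > len(msg):
                raise ValueError("RDLENGTH runs past end of message (truncated?)")
            out.append((section, TYPE_NAMES.get(rtype, "TYPE%d" % rtype), rdlen))
            off += rdlen
    return out

def build_sample():
    """Constructed response: ANY isc.org -> RRSIG, DS, DS with filler RDATA."""
    qname = b"\x03isc\x03org\x00"
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, 3, 0, 0)
    msg += qname + struct.pack("!HH", 255, 1)          # QTYPE=ANY, QCLASS=IN
    for rtype, rdlen in ((46, 151), (43, 36), (43, 24)):  # assumed sizes
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 20206, rdlen)
        msg += b"\x00" * rdlen                         # filler, not real RDATA
    return msg

if __name__ == "__main__":
    for section, name, rdlen in sorted(rr_sizes(build_sample()), key=lambda r: -r[2]):
        print("%-10s %-6s rdlength=%d" % (section, name, rdlen))
```

To use it on real traffic, pass rr_sizes() the UDP payload of a captured response (for example from a pcap written with tcpdump -w) instead of build_sample().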