Segfault on specific domains with DNSSEC validation

[smeinecke]

I've tested it multiple times with multiple versions of the getdns library and the getdns-node module and node (v6, v8 and v9) and it seems as if I send a request with enabled DNSSEC validation for specific domains I get the following segmentation fault and the whole node process dies.

My local resolver is unbound 1.6.7

const getdns = require('getdns');
var ctx = getdns.createContext({
        // Upstream recursive servers.
        upstreams : [ '127.0.0.1', ],
        // Request timeout time in milliseconds.
        timeout : 5000,
        // Always return DNSSEC status.
        return_dnssec_status : true
    });

var extensions = {
    // NOTE: enforce DNSSEC security validation and return only secure replies.
    dnssec_return_only_secure: true,
};

var domains = [ 'nic.menu', 'nic.uno', 'nic.onl', 'nic.buzz', 'nic.pink', 'nic.build', 'nic.rich', 'nic.red', 'nic.luxury', 'nic.shiksha', 'nic.kim' ],
    i = 0;
ctx.general(domains[i], getdns.RRTYPE_SOA, extensions);

node: ../deps/uv/src/unix/poll.c:120: uv_poll_start: Assertion `!(((handle)->flags & (UV_CLOSING | UV_CLOSED)) != 0)' failed.

with enabled segfault-handler:

PID 3770 received SIGSEGV for address: 0x7f2342e3ed88
/home/daemons/node_modules/segfault-handler/build/Release/segfault-handler.node(+0x1aaa)[0x7f213c651aaa]
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf890)[0x7f2140538890]
node[0x1340739]
node(uv_poll_start+0x6f)[0x13379ff]
/home/daemons/getdns/build/Release/getdns.node(+0xadea)[0x7f213df72dea]
/usr/lib/x86_64-linux-gnu/libgetdns.so.6(+0x2e4d9)[0x7f213dd234d9]
/usr/lib/x86_64-linux-gnu/libgetdns.so.6(+0x3918c)[0x7f213dd2e18c]
/usr/lib/x86_64-linux-gnu/libgetdns.so.6(+0x212ec)[0x7f213dd162ec]
/usr/lib/x86_64-linux-gnu/libgetdns.so.6(+0x21aa1)[0x7f213dd16aa1]
/usr/lib/x86_64-linux-gnu/libgetdns.so.6(+0x20b89)[0x7f213dd15b89]
/usr/lib/x86_64-linux-gnu/libgetdns.so.6(+0x20d60)[0x7f213dd15d60]
/usr/lib/x86_64-linux-gnu/libgetdns.so.6(+0x2205a)[0x7f213dd1705a]
/usr/lib/x86_64-linux-gnu/libgetdns.so.6(+0x2ff45)[0x7f213dd24f45]
/home/daemons/getdns/build/Release/getdns.node(+0xaf50)[0x7f213df72f50]
node[0x1340c08]
node(uv_run+0x156)[0x132f6d6]
node(_ZN4node5StartEiPPc+0x580)[0x10abcf0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f214019fb45]
node[0x7ba78d]

Any idea?

[smeinecke]

Oh, btw. the getdns commandline tool works fine:

# getdns_query +dnssec_return_status -a nic.menu SOA
{
  "answer_type": GETDNS_NAMETYPE_DNS,
  "canonical_name": <bindata for nic.menu.>,
  "replies_full":
  [
     <bindata of 0x000081a00001000200000001036e6963...>
  ],
  "replies_tree":
  [
    {
      "additional":
      [
        {
          "do": 1,
          "extended_rcode": 0,
          "rdata":
          {
            "rdata_raw": <bindata of 0x>
          },
          "type": GETDNS_RRTYPE_OPT,
          "udp_payload_size": 65535,
          "version": 0,
          "z": 0
        }
      ],
      "answer":
      [
        {
          "class": GETDNS_RRCLASS_IN,
          "name": <bindata for nic.menu.>,
          "rdata":
          {
            "expire": 1814400,
            "minimum": 1800,
            "mname": <bindata for a.nic.menu.>,
            "rdata_raw": <bindata of 0x0161c00c07737570706f72740b617269...>,
            "refresh": 1800,
            "retry": 300,
            "rname": <bindata for support.ariservices.com.>,
            "serial": 1518897626
          },
          "ttl": 900,
          "type": GETDNS_RRTYPE_SOA
        },
        {
          "class": GETDNS_RRCLASS_IN,
          "name": <bindata for nic.menu.>,
          "rdata":
          {
            "algorithm": 8,
            "key_tag": 64353,
            "labels": 2,
            "original_ttl": 900,
            "rdata_raw": <bindata of 0x00060802000003845ad7b9805ab01e70...>,
            "signature": <bindata of 0x463819766cb4943f4a665411caf8601b...>,
            "signature_expiration": 1524087168,
            "signature_inception": 1521491568,
            "signers_name": <bindata for nic.menu.>,
            "type_covered": GETDNS_RRTYPE_SOA
          },
          "ttl": 900,
          "type": GETDNS_RRTYPE_RRSIG
        }
      ],
      "answer_type": GETDNS_NAMETYPE_DNS,
      "authority": [],
      "canonical_name": <bindata for nic.menu.>,
      "dnssec_status": GETDNS_DNSSEC_SECURE,
      "header":
      {
        "aa": 0,
        "ad": 1,
        "ancount": 2,
        "arcount": 1,
        "cd": 0,
        "id": 0,
        "nscount": 0,
        "opcode": GETDNS_OPCODE_QUERY,
        "qdcount": 1,
        "qr": 1,
        "ra": 1,
        "rcode": GETDNS_RCODE_NOERROR,
        "rd": 1,
        "tc": 0,
        "z": 0
      },
      "question":
      {
        "qclass": GETDNS_RRCLASS_IN,
        "qname": <bindata for nic.menu.>,
        "qtype": GETDNS_RRTYPE_SOA
      }
    }
  ],
  "status": GETDNS_RESPSTATUS_GOOD
}

[smeinecke]

Does anyone have the same problem and could confirm this issue?

[joelpurra]

@smeinecke: thanks for the report and test code! I can confirm the problem, but see below for configuration details.

• Which version of getdns do you have installed on your machine?
• Do you see the same problem (if possible to test) in unbound v1.7.0?

I sometimes get segfaults from unbound, but haven't had enough time to dig deep enough. @wcawijngaards tried to explain what I was looking at in the weekly getdns developer's hangouts meeting once (or twice) but it's not a level of programming I'm fast/comfortable debugging.

My setup:

• macOS 10.13.3 High Sierra.
• getdns v1.4.1 installed using the getdns homebrew formula.
• Tested with both unbound v1.6.7 and v1.7.0, both installed/switched using the unbound homebrew formula.
• Node.js v9.11.1 installed using n.

Recursive mode

Note that you are running in default recursive mode, as resolution_type: getdns.RESOLUTION_STUB was not set in the context; your upstreams should be ignored. (See also getdns_query below.)

// NOTE: need a callback to run test code.
const loggingCallback = (...args) => { console.log(...args); };

// NOTE: added callback to single test lookup.
ctx.general(domains[i], getdns.RRTYPE_SOA, extensions, loggingCallback);

// NOTE: looping over all example domains also works.
domains.forEach((domain) => ctx.general(domain, getdns.RRTYPE_SOA, extensions, loggingCallback));

Your test code seems to work for me in recursive mode, after adding a simple lookup result callback.

• Did you test locally in recursive or stub mode?
• Was the result the same, or different?

Note that the results should contain status GETDNS_RESPSTATUS_GOOD (900) and per-answer dnssec_status GETDNS_DNSSEC_SECURE (400).

Stub mode

{
// NOTE: added option for stub resolver context, deferring lookups to the upstream recursive servers.
resolution_type: getdns.RESOLUTION_STUB,
upstreams: ...
}

The test code segfaults in stub mode. Testing with other domains (joelpurra.se, getdnsapi.net) surprisingly works well.

• What is different about your provided test domains?
  • Something in the DNS reply in general?
  • Something with DNSSEC?

getdns_query

Note that you are running getdns_query in recursive mode as well. Try this:

# NOTE: use local dns server in stub mode.
getdns_query @127.0.0.1 +dnssec_return_status -s -a nic.menu SOA

unbound

Even if getdns_query works, can you confirm that your local unbound resolver is correctly set up to handle DNSSEC lookups? I've forgotten to do that before.

# NOTE: check that "flags" include "ad".
dig @127.0.0.1 com. SOA +adflag

[NodePing]

Just getting started with getdns and I'm seeing the same thing. Only with DNSSEC enabled queries and only about 1/4 of the time do they segfault. I'm doing a query for A records.

I'm using remote resolvers (authoritative ones). I've tried several different ones and it doesn't seem to make a difference what the resolvers are.

When it segfaults the runtime is about 1/10 of a regular query (22ms vs 250ms) so I think it's dorking out before a response is received.

I hope that helps and you're able to track down the issue.