On Sun, Jun 23, 2024 at 01:56:41AM +0100, Kirill A. Korinsky wrote:

> Greetings,
> 
> I just realized that I forgot to add maintainer.
> 
> So, I fix it.
> 
> BTW the patch was accepted to freenginx:
> https://freenginx.org/hg/nginx/rev/ea0eef2dd12c
> 
> ports@
> 
> Here is a trivial patch which improves compatibility with unwind.
> 
> I'm using the following unwind.config:
> 
>     preference { recursor oDoT-autoconf }
> 
>     forwarder { 172.31.2.1 }
> 
>     force accept bogus forwarder {
>       some.internal.domain
>     }
> 
> where 172.31.2.1 is Unifi GW and nginx is configured as:
> 
>     server {
>         listen                              127.0.0.1:80;
> 
>         resolver                            127.0.0.1;
> 
>         set $nas_uri                        "http://nas.some.internal.domain";
> 
>         location / {
>                 proxy_pass                  $nas_uri;
>         }
>     }
> 
> it can't be used due to errors in the log:
> 
>     2024/06/15 11:53:55 [error] 30452#0: invalid UDP DNS response 49184 fl:81A0
>     2024/06/15 11:54:00 [error] 30452#0: invalid UDP DNS response 30883 fl:81A0
>     2024/06/15 11:54:00 [error] 30452#0: invalid UDP DNS response 49184 fl:81A0
>     2024/06/15 11:54:05 [error] 30452#0: invalid UDP DNS response 30883 fl:81A0
> 
> because nginx rejects responses with the AD bit enabled.

It is possible to argue that it is correct in doing so, *if* it
didn't set the AD flag in the request.

See https://www.rfc-editor.org/rfc/rfc6840#section-5.8

So a question is: what did the request look like?

I must say that the RFC using SHOULD here does not help a lot. 

        -Otto

> 
> So, here is the diff to include a patch that allows it. This patch was sent to
> both nginx and freenginx upstreams.
> 
> diff --git www/nginx/Makefile www/nginx/Makefile
> index e0ed50751ed..2051bc152b3 100644
> --- www/nginx/Makefile
> +++ www/nginx/Makefile
> @@ -21,7 +21,7 @@ COMMENT-securelink= nginx HMAC secure link module
>  VERSION=     1.26.1
>  DISTNAME=    nginx-${VERSION}
>  CATEGORIES=  www
> -REVISION-main=       0
> +REVISION-main=       1
>  
>  VERSION-njs= 0.8.2
>  VERSION-rtmp=        1.2.1
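Review bot: the REVISION-main bump from 0 to 1 is the right one for this change, since the new patch touches src/core/ngx_resolver.c, which is part of the main nginx build; the njs and rtmp versions in the surrounding context are untouched, so no other subpackage revision needs bumping.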
> diff --git www/nginx/patches/patch-src_core_ngx_resolver_c 
> www/nginx/patches/patch-src_core_ngx_resolver_c
> new file mode 100644
> index 00000000000..b07cea4cc97
> --- /dev/null
> +++ www/nginx/patches/patch-src_core_ngx_resolver_c
> @@ -0,0 +1,12 @@
> +Index: src/core/ngx_resolver.c
> +--- src/core/ngx_resolver.c.orig
> ++++ src/core/ngx_resolver.c
> +@@ -1774,7 +1774,7 @@ ngx_resolver_process_response(ngx_resolver_t *r, u_cha
> +                    (response->nar_hi << 8) + response->nar_lo);
> + 
> +     /* response to a standard query */
> +-    if ((flags & 0xf870) != 0x8000 || (trunc && tcp)) {
> ++    if ((flags & 0xf850) != 0x8000 || (trunc && tcp)) {
> +         ngx_log_error(r->log_level, r->log, 0,
> +                       "invalid %s DNS response %ui fl:%04Xi",
> +                       tcp ? "TCP" : "UDP", ident, flags);
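Review bot: the new patch file starts directly at the Index: line with no comment explaining what it changes or why; OpenBSD port patches should carry a short description above the Index: header, for instance "accept DNS responses with the AD bit set, as in freenginx rev ea0eef2dd12c". On the change itself, going from 0xf870 to 0xf850 drops exactly bit 5 (AD) from the mask, so the test still requires QR=1, opcode 0, Z=0 and CD=0; the logged fl:81A0 (QR, RD, RA, AD) now satisfies `(flags & 0xf850) == 0x8000`, while a response with CD set is still rejected, which matches the intent described in the mail.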
> 
> 
> -- 
> wbr, Kirill
> 
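To make the flag arithmetic behind the log lines and the mask change concrete, here is an added example (my own code, not part of this mail or of nginx) that decodes the `fl:` value from an nginx resolver log line, names the DNS header bits that are set, and applies the "response to a standard query" test with the mask before and after the patch. The sample log line is the first one quoted above; the helper names and the 64-byte description buffer are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* DNS header flag word layout (RFC 1035 4.1.1; AD/CD from RFC 4035) */
#define DNS_QR     0x8000u  /* query/response */
#define DNS_OPCODE 0x7800u  /* 4-bit opcode, 0 = standard query */
#define DNS_AA     0x0400u  /* authoritative answer */
#define DNS_TC     0x0200u  /* truncated */
#define DNS_RD     0x0100u  /* recursion desired */
#define DNS_RA     0x0080u  /* recursion available */
#define DNS_Z      0x0040u  /* reserved, must be zero */
#define DNS_AD     0x0020u  /* authentic data (DNSSEC validated) */
#define DNS_CD     0x0010u  /* checking disabled */
#define DNS_RCODE  0x000fu  /* response code */

/* The two masks from the ngx_resolver.c hunk: before and after the patch */
#define NGX_MASK_BEFORE 0xf870u
#define NGX_MASK_AFTER  0xf850u

/* Sample input: the first error line quoted in the mail (constructed copy) */
const char *const SAMPLE_LOG_LINE =
    "2024/06/15 11:53:55 [error] 30452#0: invalid UDP DNS response 49184 fl:81A0";

/* nginx's "response to a standard query" test, minus the truncation clause:
 * every bit covered by mask must be clear except QR, which must be set. */
int ngx_std_response_ok(uint16_t flags, uint16_t mask)
{
    return (flags & mask) == DNS_QR;
}

/* Which header bits a mask forces to zero (everything it covers except QR). */
uint16_t mask_zero_bits(uint16_t mask)
{
    return (uint16_t)(mask & ~DNS_QR);
}

/* Pull the hex flag word out of an nginx "fl:XXXX" log line; -1 if absent. */
long parse_fl_from_log(const char *line)
{
    const char *p = strstr(line, "fl:");
    if (p == NULL)
        return -1;
    char *end;
    unsigned long v = strtoul(p + 3, &end, 16);
    if (end == p + 3 || v > 0xffffu)
        return -1;
    return (long)v;
}

/* Render the set flag bits as names, e.g. "QR RD RA AD opcode=0 rcode=0".
 * outlen of 64 bytes is enough for every possible flag word. */
void dns_flags_describe(uint16_t flags, char *out, size_t outlen)
{
    static const struct { uint16_t bit; const char *name; } names[] = {
        { DNS_QR, "QR" }, { DNS_AA, "AA" }, { DNS_TC, "TC" }, { DNS_RD, "RD" },
        { DNS_RA, "RA" }, { DNS_Z,  "Z"  }, { DNS_AD, "AD" }, { DNS_CD, "CD" },
    };
    size_t n = 0;
    if (outlen == 0)
        return;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(flags & names[i].bit))
            continue;
        int w = snprintf(out + n, outlen - n, "%s ", names[i].name);
        if (w < 0 || (size_t)w >= outlen - n)
            return;  /* buffer too small; keep what fits */
        n += (size_t)w;
    }
    snprintf(out + n, outlen - n, "opcode=%u rcode=%u",
             (unsigned)((flags & DNS_OPCODE) >> 11), (unsigned)(flags & DNS_RCODE));
}

int main(void)
{
    char desc[64];
    long fl = parse_fl_from_log(SAMPLE_LOG_LINE);
    if (fl < 0) {
        fputs("no fl: field in log line\n", stderr);
        return 1;
    }
    dns_flags_describe((uint16_t)fl, desc, sizeof desc);
    printf("fl:%04lX = %s\n", fl, desc);
    printf("before patch (mask 0x%04X): %s\n", NGX_MASK_BEFORE,
           ngx_std_response_ok((uint16_t)fl, NGX_MASK_BEFORE) ? "accepted" : "rejected");
    printf("after patch  (mask 0x%04X): %s\n", NGX_MASK_AFTER,
           ngx_std_response_ok((uint16_t)fl, NGX_MASK_AFTER) ? "accepted" : "rejected");
    return 0;
}
```

Running it shows that 0x81A0 is QR+RD+RA+AD with opcode 0 and rcode 0, rejected by the old mask and accepted by the new one; a word with CD set (0x81B0) or with QR clear is still rejected after the patch, so the only behaviour change is tolerating a validating forwarder that marks answers as authentic.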
