Broken subdomain resolution (eg. sub.domain.local) #64

Closed
Jack12816 opened this issue Sep 3, 2018 · 4 comments

Comments

@Jack12816

Hey there! First things first: thanks for maintaining the nss-mdns extension!

I found a regression between 0.10 and 0.14.1 regarding the subdomain resolution.
Unfortunately, I was affected by an Arch Linux package upgrade which directly upgraded
0.10-7 to 0.14.1-1 (x86_64), so I cannot bisect the initial broken version right now.

The issue happens only on subdomains, not regular domains (test.local resolves properly,
while sub.test.local does not). Here comes a little demo session:

```
$ pacman -Q nss-mdns
nss-mdns 0.10-7

$ avahi-resolve -n sub.test.local
sub.test.local	172.17.0.14

$ ping -c1 sub.test.local
PING sub.test.local (172.17.0.14) 56(84) bytes of data.
64 bytes from 172.17.0.14 (172.17.0.14): icmp_seq=1 ttl=64 time=0.044 ms
```

And with 0.14.1:

```
$ pacman -Q nss-mdns
nss-mdns 0.14.1-1

$ avahi-resolve -n sub.test.local
sub.test.local	172.17.0.14

$ ping -c1 sub.test.local
PING jabber.subsub.local.workstation.lan (10.0.0.140) 56(84) bytes of data.
64 bytes from workstation.localdomain (10.0.0.140): icmp_seq=1 ttl=64 time=0.022 ms
```

avahi-resolve is working properly; ping, going through NSS with nss-mdns, is not.
The latter IP (10.0.0.140) is my host IP.

My /etc/nsswitch.conf looks like this:

```
hosts: files mymachines mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns myhostname
```

Which is working fine with the 0.10 version. I also tried to use the mdns4 module
instead of the mdns4_minimal one, without effect.

A regular avahi config for a subdomain in use looks like this (/etc/avahi/avahi-daemon.conf):

```
[server]
host-name=sub
domain-name=test.local
#browse-domains=0pointer.de, zeroconf.org
use-ipv4=yes
use-ipv6=yes
#allow-interfaces=eth0
#deny-interfaces=eth1
#check-response-ttl=no
#use-iff-running=no
#enable-dbus=yes
#disallow-other-stacks=no
#allow-point-to-point=no
#cache-entries-max=4096
#clients-max=4096
#objects-per-client-max=1024
#entries-per-entry-group-max=32
ratelimit-interval-usec=1000000
ratelimit-burst=1000

[wide-area]
enable-wide-area=yes

[publish]
#disable-publishing=no
#disable-user-service-publishing=no
#add-service-cookie=no
#publish-addresses=yes
publish-hinfo=no
publish-workstation=no
#publish-domain=yes
#publish-dns-servers=192.168.50.1, 192.168.50.2
#publish-resolv-conf-dns-servers=yes
#publish-aaaa-on-ipv4=yes
#publish-a-on-ipv6=no

[reflector]
#enable-reflector=no
#reflect-ipv=no

[rlimits]
#rlimit-as=
#rlimit-core=0
#rlimit-data=8388608
#rlimit-fsize=0
#rlimit-nofile=768
#rlimit-stack=8388608
#rlimit-nproc=
```

@agoode
Collaborator

agoode commented Sep 3, 2018

Hi! Thanks for your detailed report.

This is a known change in nss-mdns. You will need to use the non-minimal version of the code and also configure /etc/mdns.allow.

See https://github.com/lathiat/nss-mdns/blob/master/README.md#etcmdnsallow for more information.

If this does not work for you, or if this is not flexible enough for your needs, please reopen the issue.

@agoode agoode closed this as completed Sep 3, 2018
@Jack12816
Author

I can confirm the "workaround" is doing fine. So configuring /etc/mdns.allow and
using the mdns4 nss extension makes it work again. But that's quite bad for
two reasons:

  1. That broke the world for some serious setups after 11 years (two and more labels per local domain are supported by Avahi out-of-the-box, so nss-mdns as a supplementary product is not working anymore oob with some advanced Avahi setups)
  2. We are forced to reconfigure nss-mdns and use the non-minimal extension which is said to cause lookup timing issues to make use of the reconfiguration (so we are doomed with issues to use a long available feature from now on)

Apple published the article this year (May 17, 2018) with the standard heuristics, so I would argue that the old (expected) behaviour takes precedence over the new one. Not for the unicast SOA heuristic, but for the two-label limit heuristic.

As a compromise we could disable the two-label limit heuristic on the mdns4_minimal nss extension which is generally in use as far as I know, and enable it on the mdns4 extension. Then no user is forced to configure nss-mdns to make it work in combination with oob Avahi. Users who reconfigured Avahi/nss-mdns for a different top level domain had to use the mdns4 extension in combination with the /etc/mdns.allow file definitely.

I would like to restore the original behaviour at this point somehow.

@agoode agoode reopened this Sep 3, 2018
@agoode
Collaborator

agoode commented Sep 4, 2018

We can implement the reverse lookup limiting functionality in non-MINIMAL configurations, to fix the comment in issue #46.

The two-label limit heuristic was implemented in Mac OS X v10.5, released 2007-10-26, 10 years ago.
The unicast SOA heuristic was implemented in Mac OS X v10.6, released 2009-08-28, 8 years ago.

As far as I know, these heuristics were documented around the time of release, and certainly before 2018. The oldest version of the URL saved at archive.org is from 2014.

Probably the thing to do is to create a new config file that both MINIMAL and non-MINIMAL read identically and would let us precisely specify the configuration in all cases. The old /etc/mdns.allow could remain for compatibility for non-MINIMAL if the new file isn't present.

@agoode
Collaborator

agoode commented Sep 4, 2018

I think #65 would address this issue.

@agoode agoode closed this as completed Sep 4, 2018
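
A small Python model of the behaviour reported in this thread, added here as an example and not taken from nss-mdns: it predicts whether an `mdns*` entry in a `hosts:` line would take a name under the two-label limit, and when `/etc/mdns.allow` changes that. The function names and the allow-file matching rule (one suffix per line, `*` for everything) are assumptions; a `None` result means the lookup falls through to the modules that follow in the `hosts:` line.

```python
# Added illustration: models the behaviour reported in this thread.
# It is not nss-mdns source code; the allow-file matching rule is an assumption.

def _labels(name):
    return [p for p in name.lower().rstrip(".").split(".") if p]

def two_label_ok(name):
    """Two-label limit as reported here: test.local passes, sub.test.local does not."""
    parts = _labels(name)
    return parts[-1:] == ["local"] and len(parts) <= 2

def parse_allow(text):
    """One suffix per line; blank lines and '#' comments ignored (assumed format)."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out

def allow_matches(name, suffixes):
    """Assumed rule: '*' matches anything, otherwise a whole-label suffix match."""
    dotted = "." + ".".join(_labels(name))
    return any(s == "*" or dotted.endswith("." + s.strip(".").lower()) for s in suffixes)

def first_mdns_answer(name, hosts_line, allow_text=None):
    """Name of the first mdns* module in hosts_line that would take `name`, else None.

    allow_text is the content of /etc/mdns.allow, or None when the file is absent.
    """
    modules = [t for t in hosts_line.split(":", 1)[1].split() if not t.startswith("[")]
    for mod in modules:
        if not mod.startswith("mdns"):
            continue
        if mod.endswith("_minimal") or allow_text is None:
            # minimal module, or no allow file: the two-label limit applies
            if two_label_ok(name):
                return mod
        elif allow_matches(name, parse_allow(allow_text)):
            return mod
    return None

# hosts line from the report, and the same line with mdns4 swapped in (constructed)
HOSTS_MINIMAL = "hosts: files mymachines mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns myhostname"
HOSTS_FULL = HOSTS_MINIMAL.replace("mdns4_minimal", "mdns4")
ALLOW = ".local.\n.local\n"  # constructed sample /etc/mdns.allow content
```
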
mbologna added a commit to uyuni-project/sumaform that referenced this issue Sep 15, 2020
I was having resolution problems with Avahi on an openSUSE 15.2 host trying to
resolve a sumaform'ed Uyuni server:

```
opensuse # avahi-resolve -n uyuni.tf.local
uyuni.tf.local 192.168.122.154
ping: uyuni.tf.local: Name or service not known
PING 192.168.122.154 (192.168.122.154) 56(84) bytes of data.
64 bytes from 192.168.122.154: icmp_seq=1 ttl=64 time=0.245 ms
```

The problem disappears when I change Avahi configuration in the Uyuni
host to use the first-level domain `local` (instead of `tf.local`).

Turns out that in the newest version of `nss-mdns` (shipping with
OpenSUSE 15.2), second-level `.local` domains must be explicitly allowed
to be resolved in `/etc/mdns.allow` AND `mdns` (not `mdns_minimal`) must
be used in `nsswitch.conf`.
The latter is already covered in the troubleshooting, I took care of
adding the former information into the docs.

Upstream issue: avahi/nss-mdns#64
Upstream resolution (linked in sumaform docs):
https://github.com/lathiat/nss-mdns/blob/master/README.md#etcmdnsallow
moio pushed a commit to uyuni-project/sumaform that referenced this issue Sep 21, 2020
* Docs: add mdns.allow to troubleshooting section
