Version: 3.4.0 (using KDE 3.4.0, compiled sources)
Compiler: gcc version 3.4.4 20050203 (prerelease) (Debian 3.4.3-9)
OS: Linux (i686) release 2.6.10-1-k7
Hi, if I visit https://banking.diba.de I get "Unknown host banking.diba.de" while Firefox works fine. I tried different User Agents and KDE 3.3.2 without luck. Any ideas?
Cheers,
André
I cannot reproduce. It just loads slowly. And it's a bug in diba.de's DNS server. *** This bug has been marked as a duplicate of 68894 ***
On Friday 04 March 2005 03:37, Thiago Macieira wrote:
> I cannot reproduce. It just loads slowly.
sometimes it loads some parts of this site slowly but never the complete site. I ever get "Unknown host". FYI I use Squid as proxy but I also tried with disabled proxy.
> And it's a bug in diba.de's DNS server.
But as I mentioned Firefox can handle it somehow.
> *** This bug has been marked as a duplicate of 68894 ***
If I understand this correctly it's about ipv6. I disabled it some time ago as I read about performance issues due to ipv6 and broken DNS servers.
Cheers,
André
That's exactly the problem: broken DNS servers. diba.de are using one of those. However, this affects only Konqueror when not using a proxy. If you are using a proxy, then this is a completely different issue. Reopen in that case. I'll probably need a traffic dump of when this happens.
On Friday 04 March 2005 11:53, Thiago Macieira wrote:
> That's exactly the problem: broken DNS servers. diba.de are
> using one of those.
But Konqueror must be able to handle these too otherwise people just switch to another browser (i.e. my father is a computer novice and he will not differentiate to use Konqueror for this site and xy for that site - he'll just use xy for every site).
> However, this affects only Konqueror when not using a proxy. If you
> are using a proxy, then this is a completely different issue. Reopen
But I've the same behaviour in both cases.
> in that case. I'll probably need a traffic dump of when this happens.
How can I help you? But remember it's an SSL secured connection.
Yes, we must handle that. We add the hostname to a blacklist of buggy DNS servers. That way, KDE will never speak IPv6 with any host in their domain, forever, until we reverse our decision. But if you have a problem when using proxies, I am not willing to accept this as a duplicate, since it should not affect. The traffic dump I need is for the DNS and proxy traffic. The fact that it is an SSL connection should be of no consequence.
Assuming the problem is in kio/http, until proven otherwise.
On Saturday 05 March 2005 02:34, Thiago Macieira wrote:
> Yes, we must handle that. We add the hostname to a blacklist
> of buggy DNS servers. That way, KDE will never speak IPv6 with any
> host in their domain, forever, until we reverse our decision.
As I noted before I disabled ipv6 on kernel level.
> But if you have a problem when using proxies, I am not willing to
> accept this as a duplicate, since it should not affect.
>
> The traffic dump I need is for the DNS and proxy traffic. The fact
> that it is an SSL connection should be of no consequence.
Sorry, I'm no network expert, could you tell me which app I should use to monitor the traffic and how to use it?
Cheers,
André
Make sure nothing else is using your network when you try this. Or else there will be unrelated packets being sent and received. To be sure, try this:
    tcpdump -pn
You should see nothing going on. Then start this:
    tcpdump -Xs 1500 -pn -w /tmp/output
(or tethereal -pn -w /tmp/output, same thing)
Open your Konqueror and go to the site. Wait until the Stop button in Konqueror goes gray, or until you see the error message. Stop the dump (Ctrl+C), then create a .tar.gz of /tmp/output and attach it here. If you would feel better about it, send me the file in a private mail. I would also be interested in a similar dump for Firefox.
> OK, here you are, I wish you much luck :):) FYI, I'm using a DSL router
> which provides the (local) DNS service.
I have reviewed your files. Sorry for not doing so before -- I had missed your email in my inbox. Are you sure you're using a proxy? There's no evidence of proxying in your traffic dump. There is evidence of bugs in your DNS service. It simply doesn't reply to some of the queries, which get repeated. Maybe it's getting confused about several simultaneous queries about the same domain and is replying to one of them only. If that's the case, it's a bug in your DSL router.
On Thursday 17 March 2005 00:30, Thiago Macieira wrote:
> > OK, here you are, I wish you much luck :):) FYI, I'm using a DSL router
> > which provides the (local) DNS service.
>
> I have reviewed your files. Sorry for not doing so before -- I had missed
> your email in my inbox.
No problem, if it takes too long I send a reminder :)
> Are you sure you're using a proxy? There's no evidence of proxying in your
> traffic dump.
I use no proxy with FireFox but I use Squid with Konqueror but also tried with disabled proxy (disabled via Tools menu).
> There is evidence of bugs in your DNS service. It simply doesn't reply to
> some of the queries, which get repeated. Maybe it's getting confused about
> several simultaneous queries about the same domain and is replying to one
> of them only.
But why doesn't it occur with FireFox?
> If that's the case, it's a bug in your DSL router.
I also tried to use DNS of my ISP directly (does glibc react immediately to a change of /etc/resolv.conf or do I have to restart some services?). In this case Konqueror was much faster in displaying an error (missing 128 bit SSL feature, also if I try IE as browser identification). But I can repeat this test. What happens if you visit https://banking.diba.de or http://banking.diba.de
André
It doesn't happen with Firefox because it doesn't send several simultaneous DNS queries about the same thing. We do. And the DNS server is supposed to answer them all. It seems, by your ISP's DNS testing, that the bug is in your router. We have an open bug report for serialising all DNS queries in a central place, but that won't happen before KDE 4. I'm sorry.
On Thursday 17 March 2005 18:47, Thiago Macieira wrote:
> It doesn't happen with Firefox because it doesn't send
> several simultaneous DNS queries about the same thing. We do. And the
> DNS server is supposed to answer them all.
>
> It seems, by your ISP's DNS testing, that the bug is in your router.
OK, then I'll file a BR there (AFAIK, Linux is running on the router :)
> We have an open bug report for serialising all DNS queries in a
> central place, but that won't happen before KDE 4. I'm sorry.
Hmm, that are bad news :-( What are still open questions with my ISP's DNS:
1) with http:// I get a timeout error
2) with https:// it works fast but diba.de complains about missing SSL (not so in KDE 3.3)
There's definitely a problem with diba.de's DNS servers. It's returning a ServFail error code when asked to resolve IPv6. It isn't like IPv6 is new -- it has been around for more than 6 years, so to not have proper nameserver is beyond lame. We have devised a "blacklist" for IPv6 hostnames. However, I've just noticed it isn't working. I am working on a fix.
CVS commit by thiago: Fix the bug that made the IPv6 blacklist not work where it was most wanted: in kioslaves. They don't have a kapp pointer... To be backported. CCBUG:100777 M +18 -5 kresolverstandardworkers.cpp 1.18 --- kdelibs/kdecore/network/kresolverstandardworkers.cpp #1.17:1.18 @@ -77,8 +77,21 @@ static bool hasIPv6() // blacklist management +static QMutex blacklistMutex; // KDE4: change to a QReadWriteLock QStringList KBlacklistWorker::blacklist; void KBlacklistWorker::init() { + // HACK! + // FIXME KDE4: How do I detect there is an instance, without triggering + // its creation or an assertion fault? + if (!KGlobal::_instance) + return; + + static bool beenhere = false; + + if (beenhere) + return; + + beenhere = true; loadBlacklist(); } @@ -86,7 +99,5 @@ void KBlacklistWorker::init() void KBlacklistWorker::loadBlacklist() { - if (!kapp) - return; - + QMutexLocker locker(&blacklistMutex); QStringList filelist = KGlobal::dirs()->findAllResources("config", "ipv6blacklist"); @@ -123,4 +134,6 @@ void KBlacklistWorker::loadBlacklist() bool KBlacklistWorker::isBlacklisted(const QString& host) { + KBlacklistWorker::init(); + // empty hostnames cannot be blacklisted if (host.isEmpty()) @@ -130,4 +143,6 @@ bool KBlacklistWorker::isBlacklisted(con QString ascii = QString::fromLatin1(KResolver::domainToAscii(host)); + QMutexLocker locker(&blacklistMutex); + // now find out if this hostname is present QStringList::ConstIterator it = blacklist.constBegin(), @@ -1005,6 +1020,4 @@ bool KGetAddrinfoWorker::wantThis(int fa void KNetwork::Internal::initStandardWorkers() { - KBlacklistWorker::init(); - //KResolverWorkerFactoryBase::registerNewWorker(new KResolverWorkerFactory<KBlacklistWorker>); KResolverWorkerFactoryBase::registerNewWorker(new KResolverWorkerFactory<KStandardWorker>);
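Review bot: In the first hunk, `beenhere` in KBlacklistWorker::init() is tested and set without holding `blacklistMutex`, while the later hunks make init() reachable from every isBlacklisted() call; two threads that both read `beenhere` as false will each run loadBlacklist(). Moving the flag test and assignment into loadBlacklist(), after the `QMutexLocker locker(&blacklistMutex);` line, would keep the load to a single run under concurrent lookups. Taking the mutex in init() instead would not work as written, because loadBlacklist() locks the same default-constructed (non-recursive) QMutex.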
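Review bot: In the loadBlacklist() hunk (-86,7), removing `if (!kapp) return;` leaves the `KGlobal::dirs()` call protected only by the `if (!KGlobal::_instance) return;` test that lives in init(). That holds as long as init() is the only caller, which the patch does not state; either repeat the instance check at the top of loadBlacklist() or add a comment there that it must only be reached through init().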
You can do this now to browse banking.diba.de:
    echo diba.de >> ~/.kde/share/config/ipv6blacklist
Please confirm that this works around the problem for you.
On Friday 18 March 2005 04:27, Thiago Macieira wrote:
> You can do this now to browse banking.diba.de:
>
> echo diba.de >> ~/.kde/share/config/ipv6blacklist
>
> Please confirm that this works around the problem for you.
No, it doesn't. As I wrote before I disabled ipv6 on kernel level. I still get timeouts with my router's DNS. And as noted before Konqueror 3.4 still complains about missing SSL while Konqueror 3.3.2 works fine (both with my ISP's DNS). Do you've any idea what could be causing this?
You need to apply the patch that I committed (see comment #14) for it to work. Have you done so?
On Saturday 19 March 2005 16:37, Thiago Macieira wrote:
> You need to apply the patch that I committed (see comment
> #14) for it to work. Have you done so?
Yes, I updated kdelibs. Any ideas with the SSL issue?
It's not in any released version. You have to get the sources, patch it and recompile. The SSL error doesn't happen here.
On Saturday 19 March 2005 22:06, Thiago Macieira wrote:
> It's not in any released version. You have to get the
> sources, patch it and recompile.
I'm running CVS HEAD :)
> The SSL error doesn't happen here.
Which openssl version do you use? I'm using 0.9.7 and get the known warnings when the dynamic openssl lib is loaded.
I have OpenSSL 0.9.7e and I do get debug messages, but no dialog box is shown. Can you try going to your banking site while "tcpdump -pn port 53" is running? Tell me if the only query is of type A, or if something else is shown (AAAA or [|domain])
On Sunday 20 March 2005 17:10, Thiago Macieira wrote:
> I have OpenSSL 0.9.7e and I do get debug messages, but no
> dialog box is shown.
Which dialog you're talking about. I mean the attached error message from diba.de (only a part of it to save bandwidth).
> Can you try going to your banking site while "tcpdump -pn port 53" is
> running? Tell me if the only query is of type A, or if something else
> is shown (AAAA or [|domain])
Only type A but the following is strange:
18:55:23.098427 IP 192.168.178.22.32806 > 192.168.178.1.53: 1567+ A? banking.diba.de. (33)
18:55:23.144420 IP 192.168.178.22.32805 > 192.168.178.1.53: 52968+ A? banking.diba.de. (33)
18:55:23.152931 IP 192.168.178.1.53 > 192.168.178.22.32806: 52968 2/0/0 A 195.20.69.26, (65)
18:55:28.144703 IP 192.168.178.22.32807 > 192.168.178.1.53: 52969+ A? banking.diba.de. (33)
18:55:28.152664 IP 192.168.178.22.32808 > 192.168.178.1.53: 1568+ A? banking.diba.de. (33)
18:55:28.198167 IP 192.168.178.1.53 > 192.168.178.22.32807: 1568 2/0/0 A 212.255.122.43, (65)
Shouldn't the same FQDN lead to the same IP? But when I try my ISP's DNS I got the same behaviour but only 30% of the queries/replies. BTW, I also tried FireFox. There is only one query and one reply.
Created an attachment (id=10214) missing ssl.png
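Added example, not part of the original thread: the capture quoted in the comment above, checked the way a stub resolver checks it, where a reply counts only if it arrives on the source port that sent a query with the same transaction ID. The function name `audit` and the line regex are assumptions of this example; the six capture lines are the ones from the comment.

```python
import re

# The six tcpdump lines from the comment above (client 192.168.178.22,
# router DNS at 192.168.178.1); the first timestamp is written in full.
CAPTURE = """\
18:55:23.098427 IP 192.168.178.22.32806 > 192.168.178.1.53: 1567+ A? banking.diba.de. (33)
18:55:23.144420 IP 192.168.178.22.32805 > 192.168.178.1.53: 52968+ A? banking.diba.de. (33)
18:55:23.152931 IP 192.168.178.1.53 > 192.168.178.22.32806: 52968 2/0/0 A 195.20.69.26, (65)
18:55:28.144703 IP 192.168.178.22.32807 > 192.168.178.1.53: 52969+ A? banking.diba.de. (33)
18:55:28.152664 IP 192.168.178.22.32808 > 192.168.178.1.53: 1568+ A? banking.diba.de. (33)
18:55:28.198167 IP 192.168.178.1.53 > 192.168.178.22.32807: 1568 2/0/0 A 212.255.122.43, (65)
"""

# time, src ip.port, dst ip.port, transaction ID, flags, rest of the line
LINE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)(\S*) (.*)$")

def audit(capture):
    """Pair DNS replies with queries the way a stub resolver does:
    a reply is accepted only if it reaches the socket (client port)
    that sent a query with the same transaction ID."""
    pending = {}      # (client_port, txid) -> time the query was sent
    misrouted = []    # replies whose ID belongs to a different socket
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, _src, sport, _dst, dport, txid, _flags, rest = m.groups()
        if dport == "53" and "?" in rest:            # query to the server
            pending[(int(sport), int(txid))] = when
        elif sport == "53":                          # reply from the server
            key = (int(dport), int(txid))
            if key in pending:
                del pending[key]
            else:
                owners = [p for (p, t) in pending if t == int(txid)]
                misrouted.append({"time": when, "txid": int(txid),
                                  "sent_to": int(dport), "asked_from": owners})
    return {"misrouted": misrouted, "unanswered": sorted(pending)}

if __name__ == "__main__":
    report = audit(CAPTURE)
    for r in report["misrouted"]:
        print(f"{r['time']} reply id {r['txid']} sent to port {r['sent_to']}, "
              f"query came from {r['asked_from']}")
    print("unanswered (port, id):", report["unanswered"])
```

Both replies in the capture carry an ID that was asked from a different source port, so none of the four queries has a reply that its own socket would accept.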
Konqueror is now working exactly as intended.
On Sunday 20 March 2005 20:02, Thiago Macieira wrote:
> Konqueror is now working exactly as intended.
Yes, thanks for your efforts, but I'm looking forward to KDE 4, when there is only one DNS query :-) BTW, I solved the SSL issue. The site was secured with 56 bit key for me and complained about missing 128 bit encryption. I disabled all 56 bit encryptions and the site works :-) Even after I reenabled all 56 bit encryptions. TODO: get my router's DNS working.
Closing as fixed. See the commit on comment #14. We will consider adding banking.diba.de to the IPv6 blacklist.
When I say "closing as fixed", do as I said :-)
Andre: patch /etc/nscd.conf to cache host entries and you're done :)
On Thursday 24 March 2005 13:25, Stephan Kulow wrote:
> Andre: patch /etc/nscd.conf to cache host entries and you're
> done :)
Thanks for your tip I already thought about it but AFAIK the use for DNS isn't recommended. Nevertheless I tried it but it doesn't seem to work for this site :-( (tcpdump -pn port 53 displays DNS queries every time I visit the site).
André