TXT RR (node metadata) returned for A query of a service in the Answer section (with enable_additional_node_meta_txt set to false)

[scalp42]

Hi folks,

The new flag added in #4215 doesn't appear to work as expected using Consul 1.2.0 (only version supported).

Consul config:

{
  "bind_addr": "10.42.203.32",
  "bootstrap_expect": 3,
  "client_addr": "0.0.0.0",
  "data_dir": "/var/lib/consul",
  "datacenter": "us-west-2-infra1",
  "disable_host_node_id": false,
  "disable_remote_exec": true,
  "dns_config": {
    "allow_stale": true,
    "max_stale": "87600h",
    "node_ttl": "0s",
    "service_ttl": {
      "*": "0s"
    },
    "enable_truncate": false,
    "enable_additional_node_meta_txt": false,
    "only_passing": false
  },
  "enable_debug": false,
  "enable_script_checks": true,
  "enable_syslog": false,
  "encrypt": "1hicXPQcQzRYd3vaUjaXkQ==",
  "encrypt_verify_incoming": true,
  "encrypt_verify_outgoing": true,
  "leave_on_terminate": false,
  "log_level": "DEBUG",
  "node_meta": {
    "instance_type": "c5.large",
    "local_hostname": "ip-10-42-203-32.us-west-2.compute.internal",
    "local_ipv4": "10.42.203.32",
    "instance_id": "i-0014787bfa3b2491a",
    "region": "us-west-2",
    "availability_zone": "us-west-2a",
    "public_ipv4": "xx.xx.xx.xx",
    "public_hostname": "ec2-xx-xx-xx-xx.us-west-2.compute.amazonaws.com",
    "chef_environment": "us-west-2-infra1",
    "datacenter": "us-west-2-infra1"
  },
  "node_name": "consul-i-0014787bfa3b2491a-us-west-2-infra1-xxx",
  "ports": {
    "dns": 8600,
    "http": 8500,
    "serf_lan": 8301,
    "serf_wan": 8302,
    "server": 8300
  },
  "recursors": [
    "8.8.8.8",
    "10.42.0.2"
  ],
  "retry_join": [
    "provider=aws tag_key=Name tag_value=infra1-consul region=us-west-2 addr_type=private_v4"
  ],
  "server": true,
  "skip_leave_on_interrupt": true,
  "telemetry": {
    "statsd_address": "127.0.0.1:8125"
  },
  "ui": true
}

The flag enable_additional_node_meta_txt is set to false. This is a small testing cluster of 3 and every node was restarted:

$> consul members
Node                                                         Address             Status  Type    Build  Protocol  DC                Segment
consul-i-0014787bfa3b2491a-us-west-2-infra1-xx  10.42.203.32:8301   alive   server  1.2.0  2         us-west-2-infra1  <all>
consul-i-0762c4d111c7dd469-us-west-2-infra1-xx  10.42.219.254:8301  alive   server  1.2.0  2         us-west-2-infra1  <all>
consul-i-0b15864f1002fa3b9-us-west-2-infra1-xx  10.42.209.144:8301  alive   server  1.2.0  2         us-west-2-infra1  <all>

Dig example:

dig consul.service.consul A +short
10.42.203.32
"instance_type=c5.large"
"local_ipv4=10.42.203.32"
"instance_id=i-0014787bfa3b2491a"
"availability_zone=us-west-2a"
"region=us-west-2"
"consul-network-segment="
"public_hostname=ec2-xx-xx-xx-xx.us-west-2.compute.amazonaws.com"
"public_ipv4=xx.xx.xx.xx"
"datacenter=us-west-2-infra1"
"chef_environment=us-west-2-infra1"
"local_hostname=ip-10-42-203-32.us-west-2.compute.internal"
10.42.219.254
"consul-network-segment="
"public_ipv4=18.237.141.46"
"datacenter=us-west-2-infra1"
"instance_id=i-0762c4d111c7dd469"
"local_hostname=ip-10-42-219-254.us-west-2.compute.internal"
"public_hostname=ec2-xx-xx-xx-xx.us-west-2.compute.amazonaws.com"
"local_ipv4=10.42.219.254"
"chef_environment=us-west-2-infra1"
"region=us-west-2"
"availability_zone=us-west-2c"
"instance_type=c5.large"
10.42.209.144
"public_ipv4=xx.xx.xx.xx"
"instance_type=c5.large"
"region=us-west-2"
"instance_id=i-0b15864f1002fa3b9"
"local_hostname=ip-10-42-209-144.us-west-2.compute.internal"
"consul-network-segment="
"datacenter=us-west-2-infra1"
"availability_zone=us-west-2b"
"public_hostname=ec2-xx-xx-xx-xx.us-west-2.compute.amazonaws.com"
"local_ipv4=10.42.209.144"
"chef_environment=us-west-2-infra1"

Let me know if I'm missing something. I understood that the new flag would disable the TXT extra metadata on A query.

Thanks for the help in advance!

[mkeeler]

@scalp42 The new feature was specifically designed for when those TXT records get returned in the Additional section of a response and in your case they are being returned in the Answer section.

While that feature is behaving as expected you have uncovered another bug in that when querying for an A record you are given back a TXT RR in the answer section. That RR really should belong in the Additional section (and also be filtered with the same setting).

[scalp42]

Thanks for the feedback!

[asmajlovic]

Just wanted to add that I have also seen this issue with AAAA queries in Consul 1.2.0 (hostnames/IPs sanitised):

$ dig @10.1.1.10 myapp.query.consul AAAA

; <<>> DiG 9.9.5-3ubuntu0.17-Ubuntu <<>> @10.1.1.10 myapp.query.consul AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17632
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;myapp.query.consul. IN        AAAA

;; ANSWER SECTION:
myapp.query.consul. 5 IN TXT "consul-network-segment="
myapp.query.consul. 5 IN TXT "consul-network-segment="
myapp.query.consul. 5 IN TXT "consul-network-segment="

;; Query time: 6 msec
;; SERVER: 10.1.1.10#53(10.1.1.10)
;; WHEN: Thu Jul 12 11:17:02 UTC 2018
;; MSG SIZE  rcvd: 180