
Vault contacts DNS to get SRV record if port number does not appear in https VAULT_ADDR #5540

Closed
tatsuhiro-t opened this issue Oct 18, 2018 · 3 comments · Fixed by #8016
Labels
bug Used to indicate a potential bug core/api

Comments

@tatsuhiro-t

Describe the bug

The default port number of the https scheme is 443. But Vault tries to look up a DNS SRV record if the port is missing in the https URI.

vault/api/client.go

Lines 591 to 600 in 18deb2d

// if SRV records exist (see https://tools.ietf.org/html/draft-andrews-http-srv-02), lookup the SRV
// record and take the highest match; this is not designed for high-availability, just discovery
var host string = addr.Host
if addr.Port() == "" {
	// Internet Draft specifies that the SRV record is ignored if a port is given
	_, addrs, err := net.LookupSRV("http", "tcp", addr.Hostname())
	if err == nil && len(addrs) > 0 {
		host = fmt.Sprintf("%s:%d", addrs[0].Target, addrs[0].Port)
	}
}

Note that Go net/url.Parse leaves Port as an empty string if the port number is missing, even if the scheme is well known (e.g., https or http).

Because of this, Vault hammers DNS each time it connects to the server. To work around it, we have to specify the port number explicitly, just like https://example.com:443. But we usually omit the port number if it is the default one.

Because we know that the default https port number is 443 (see https://tools.ietf.org/html/rfc7230#section-2.7.2), it is not necessary to contact DNS to get an SRV record. Instead, it would be very nice for Vault to resolve the default port number by itself without contacting DNS, just like the Go HTTP client does:

var portMap = map[string]string{
	"http":   "80",
	"https":  "443",
	"socks5": "1080",
}

// canonicalAddr returns url.Host but always with a ":port" suffix
func canonicalAddr(url *url.URL) string {
	addr := url.Hostname()
	if v, err := idnaASCII(addr); err == nil {
		addr = v
	}
	port := url.Port()
	if port == "" {
		port = portMap[url.Scheme]
	}
	return net.JoinHostPort(addr, port)
}

To Reproduce

  1. Run Vault on the default https port.
  2. Write/read something to Vault using a VAULT_ADDR without a port number specified in it.
  3. Check the packet dump of DNS traffic and see that an SRV lookup is done.

Expected behavior

Vault should not contact DNS if the URI scheme is well known (https or http) and the port number is missing in the URI; instead it should just use the default port number.

Environment:

  • Vault Server Version (retrieve with vault status):
  • Vault CLI Version (retrieve with vault version): Vault v0.11.3 ('fb601237bfbe4bc16ff679f642248ee8a86e627b')
  • Server Operating System/Architecture:

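The port-resolution logic the issue asks for, as an added example that is not Vault's own code: an explicit port wins, a missing port on http/https is filled from the scheme default without any DNS traffic, and only an unknown scheme falls back to the SRV discovery the quoted client.go snippet performs. The `srvLookup` variable is an assumption introduced here so the lookup can be counted or stubbed; `net.LookupSRV` is the real call.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Default ports for well-known schemes, mirroring Go's net/http transport.
var defaultPorts = map[string]string{"http": "80", "https": "443"}

// srvLookup is the SRV resolver used only when no default port applies.
// It is a variable (an assumption of this example) so a test can stub it
// and assert that well-known schemes never reach DNS.
var srvLookup = net.LookupSRV

// CanonicalVaultAddr returns "host:port" for a VAULT_ADDR-style URL.
func CanonicalVaultAddr(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	host, port := u.Hostname(), u.Port() // Port() is "" when omitted, even for https
	if host == "" {
		return "", fmt.Errorf("no host in %q", raw)
	}
	if port == "" {
		port = defaultPorts[u.Scheme] // fill the scheme default, no DNS involved
	}
	if port == "" {
		// Unknown scheme and no port: SRV discovery as in the quoted client.go.
		_, addrs, err := srvLookup("http", "tcp", host)
		if err == nil && len(addrs) > 0 {
			return net.JoinHostPort(addrs[0].Target, fmt.Sprint(addrs[0].Port)), nil
		}
		return "", fmt.Errorf("no default port for scheme %q and no SRV record", u.Scheme)
	}
	// JoinHostPort brackets IPv6 literals correctly ("[::1]:443").
	return net.JoinHostPort(host, port), nil
}

func main() {
	for _, a := range []string{"https://vault.example.com", "http://vault.example.com", "https://vault.example.com:8200", "https://[::1]"} {
		h, err := CanonicalVaultAddr(a)
		fmt.Println(a, "->", h, err)
	}
}
```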

@savealive

As a workaround it's possible to add the following SRV record

_http._tcp.vault.example.com.  1 1 443 vault.example.com.

It speeds vault calls up by a few times.

@dgozalo
Contributor

dgozalo commented Oct 3, 2019

This one seems to be quite old, but I'm having exactly the same problem, increasing request times dramatically. Is there any fix planned for this?

@catsby catsby added bug Used to indicate a potential bug core/api labels Nov 12, 2019
@catsby
Contributor

catsby commented Nov 12, 2019

Related issue: #5525

petems added a commit to petems/terraform-provider-vault that referenced this issue Jul 15, 2020
abh added a commit to ntppool/monitor that referenced this issue Jun 3, 2023
(rather than going through the options for high availability, the SRV
lookup just replaced the hostname that it connects to. Worse the SRV
lookup is done on every request, ignoring the connection cache?)

hashicorp/vault#5540
hashicorp/vault-client-go#183