Friday, September 20, 2024

Re: unbound(8) + host(1) + AAAA-only issue

From what you've shown I can only assume the auth servers are broken
and probably refusing to respond for A (rather than an empty NOERROR
response).

AAAA-only is a somewhat rare case and IPv6 has only been supported in
DNS since 2008 or so; it takes time to get the bugs worked out,
especially in custom DNS software like is probably used for a dynamic
DNS zone.

If you show the real hostname, maybe someone can figure it out in
more detail.


On 2024-09-20, Mike Fischer <fischer+obsd@lavielle.com> wrote:
> I am seeing a weird result on some OpenBSD 7.5 stable amd64 systems:
>
> The servers are running a local unbound(8) and /etc/resolv.conf is configured to use 127.0.0.1.
> $ cat /etc/resolv.conf
> nameserver 127.0.0.1
> lookup file bind
> $
>
> /var/unbound/etc/unbound.conf is almost default. Only the listening addresses and access limitations have been modified. Name resolution generally works fine on the hosts.
>
> I have a DNS hostname, call it test.example.dynv6.net, for which only an AAAA record exists. The authoritative name servers don't use DNSSEC.
>
> Results:
> $ host test.example.dynv6.net
> Host test.example.dynv6.net not found: 2(SERVFAIL)
> $
>
> $ dig +short test.example.dynv6.net aaaa
> 2001:db8::dead:beaf
> $
>
> But for a different hostname (on a different domain, different nameservers, again with only an AAAA record, no A record, no DNSSEC), host(1) returns the IPv6 address as expected.
>
> Both host(1) and dig(1) should be using the local unbound(8).
>
> So why isn't host(1) showing the IPv6 address for test.example.dynv6.net? Is this a bug in host(1) or am I doing something wrong?
>
> How can I debug this to find the root cause?
>
>
> I have added »log-servfail: yes« to /var/unbound/etc/unbound.conf and /var/log/daemon shows entries such as these, when the problem happens:
> Sep 20 10:23:03 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 95.216.144.82 nodata answer
> Sep 20 10:24:10 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 2a01:4f8:1c1c:4c96:: nodata answer
>
> So the problem seems to happen when host(1) tries to resolve the IPv4 address. Apparently once it fails it does not try to resolve the IPv6 address?
>
>
> Thanks!
> Mike
>


--
Please keep replies on the mailing list.
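
To test the hypothesis in the reply above (the authoritative servers answering A queries with something other than an empty NOERROR), the following added example, which is not part of the thread, sends non-recursive A and AAAA queries straight to one authoritative server and summarises each response header. The function names and the command-line arguments (server address, then hostname) are assumptions of this example.

```python
import socket
import struct
import sys

QTYPE = {"A": 1, "AAAA": 28}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
         3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype, qid=0x1234):
    """Encode a non-recursive (RD=0) query, comparable to dig +norecurse."""
    header = struct.pack("!6H", qid, 0x0000, 1, 0, 0, 0)  # one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", QTYPE[qtype], 1)  # class IN

def classify(resp):
    """Summarise a raw DNS response (None means timeout) from its header."""
    if resp is None:
        return "no response"
    if len(resp) < 12:
        return "malformed"
    _, flags, _, ancount, nscount, _ = struct.unpack("!6H", resp[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        return RCODE.get(rcode, "RCODE %d" % rcode)
    if ancount:
        return "NOERROR, %d answer record(s)" % ancount
    # Empty NOERROR: report the AA bit and authority count (SOA usually lives there)
    aa = "aa" if flags & 0x0400 else "no aa"
    return "NOERROR/NODATA (%s, %d authority record(s))" % (aa, nscount)

def probe(server, name, qtype, timeout=3.0):
    """Send one UDP query directly to the given server address."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qtype), (server, 53))
            return s.recvfrom(4096)[0]
        except OSError:  # includes timeouts and unreachable networks
            return None

if __name__ == "__main__":
    server, name = sys.argv[1:3]  # e.g. an address from the unbound log line
    for qtype in ("A", "AAAA"):
        print("%-4s %s" % (qtype, classify(probe(server, name, qtype))))
```

Run it once per authoritative server address and compare the A line with the AAAA line; a difference in rcode, AA bit or authority count between the two is the detail to report to the zone operator.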
