Friday, September 20, 2024

Re: unbound(8) + host(1) + AAAA-only issue

On 2024-09-20, Stuart Henderson <stu.lists@spacehopper.org> wrote:
> On 2024-09-20, Mike Fischer <fischer+obsd@lavielle.com> wrote:
>>
>>> Am 20.09.2024 um 12:13 schrieb Stuart Henderson <stu.lists@spacehopper.org>:
>>>
>>> From what you've shown I can only assume the auth servers are broken
>>> and probably refusing to respond for A (rather than an empty NOERROR
>>> response).
>>
>> I agree, that is probably the root cause.
>>
>> So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)?
>>
>> Note: I tried looking at the source code of host(1) but I can't figure out how it works.
>
> I think it's generally been fairly common to regard a fqdn (or a fqdn
> + server combination) as failing if any RRset for that fqdn fails with
> certain errors.
>
> Certainly there have been problems in the past where a client has made
> an AAAA request, the recursive NS has received no response (usually in
> this case because the site was using one of the common load-balancing
> auth servers that were broken in this way) and negatively cached this
> against the fqdn, then a followup A request has failed.
>
>>> AAAA-only is a somewhat rare case and IPv6 has only been supported in
>>> DNS since 2008 or so, it takes time to get the bugs worked out
>>> especially in custom DNS software like is probably used for a dynamic
>>> dns zone.
>>
>> Yes, a mere 18 years is rather new ;-)
>
> ;)
>
>>> If you show the real hostname, maybe someone can figure it out in
>>> more detail.
>>
>> This is an example hostname I created at dynv6.com for the purpose of figuring out this issue:
>> test.fwml42.v6.rocks
>>
>> $ dig +short test.fwml42.v6.rocks aaaa
>> 2001:db8::dead:beaf
>> $ host test.fwml42.v6.rocks
>> Host test.fwml42.v6.rocks not found: 2(SERVFAIL)
>
> Well that's interesting.
>
> Querying any of the auth servers directly with host or dig, I do get
> what looks like a sensible response to A queries

Same with base and package versions of host(1), FWIW.

> $ host test.fwml42.v6.rocks. ns1.dynv6.com.
> Using domain server:
> Name: ns1.dynv6.com.
> Address: 95.216.144.82#53
> Aliases:
>
> test.fwml42.v6.rocks has IPv6 address 2001:db8::dead:beaf
> $ host -t a test.fwml42.v6.rocks. ns1.dynv6.com.
> Using domain server:
> Name: ns1.dynv6.com.
> Address: 95.216.144.82#53
> Aliases:
>
> test.fwml42.v6.rocks has no A record
>
> Testing with unbound 1.20.0 or 1.21.0 and there's no problem.
> From unbound (1.18.0) I get various of these,
>
> unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: exceeded the maximum nameserver nxdomains
> unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. A IN>: all servers for this domain failed, at zone v6.rocks. from 2a01:4f9:c010:95b:: nodata answer
> unbound: [71830:1] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: all servers for this domain failed, at zone v6.rocks. from 95.216.144.82 nodata answer
>
> I see this in changelog for 1.19.0 -
>
> Fix #946: Forwarder returns servfail on upstream response noerror no data.
>
> - the problem this fixes was introduced in 1.18.0 - this doesn't
> look from the description like it should be directly relevant (as no
> forwarder is involved), but it seems quite a similar situation.
> #946 is https://github.com/NLnetLabs/unbound/issues/946

Hmm, and also going up a level to this which has both A and AAAA:

$ host fwml42.v6.rocks.
fwml42.v6.rocks has address 79.226.210.86
fwml42.v6.rocks has IPv6 address 2003:e4:f33:1d00:30ab:221d:6b6d:7d96
Host fwml42.v6.rocks not found: 2(SERVFAIL)

with this logged:

unbound: [93237:0] error: SERVFAIL <fwml42.v6.rocks. MX IN>: all servers for this domain failed, at zone v6.rocks. from 2a01:4f8:1c1c:4c96:: nodata answer

--
Please keep replies on the mailing list.
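As an added illustration, not part of the thread: a small Python parser for the unbound SERVFAIL log lines quoted above, which separates the failures unbound itself attributes to a "nodata answer" (the auth server replied NOERROR with an empty answer section, yet the whole name was failed) from other SERVFAIL reasons. The line format in the regexes is assumed from the quoted lines, not taken from unbound's source; the sample input is the four log lines from the thread.

```python
import re
from collections import defaultdict

# Format of the unbound error lines quoted in this thread (assumed from those
# lines, not taken from unbound's source):
# unbound: [PID:TID] error: SERVFAIL <QNAME QTYPE QCLASS>: REASON
SERVFAIL_RE = re.compile(
    r"unbound: \[(?P<pid>\d+):(?P<tid>\d+)\] error: SERVFAIL "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.*)$"
)
# Trailer unbound appends to "all servers for this domain failed" reasons.
DETAIL_RE = re.compile(r"at zone (?P<zone>\S+) from (?P<server>\S+) (?P<answer>.+)$")

# The four SERVFAIL lines quoted in the thread, used here as sample input.
SAMPLE_LOG = [
    "unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: exceeded the maximum nameserver nxdomains",
    "unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. A IN>: all servers for this domain failed, at zone v6.rocks. from 2a01:4f9:c010:95b:: nodata answer",
    "unbound: [71830:1] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: all servers for this domain failed, at zone v6.rocks. from 95.216.144.82 nodata answer",
    "unbound: [93237:0] error: SERVFAIL <fwml42.v6.rocks. MX IN>: all servers for this domain failed, at zone v6.rocks. from 2a01:4f8:1c1c:4c96:: nodata answer",
]

def parse_servfail(line):
    """Split one SERVFAIL error line into its fields, or return None if it is not one."""
    m = SERVFAIL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    d = DETAIL_RE.search(rec["reason"])
    rec.update(d.groupdict() if d else {"zone": None, "server": None, "answer": None})
    return rec

def find_nodata_servfails(lines):
    """Map each qname to the (qtype, server, zone) triples where unbound returned
    SERVFAIL although the auth server gave a 'nodata answer', i.e. a NOERROR reply
    with an empty answer section. NODATA is a valid answer, so these are the cases
    to compare against the 1.19.0 changelog entry rather than real server outages."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_servfail(line)
        if rec and rec["answer"] == "nodata answer":
            hits[rec["qname"]].append((rec["qtype"], rec["server"], rec["zone"]))
    return dict(hits)

if __name__ == "__main__":
    for qname, failures in find_nodata_servfails(SAMPLE_LOG).items():
        types = ", ".join(sorted({t for t, _, _ in failures}))
        print(f"{qname}: SERVFAIL on {types} despite NODATA from the auth servers")
```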
