Friday, September 20, 2024

Re: unbound(8) + host(1) + AAAA-only issue

On 2024-09-20, Mike Fischer <fischer+obsd@lavielle.com> wrote:
>
>> Am 20.09.2024 um 12:13 schrieb Stuart Henderson <stu.lists@spacehopper.org>:
>>
>> From what you've shown I can only assume the auth servers are broken
>> and probably refusing to respond for A (rather than an empty NOERROR
>> response).
>
> I agree, that is probably the root cause.
>
> So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)?
>
> Note: I tried looking at the source code of host(1) but I can't figure out how it works.

I think it's generally been fairly common to regard a fqdn (or a fqdn
+ server combination) as failing if any RRset for that fqdn fails with
certain errors.

Certainly there have been problems in the past where a client has made
an AAAA request, the recursive NS has received no response (usually in
this case because the site was using one of the common load-balancing
auth servers that were broken in this way) and negatively cached this
against the fqdn, then a followup A request has failed.

>> AAAA-only is a somewhat rare case and IPv6 has only been supported in
>> DNS since 2008 or so, it takes time to get the bugs worked out
>> especially in custom DNS software like is probably used for a dynamic
>> dns zone.
>
> Yes, a mere 18 years is rather new ;-)

;)

>> If you show the real hostname, maybe someone can figure it out in
>> more detail.
>
> This is an example hostname I created at dynv6.com for the purpose of figuring out this issue:
> test.fwml42.v6.rocks
>
> $ dig +short test.fwml42.v6.rocks aaaa
> 2001:db8::dead:beaf
> $ host test.fwml42.v6.rocks
> Host test.fwml42.v6.rocks not found: 2(SERVFAIL)

Well that's interesting.

Querying any of the auth servers directly with host or dig, I do get
what looks like a sensible response to A queries:

$ host test.fwml42.v6.rocks. ns1.dynv6.com.
Using domain server:
Name: ns1.dynv6.com.
Address: 95.216.144.82#53
Aliases:

test.fwml42.v6.rocks has IPv6 address 2001:db8::dead:beaf
$ host -t a test.fwml42.v6.rocks. ns1.dynv6.com.
Using domain server:
Name: ns1.dynv6.com.
Address: 95.216.144.82#53
Aliases:

test.fwml42.v6.rocks has no A record

Testing with unbound 1.20.0 or 1.21.0 and there's no problem.
From unbound (1.18.0) I get various of these:

unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: exceeded the maximum nameserver nxdomains
unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. A IN>: all servers for this domain failed, at zone v6.rocks. from 2a01:4f9:c010:95b:: nodata answer
unbound: [71830:1] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: all servers for this domain failed, at zone v6.rocks. from 95.216.144.82 nodata answer

I see this in changelog for 1.19.0 -

Fix #946: Forwarder returns servfail on upstream response noerror no data.

- the problem this fixes was introduced in 1.18.0 - this doesn't
look from the description like it should be directly relevant (as no
forwarder is involved), but it seems quite a similar situation.
#946 is https://github.com/NLnetLabs/unbound/issues/946



--
Please keep replies on the mailing list.
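The distinction the thread turns on is between a correct negative answer for A (NOERROR with an empty answer section and, per RFC 2308, the zone's SOA in the authority section: the "nodata answer" unbound logs) and a failure (SERVFAIL, REFUSED, or no response at all). The following is an added example, not code from the post or from unbound/host: a minimal wire-format classifier that tells those cases apart, plus a UDP probe for asking an auth server directly, as Stuart did with host. The sample messages are constructed inline; the zone and hostmaster names (`example.net`), the SOA timers, TTLs and transaction IDs are made up for illustration, and only the AAAA value is taken from the post.

```python
"""Classify DNS replies: NOERROR/NODATA ("no A record") vs SERVFAIL/REFUSED/timeout.

Added example; the sample messages below are constructed, not captured traffic.
"""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
NOERROR, SERVFAIL = 0, 2
QTYPE_A, QTYPE_SOA, QTYPE_AAAA = 1, 6, 28


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query, RD set, one question, no EDNS (enough for a direct probe)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) \
        + encode_name(name) + struct.pack("!HH", qtype, 1)


def skip_name(msg, off):
    """Advance past a name at `off`, handling a compression pointer (0xC0xx)."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:
            return off + 2
        off += 1 + l


def rr_types(msg, off, count):
    """Collect the RR types of `count` records starting at `off`; return (types, off)."""
    types = []
    for _ in range(count):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return types, off


def classify(msg):
    """ANSWER, NODATA (empty NOERROR with SOA in authority), NODATA-NO-SOA,
    or the rcode name for anything that is not NOERROR."""
    if len(msg) < 12:
        return "MALFORMED"
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    if rcode != NOERROR:
        return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)
    off = 12
    for _ in range(qd):                     # skip question section
        off = skip_name(msg, off) + 4
    _ans, off = rr_types(msg, off, an)
    auth, off = rr_types(msg, off, ns)
    if an > 0:
        return "ANSWER"
    return "NODATA" if QTYPE_SOA in auth else "NODATA-NO-SOA"


def build_response(qname, qtype, rcode, answers=(), authority=(), txid=0x1234):
    """Constructed response: QR|RD|RA set, one question, uncompressed names."""
    recs = list(answers) + list(authority)
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rname, rtype, rdata in recs:
        msg += encode_name(rname) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def constructed_samples(name="test.fwml42.v6.rocks."):
    """Three replies an auth server might give for this AAAA-only name (constructed)."""
    aaaa = socket.inet_pton(socket.AF_INET6, "2001:db8::dead:beaf")
    soa = (encode_name("ns1.example.net.") + encode_name("hostmaster.example.net.")
           + struct.pack("!IIIII", 1, 3600, 900, 604800, 300))   # assumed zone values
    return {
        "aaaa_answer": build_response(name, QTYPE_AAAA, NOERROR,
                                      answers=[(name, QTYPE_AAAA, aaaa)]),
        "a_nodata":    build_response(name, QTYPE_A, NOERROR,
                                      authority=[("v6.rocks.", QTYPE_SOA, soa)]),
        "a_servfail":  build_response(name, QTYPE_A, SERVFAIL),
        "a_empty":     build_response(name, QTYPE_A, NOERROR),
    }


def probe(server, name, qtype, timeout=3.0):
    """Ask one auth server directly over UDP; TIMEOUT is what a server that
    'refuses to respond' for A looks like. Network call, not used by the tests."""
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    return classify(data)


if __name__ == "__main__":
    for label, msg in constructed_samples().items():
        print(label, classify(msg))
```

To reproduce the check from the post against a live zone, call `probe("95.216.144.82", "test.fwml42.v6.rocks.", QTYPE_A)` and the same for `QTYPE_AAAA`; a healthy auth server answers NODATA for A and ANSWER for AAAA, and it is the TIMEOUT or SERVFAIL case that a resolver may hold against the whole name.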
