Friday, September 20, 2024

Re: unbound(8) + host(1) + AAAA-only issue

> Am 20.09.2024 um 12:13 schrieb Stuart Henderson <stu.lists@spacehopper.org>:
>
> From what you've shown I can only assume the auth servers are broken
> and probably refusing to respond for A (rather than an empty NOERROR
> response).

I agree, that is probably the root cause.

So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)?

Note: I tried looking at the source code of host(1) but I can't figure out how it works.


> AAAA-only is a somewhat rare case and IPv6 has only been supported in
> DNS since 2008 or so, it takes time to get the bugs worked out
> especially in custom DNS software like is probably used for a dynamic
> dns zone.

Yes, a mere 18 years is rather new ;-)


> If you show the real hostname, maybe someone can figure it out in
> more detail.

This is an example hostname I created at dynv6.com for the purpose of figuring out this issue:
test.fwml42.v6.rocks

$ dig +short test.fwml42.v6.rocks aaaa
2001:db8::dead:beaf
$ host test.fwml42.v6.rocks
Host test.fwml42.v6.rocks not found: 2(SERVFAIL)
$


Thanks!
Mike

>
>
> On 2024-09-20, Mike Fischer <fischer+obsd@lavielle.com> wrote:
>> I am seeing a weird result on some OpenBSD 7.5 stable amd64 systems:
>>
>> The servers are running a local unbound(8) and /etc/resolv.conf is configured to use 127.0.0.1.
>> $ cat /etc/resolv.conf
>> nameserver 127.0.0.1
>> lookup file bind
>> $
>>
>> /var/unbound/etc/unbound.conf is almost default. Only the listening addresses and access limitations have been modified. Name resolution generally works fine on the hosts.
>>
>> I have a DNS hostname, call it test.example.dynv6.net, for which only an AAAA record exists. The authoritative name servers don't use DNSSEC.
>>
>> Results:
>> $ host test.example.dynv6.net
>> Host test.example.dynv6.net not found: 2(SERVFAIL)
>> $
>>
>> $ dig +short test.example.dynv6.net aaaa
>> 2001:db8::dead:beaf
>> $
>>
>> But for a different hostname (on a different domain, different nameservers, again with only an AAAA record, no A record, no DNSSEC), host(1) returns the IPv6 address as expected.
>>
>> Both host(1) and dig(1) should be using the local unbound(8).
>>
>> So why isn't host(1) showing the IPv6 address for test.example.dynv6.net? Is this a bug in host(1) or am I doing something wrong?
>>
>> How can I debug this to find the root cause?
>>
>>
>> I have added »log-servfail: yes« to /var/unbound/etc/unbound.conf and /var/log/daemon shows entries such as these, when the problem happens:
>> Sep 20 10:23:03 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 95.216.144.82 nodata answer
>> Sep 20 10:24:10 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 2a01:4f8:1c1c:4c96:: nodata answer
>>
>> So the problem seems to happen when host(1) tries to resolve the IPv4 address. Apparently once it fails it does not try to resolve the IPv6 address?
>>
>>
>> Thanks!
>> Mike
>>
>
>
> --
> Please keep replies on the mailing list.
>
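The log lines in the thread turn on a distinction a resolver client has to make per record type: a SERVFAIL for the A query is not the same thing as a NOERROR answer with an empty answer section ("nodata"), and neither says anything about whether an AAAA record exists. The following is an added example, not code from the thread, from host(1) or from unbound(8). It constructs two DNS responses in wire format (RFC 1035 / RFC 3596) shaped like the case discussed, SERVFAIL for A and NOERROR with one record for AAAA, using the thread's own hostname and address, parses them, and runs a lookup loop that records the A failure yet still returns the IPv6 address instead of stopping at the first type that fails. The packet builder and the message id are assumptions made for the example.

```python
"""Classify DNS responses per RR type and keep going past a SERVFAIL.

Added example (not from the mailing-list thread). The two responses at the
bottom are constructed byte strings in DNS wire format, shaped like the case
in the thread: A -> SERVFAIL, AAAA -> NOERROR with one record.
"""
import ipaddress
import struct

QTYPE = {"A": 1, "AAAA": 28}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(name, qtype, rcode, rdata=b"", msg_id=0x1234):
    """Minimal response: header, one question, and one answer RR if rdata given."""
    ancount = 1 if rdata else 0
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, rcode in the low 4 bits
    hdr = struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    answer = b""
    if rdata:
        # 0xC00C: compression pointer to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE[qtype], 1, 300, len(rdata)) + rdata
    return hdr + question + answer


def decode_name(msg: bytes, off: int):
    """Decode a name at off, following compression pointers; return (name, next_off)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 10:
                raise ValueError("compression loop")
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return rcode name, question name and the A/AAAA answers as strings."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(("A", str(ipaddress.IPv4Address(rdata))))
        elif rtype == 28 and rdlen == 16:
            answers.append(("AAAA", str(ipaddress.IPv6Address(rdata))))
    return {"id": msg_id, "rcode": RCODE.get(flags & 0xF, str(flags & 0xF)),
            "qname": qname, "answers": answers}


def classify(resp: dict) -> str:
    """NODATA is NOERROR with an empty answer section; SERVFAIL is an rcode."""
    if resp["rcode"] == "NOERROR":
        return "NODATA" if not resp["answers"] else "ANSWER"
    return resp["rcode"]


def lookup_all(responses: dict):
    """Treat each type independently: a SERVFAIL for one type must not hide the other."""
    addrs, problems = [], {}
    for qtype, wire in responses.items():
        resp = parse_response(wire)
        outcome = classify(resp)
        if outcome == "ANSWER":
            addrs.extend(a for t, a in resp["answers"] if t == qtype)
        elif outcome != "NODATA":
            problems[qtype] = outcome
    return addrs, problems


# Constructed responses mirroring the thread: A fails, AAAA answers.
NAME = "test.fwml42.v6.rocks"
RESPONSES = {
    "A": build_response(NAME, "A", 2),
    "AAAA": build_response(NAME, "AAAA", 0,
                           ipaddress.IPv6Address("2001:db8::dead:beaf").packed),
}

if __name__ == "__main__":
    found, failed = lookup_all(RESPONSES)
    print("addresses:", found)        # ['2001:db8::dead:beaf']
    print("per-type failures:", failed)  # {'A': 'SERVFAIL'}
```

The point of `classify` is the one unbound's log makes implicitly: an empty NOERROR answer is a definite "no record of this type", while SERVFAIL is an upstream failure with no information about the name at all. A client that stops at the first failed type, as Mike suspects host(1) does here, throws away whatever the other query would have returned; `lookup_all` reports the failure and the address side by side so the caller can decide.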
