Friday, September 20, 2024

Re: unbound(8) + host(1) + AAAA-only issue

> On 20.09.2024 at 13:13, Peter Hessler <phessler@theapt.org> wrote:
>
> On 2024 Sep 20 (Fri) at 12:45:08 +0200 (+0200), Mike Fischer wrote:
> :
> :> On 20.09.2024 at 12:13, Stuart Henderson <stu.lists@spacehopper.org> wrote:
> :>
> :>> From what you've shown I can only assume the auth servers are broken
> :> and probably refusing to respond for A (rather than an empty NOERROR
> :> response).
> :
> :I agree, that is probably the root cause.
> :
> :So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)?
> :
> :Note: I tried looking at the source code of host(1) but I can't figure out how it works.
> :
> :
> :> AAAA-only is a somewhat rare case and IPv6 has only been supported in
> :> DNS since 2008 or so, it takes time to get the bugs worked out
> :> especially in custom DNS software like is probably used for a dynamic
> :> dns zone.
> :
> :Yes, a mere 18 years is rather new ;-)
> :
> :
> :> If you show the real hostname, maybe someone can figure it out in
> :> more detail.
> :
> :This is an example hostname I created at dynv6.com for the purpose of figuring out this issue:
> :test.fwml42.v6.rocks
> :
> :$ dig +short test.fwml42.v6.rocks aaaa
> :2001:db8::dead:beaf
> :$ host test.fwml42.v6.rocks
> :Host test.fwml42.v6.rocks not found: 2(SERVFAIL)
> :$
> :
>
> I also have a real hostname that only has IPv6 but it works fine for me
> with host and dig. v6.bsd.network, and jane.theapt.org. Feel free to
> look at how the servers reply for comparison.
>
> I run one of the auth nameservers with nsd, and the other two are run by
> some friends also using open source auth servers.

Unfortunately I have no way to influence the dynv6.com service or even know what software they are using.

As I mentioned, another v6-only hostname with a completely different domain and nameservers works fine. So the issue is likely triggered by the response of the dynv6.com NS to a request for a non-existing A record.

However my point is that the SERVFAIL response should not cause host(1) to give up on requesting other (AAAA) RRsets.


Mike
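
Added example (not part of the original message, and not host(1)'s code): a small classifier that separates an empty NOERROR reply (NODATA) from an error rcode such as SERVFAIL, per record type, so that a failing A lookup does not hide a working AAAA one. The dig header lines are constructed samples for a hypothetical AAAA-only name, not captures from the servers discussed in the thread.

```python
import re

# Constructed dig header lines for a hypothetical AAAA-only name.
# Illustrative samples only, not captures from the servers in the thread.
SAMPLES = {
    "A": """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
""",
    "AAAA": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
""",
    "MX": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
""",
}

STATUS = re.compile(r"status: (\w+)")
ANSWERS = re.compile(r"ANSWER: (\d+)")

def classify(dig_text):
    """Return 'ANSWER', 'NODATA', 'NXDOMAIN' or 'ERROR:<rcode>' for one reply."""
    status = STATUS.search(dig_text)
    answers = ANSWERS.search(dig_text)
    if not status or not answers:
        return "ERROR:UNPARSED"
    rcode = status.group(1)
    if rcode == "NOERROR":
        # NOERROR with zero answers means the name exists but has no such RRset.
        return "ANSWER" if int(answers.group(1)) > 0 else "NODATA"
    if rcode == "NXDOMAIN":
        return "NXDOMAIN"
    return "ERROR:" + rcode

def survey(replies):
    """Classify every type independently; one failing type never hides the others."""
    return {rtype: classify(text) for rtype, text in replies.items()}

def name_resolves(results):
    """True if any address type returned data, whatever the other types did."""
    return any(results.get(t) == "ANSWER" for t in ("A", "AAAA"))

if __name__ == "__main__":
    results = survey(SAMPLES)
    for rtype, outcome in results.items():
        print(f"{rtype:5} {outcome}")
    print("resolvable:", name_resolves(results))
```

To use it on real replies, feed it the text of `dig <name> <type>` for each type, queried against the resolver and then against each authoritative server.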
