Friday, September 20, 2024

Re: unbound(8) + host(1) + AAAA-only issue

On 2024 Sep 20 (Fri) at 12:45:08 +0200 (+0200), Mike Fischer wrote:
:
:> On 20.09.2024 at 12:13, Stuart Henderson <stu.lists@spacehopper.org> wrote:
:>
:>> From what you've shown I can only assume the auth servers are broken
:> and probably refusing to respond for A (rather than an empty NOERROR
:> response).
:
:I agree, that is probably the root cause.
:
:So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)?
:
:Note: I tried looking at the source code of host(1) but I can't figure out how it works.
:
:
:> AAAA-only is a somewhat rare case and IPv6 has only been supported in
:> DNS since 2008 or so, it takes time to get the bugs worked out
:> especially in custom DNS software like is probably used for a dynamic
:> dns zone.
:
:Yes, a mere 18 years is rather new ;-)
:
:
:> If you show the real hostname, maybe someone can figure it out in
:> more detail.
:
:This is an example hostname I created at dynv6.com for the purpose of figuring out this issue:
:test.fwml42.v6.rocks
:
:$ dig +short test.fwml42.v6.rocks aaaa
:2001:db8::dead:beaf
:$ host test.fwml42.v6.rocks
:Host test.fwml42.v6.rocks not found: 2(SERVFAIL)
:$
:

I also have a real hostname that only has IPv6 but it works fine for me
with host and dig. v6.bsd.network, and jane.theapt.org. Feel free to
look at how the servers reply for comparison.

I run one of the auth nameservers with nsd, and the other two are run by
some friends also using open source auth servers.


:
:Thanks!
:Mike
:
:>
:>
:> On 2024-09-20, Mike Fischer <fischer+obsd@lavielle.com> wrote:
:>> I am seeing a weird result on some OpenBSD 7.5 stable amd64 systems:
:>>
:>> The servers are running a local unbound(8) and /etc/resolv.conf is configured to use 127.0.0.1.
:>> $ cat /etc/resolv.conf
:>> nameserver 127.0.0.1
:>> lookup file bind
:>> $
:>>
:>> /var/unbound/etc/unbound.conf is almost default. Only the listening addresses and access limitations have been modified. Name resolution generally works fine on the hosts.
:>>
:>> I have a DNS hostname, call it test.example.dynv6.net, for which only an AAAA record exists. The authoritative name servers don't use DNSSEC.
:>>
:>> Results:
:>> $ host test.example.dynv6.net
:>> Host test.example.dynv6.net not found: 2(SERVFAIL)
:>> $
:>>
:>> $ dig +short test.example.dynv6.net aaaa
:>> 2001:db8::dead:beaf
:>> $
:>>
:>> But for a different hostname (on a different domain, different nameservers, again with only an AAAA record, no A record, no DNSSEC), host(1) returns the IPv6 address as expected.
:>>
:>> Both host(1) and dig(1) should be using the local unbound(8).
:>>
:>> So why isn't host(1) showing the IPv6 address for test.example.dynv6.net? Is this a bug in host(1) or am I doing something wrong?
:>>
:>> How can I debug this to find the root cause?
:>>
:>>
:>> I have added »log-servfail: yes« to /var/unbound/etc/unbound.conf and /var/log/daemon shows entries such as these, when the problem happens:
:>> Sep 20 10:23:03 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 95.216.144.82 nodata answer
:>> Sep 20 10:24:10 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 2a01:4f8:1c1c:4c96:: nodata answer
:>>
:>> So the problem seems to happen when host(1) tries to resolve the IPv4 address. Apparently once it fails it does not try to resolve the IPv6 address?
:>>
:>>
:>> Thanks!
:>> Mike
:>>
:>
:>
:> --
:> Please keep replies on the mailing list.
:>
:
:

--
It has just been discovered that research causes cancer in rats.
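The comparison suggested above (looking at how each authoritative server replies to the A query versus the AAAA query) can be scripted. The following is an added example and not code from the thread or from unbound/host/dig: it classifies a dig reply from its header into the cases that matter here, a correct empty NOERROR ("NODATA") versus REFUSED, SERVFAIL or no reply at all, which is what turns the A lookup that host(1) tries first into the SERVFAIL that unbound logs. The function name `check_name` and the embedded dig header fragments are my own constructions; a live run (`sh check-auth.sh test.fwml42.v6.rocks`) assumes dig is installed and walks the name up to the nearest zone with an NS set, then queries every listed server directly with recursion disabled for the A, AAAA and MX types that host(1) asks for by default.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: classify how an
# authoritative server answered, so an AAAA-only name can be checked
# against every auth server for the record types host(1) asks for.

# classify_answer: read dig output on stdin and print one word:
#   NODATA   NOERROR with zero answer records (correct for an AAAA-only name)
#   ANSWER   NOERROR with records in the answer section
#   NXDOMAIN the name does not exist at all
#   REFUSED / SERVFAIL / other rcode as printed by dig
#   TIMEOUT  no reply at all (dig's "timed out"/"no servers could be reached")
#   UNKNOWN  no recognisable dig header on stdin
classify_answer() {
    out=$(cat)
    case "$out" in
        *"timed out"*|*"no servers could be reached"*) echo TIMEOUT; return ;;
    esac
    # dig header: ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # dig flags line: ";; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ..."
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR) if [ "${answers:-0}" -gt 0 ]; then echo ANSWER; else echo NODATA; fi ;;
        "")      echo UNKNOWN ;;
        *)       echo "$status" ;;
    esac
}

# check_name NAME (hypothetical helper): find the enclosing zone's NS set by
# stripping leading labels until "dig NS" returns something, then ask each
# authoritative server directly, recursion disabled, for A, AAAA and MX.
# Needs network access and dig; not exercised by the offline demo below.
check_name() {
    name=$1
    zone=$name
    ns=
    while [ -n "$zone" ]; do
        ns=$(dig +short NS "$zone.")
        [ -n "$ns" ] && break
        case "$zone" in *.*) zone=${zone#*.} ;; *) zone= ;; esac
    done
    [ -n "$ns" ] || { echo "no NS set found for $name" >&2; return 1; }
    echo "zone: $zone"
    for server in $ns; do
        for type in A AAAA MX; do
            result=$(dig +norecurse +time=3 +tries=1 "@$server" "$name." "$type" | classify_answer)
            printf '%-35s %-5s %s\n' "$server" "$type" "$result"
        done
    done
}

# Constructed dig header fragments (not captured from any real server) so the
# classifier can be run offline; a live run replaces them with dig's output.
SAMPLE_NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1235
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1236
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1237
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; ANSWER SECTION:
test.example.   60  IN  AAAA  2001:db8::dead:beaf'

if [ $# -gt 0 ]; then
    check_name "$1"
else
    # Offline demo: expected output is NODATA REFUSED NXDOMAIN TIMEOUT ANSWER.
    for s in "$SAMPLE_NODATA" "$SAMPLE_REFUSED" "$SAMPLE_NXDOMAIN" \
             "$SAMPLE_TIMEOUT" "$SAMPLE_ANSWER"; do
        printf '%s\n' "$s" | classify_answer
    done
fi
```

For an AAAA-only name every authoritative server should print NODATA for A and MX and ANSWER for AAAA; a REFUSED, SERVFAIL or TIMEOUT on the A row from all servers is the situation in which unbound has nothing usable to return and reports "all servers for this domain failed".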
