Open minfrin opened 1 year ago
Let's verify Unbound IPv6 is enabled. Please run this command and make sure it returns "yes":
unbound-checkconf -o do-ip6
You may also want to set prefer-ip6 to yes in unbound.conf
The problem here isn't that do-ip6 is returning yes, the problem is that do-ip4 is returning yes:
[root@seawitch ~]# unbound-checkconf -o do-ip6
yes
[root@seawitch ~]# unbound-checkconf -o do-ip4
yes
Is there a way to disable ipv4 completely?
mirrors.rockylinux.org. 300 IN CNAME dualstack.dl.map.rockylinux.org.
dualstack.dl.map.rockylinux.org. 300 IN CNAME rockylinux.map.fastly.net.
You have a v6-only host which tries to resolve a name which is served by a v4-only DNS server (ns{1,2,3,4}.fastly.net). Does your v6-only host have v4 connectivity through NAT64? If not, it won't be able to reach any servers responsible for rockylinux.map.fastly.net and will hence return SERVFAIL.
If your network has NAT64, you can probably work around that using DNS64: https://nlnetlabs.nl/documentation/unbound/unbound.conf/#dns64-prefix
I ran into this error too. I've DNS64 enabled, and the host is ipv6-only. It appears that the DNS64 module generates its own lookups but doesn't convert the IPv4 address of sticky records into the NAT64 address properly.
Steps to reproduce:
de-nserver.de (any ipv4-only domain with ipv4-only nameservers that are served through sticky records on the same domain, aka. from ns1.example.com for example.com)
Not working:
de-nserver.de
dl-cdn.alpinelinux.org (because of fastly.net in the resolve chain, which has ns1.fastly.net, ns2.fastly.net, ns3.fastly.net and ns4.fastly.net as NS-Record, and none of them has an IPv6 address)
Relates to #721 and #722
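The failure discussed in this thread, modelled as an added example (not code from the thread or from Unbound): for each nameserver of a delegation it lists the addresses an IPv6-only resolver could query, with and without a NAT64 prefix, using the RFC 6052 /96 mapping. The zone names, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix; a network may run its own /96 instead.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

def nat64_map(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in a /96 NAT64 prefix (RFC 6052 section 2.2)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))

def upstream_targets(glue, prefix=None):
    """Map each nameserver to the IPv6 addresses an IPv6-only resolver can query.

    glue: {ns_name: [address strings]}. With prefix=None there is no NAT64,
    so a nameserver that only has A records ends up with an empty list.
    """
    targets = {}
    for ns, addrs in glue.items():
        usable = []
        for addr in map(ipaddress.ip_address, addrs):
            if addr.version == 6:
                usable.append(addr)          # native IPv6, always usable
            elif prefix is not None:
                usable.append(nat64_map(addr, prefix))  # reach IPv4 through NAT64
        targets[ns] = usable
    return targets

def delegation_reachable(glue, prefix=None):
    """True if at least one nameserver of the zone can be queried over IPv6."""
    return any(upstream_targets(glue, prefix).values())

# Constructed sample delegations (hypothetical names, documentation addresses).
V4_ONLY_ZONE = {"ns1.v4only.example.": ["192.0.2.33"],
                "ns2.v4only.example.": ["192.0.2.34"]}
DUAL_STACK_ZONE = {"ns1.dual.example.": ["198.51.100.7", "2001:db8::53"]}

if __name__ == "__main__":
    for name, zone in (("v4-only", V4_ONLY_ZONE), ("dual-stack", DUAL_STACK_ZONE)):
        print(name, "reachable without NAT64:", delegation_reachable(zone))
        print(name, "targets with NAT64:", upstream_targets(zone, WELL_KNOWN_PREFIX))
```

The IPv4-only delegation has no usable target until a NAT64 prefix is supplied, which corresponds to the SERVFAIL case reported here.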
Describe the bug
Resolving names on an IPv6-only host returns SERVFAIL as follows.
To reproduce
Steps to reproduce the behavior:
Expected behavior
A query for mirrors.rockylinux.org succeeds.
System:
unbound -V output:
[root@arnie ~]# unbound -V
Version 1.16.2
Configure line: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-pythonmodule --with-pyunbound PYTHON=/usr/bin/python3 --enable-dnstap --with-libnghttp2 --with-libevent --with-pthreads --with-ssl --disable-rpath --disable-static --enable-relro-now --enable-pie --enable-subnet --enable-ipsecmod --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/run/unbound/unbound.pid --enable-sha2 --disable-gost --enable-ecdsa --with-rootkey-file=/var/lib/unbound/root.key --enable-linux-ip-local-port-range --disable-sha1
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.1 14 Dec 2021
Linked modules: dns64 python ipsecmod subnetcache respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
Additional information
Logs show that unbound is attempting to make A requests to resolve upstream DNS, which on an IPv6 only host will fail by definition.
Is this a missing setting somewhere, or does unbound not support IPv6 only hosts?