Open minfrin opened 1 year ago
istenrot
commented
1 year ago Let's verify Unbound IPv6 is enabled. Plese run this command and make sure it returns "yes":
unbound-checkconf -o do-ip6
You may also want to set prefer-ip6 to yes in unbound.conf
minfrin
commented
1 year ago The problem here isn't that do-ip6 is returning yes, the problem is that do-ip4 is returning yes:
[root@seawitch ~]# unbound-checkconf -o do-ip6
yes
[root@seawitch ~]# unbound-checkconf -o do-ip4
yesIs there a way to disable ipv4 completely?
chantra
commented
1 year ago mirrors.rockylinux.org. 300 IN CNAME dualstack.dl.map.rockylinux.org.
dualstack.dl.map.rockylinux.org. 300 IN CNAME rockylinux.map.fastly.net.You have a v6-only host which tries to resolve a name which is served by a v4-only DNS server (ns{1,2,3,4}.fastly.net). Does your v6-only host have v4 connectivity through NAT64? If not, it won't be able to reach any servers responsible for rockylinux.map.fastly.net and will hence return SERVFAIL.
If your network has NAT64, you can probably work around that using DNS64: https://nlnetlabs.nl/documentation/unbound/unbound.conf/#dns64-prefix
agowa
commented
1 year ago I ran into this error too. I've DNS64 enabled, and the host is ipv6-only. It appears that the DNS64 module generates its own lookups but doesn't convert the IPv4 address of sticky records into the NAT64 address properly.
Steps to reproduce:
de-nserver.de (any ipv4-only domain with ipv4-only nameservers that are served through sticky records on the same domain, aka. from ns1.example.com for example.com)Not working:
de-nserver.dedl-cdn.alpinelinux.org (because of fastly.net in the resolve chain, which has ns1.fastly.net, ns2.fastly.net, ns3.fastly.net and ns4.fastly.net as NS-Record, and none of them has an IPv6 address)agowa
commented
1 year ago Relates to #721 and #722
Describe the bug
Resolving names on an IPv6-only host returns SERVFAIL as follows.
To reproduce Steps to reproduce the behavior:
Expected behavior
A query for mirrors.rockylinux.org succeeds.
System:
unbound -Voutput:[root@arnie ~]# unbound -V Version 1.16.2
Configure line: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-pythonmodule --with-pyunbound PYTHON=/usr/bin/python3 --enable-dnstap --with-libnghttp2 --with-libevent --with-pthreads --with-ssl --disable-rpath --disable-static --enable-relro-now --enable-pie --enable-subnet --enable-ipsecmod --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/run/unbound/unbound.pid --enable-sha2 --disable-gost --enable-ecdsa --with-rootkey-file=/var/lib/unbound/root.key --enable-linux-ip-local-port-range --disable-sha1 Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.1 14 Dec 2021 Linked modules: dns64 python ipsecmod subnetcache respip validator iterator
BSD licensed, see LICENSE in source package for details. Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
Additional information
Logs show that unbound is attempting to make A requests to resolve upstream DNS, which on an IPv6 only host will fail by definition.
Is this a missing setting somewhere, or does unbound not support IPv6 only hosts?