On 2024-09-20, Stuart Henderson <stu.li...@spacehopper.org> wrote:
> On 2024-09-20, Mike Fischer <fischer+o...@lavielle.com> wrote:
>>
>>> On 20.09.2024 at 12:13, Stuart Henderson <stu.li...@spacehopper.org> wrote:
>>>
>>> From what you've shown I can only assume the auth servers are broken
>>> and probably refusing to respond for A (rather than an empty NOERROR
>>> response).
>>
>> I agree, that is probably the root cause.
>>
>> So that would cause host(1) to abort looking for other RRsets? Is that not a
>> bug in host(1)?
>>
>> Note: I tried looking at the source code of host(1) but I can’t figure out
>> how it works.
>
> I think it's generally been fairly common to regard a fqdn (or a fqdn
> + server combination) as failing if any RRset for that fqdn fails with
> certain errors.
>
> Certainly there have been problems in the past where a client has made
> an AAAA request, the recursive NS has received no response (usually in
> this case because the site was using one of the common load-balancing
> auth servers that were broken in this way) and negatively cached this
> against the fqdn, then a followup A request has failed.
>
>>> AAAA-only is a somewhat rare case and IPv6 has only been supported in
>>> DNS since 2008 or so, it takes time to get the bugs worked out
>>> especially in custom DNS software like is probably used for a dynamic
>>> dns zone.
>>
>> Yes, a mere 18 years is rather new ;-)
>
> ;)
>
>>> If you show the real hostname, maybe someone can figure it out in
>>> more detail.
>>
>> This is an example hostname I created at dynv6.com for the purpose of
>> figuring out this issue:
>> test.fwml42.v6.rocks
>>
>> $ dig +short test.fwml42.v6.rocks aaaa
>> 2001:db8::dead:beaf
>> $ host test.fwml42.v6.rocks
>> Host test.fwml42.v6.rocks not found: 2(SERVFAIL)
>
> Well that's interesting.
>
> Querying any of the auth servers directly with host or dig, I do get
> what looks like a sensible response to A queries

Same with base and package versions of host(1), FWIW.

> $ host test.fwml42.v6.rocks. ns1.dynv6.com.
> Using domain server:
> Name: ns1.dynv6.com.
> Address: 95.216.144.82#53
> Aliases:
>
> test.fwml42.v6.rocks has IPv6 address 2001:db8::dead:beaf
> $ host -t a test.fwml42.v6.rocks. ns1.dynv6.com.
> Using domain server:
> Name: ns1.dynv6.com.
> Address: 95.216.144.82#53
> Aliases:
>
> test.fwml42.v6.rocks has no A record
>
> Testing with unbound 1.20.0 or 1.21.0 and there's no problem.
> From unbound (1.18.0) I get various of these,
>
> unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: exceeded
> the maximum nameserver nxdomains
> unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. A IN>: all servers
> for this domain failed, at zone v6.rocks. from 2a01:4f9:c010:95b:: nodata
> answer
> unbound: [71830:1] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: all servers
> for this domain failed, at zone v6.rocks. from 95.216.144.82 nodata answer
>
> I see this in changelog for 1.19.0 -
>
> Fix #946: Forwarder returns servfail on upstream response noerror no data.
>
> - the problem this fixes was introduced in 1.18.0 - this doesn't
> look from the description like it should be directly relevant (as no
> forwarder is involved), but it seems quite a similar situation.
> #946 is https://github.com/NLnetLabs/unbound/issues/946

Hmm, and also going up a level to this which has both A and AAAA:

$ host fwml42.v6.rocks.
fwml42.v6.rocks has address 79.226.210.86
fwml42.v6.rocks has IPv6 address 2003:e4:f33:1d00:30ab:221d:6b6d:7d96
Host fwml42.v6.rocks not found: 2(SERVFAIL)

with this logged:

unbound: [93237:0] error: SERVFAIL <fwml42.v6.rocks. MX IN>: all servers for this domain failed, at zone v6.rocks. from 2a01:4f8:1c1c:4c96:: nodata answer

-- 
Please keep replies on the mailing list.
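
Added example, not part of the thread: the distinction the discussion turns on, an empty NOERROR reply (NODATA) versus SERVFAIL, checked directly on DNS wire bytes. The messages are constructed in the script rather than captured from ns1.dynv6.com, and classify/build are hypothetical helper names.

```python
import socket
import struct
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:             # root label ends the name
            return off

def classify(msg):
    """Return ANSWER, NODATA, or the error rcode name for a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode, off, qtype = flags & 0x000F, 12, None
    for _ in range(qd):             # question section: name, qtype, qclass
        off = skip_name(msg, off) + 4
        qtype = struct.unpack("!H", msg[off - 4:off - 2])[0]
    if rcode != 0:
        return RCODES.get(rcode, f"RCODE{rcode}")
    matching = 0
    for _ in range(an):             # answer section: count RRs of the asked type
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        matching += rtype == qtype
    return "ANSWER" if matching else "NODATA"

def build(qname, qtype, rcode=0, rdata=b""):
    """Construct a sample authoritative response (test input, not captured)."""
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    hdr = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, 1 if rdata else 0, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return hdr + name + struct.pack("!2H", qtype, 1) + (rr if rdata else b"")

NAME = "test.fwml42.v6.rocks."
AAAA = socket.inet_pton(socket.AF_INET6, "2001:db8::dead:beaf")
SAMPLES = {  # constructed messages: type 28 is AAAA, type 1 is A
    "AAAA query": build(NAME, 28, rdata=AAAA),
    "A query, empty NOERROR": build(NAME, 1),
    "A query, SERVFAIL": build(NAME, 1, rcode=2),
}

if __name__ == "__main__":
    print({label: classify(msg) for label, msg in SAMPLES.items()})
```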