> Am 20.09.2024 um 12:13 schrieb Stuart Henderson <stu.li...@spacehopper.org>: > >> From what you've shown I can only assume the auth servers are broken > and probably refusing to respond for A (rather than an empty NOERROR > response).
I agree, that is probably the root cause. So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)? Note: I tried looking at the source code of host(1) but I can’t figure out how it works. > AAAA-only is a somewhat rare case and IPv6 has only been supported in > DNS since 2008 or so, it takes time to get the bugs worked out > especially in custom DNS software like is probably used for a dynamic > dns zone. Yes, a mere 18 years is rather new ;-) > If you show the real hostname, maybe someone can figure it out in > more detail. This is an example hostname I created at dynv6.com for the purpose of figuring out this issue: test.fwml42.v6.rocks $ dig +short test.fwml42.v6.rocks aaaa 2001:db8::dead:beaf $ host test.fwml42.v6.rocks Host test.fwml42.v6.rocks not found: 2(SERVFAIL) $ Thanks! Mike > > > On 2024-09-20, Mike Fischer <fischer+o...@lavielle.com> wrote: >> I am seeing a weird result on some OpenBSD 7.5 stable amd64 systems: >> >> The servers are running a local unbound(8) and /etc/resolv.conf is >> configured to use 127.0.0.1. >> $ cat /etc/resolv.conf >> nameserver 127.0.0.1 >> lookup file bind >> $ >> >> /var/unbound/etc/unbound.conf is almost default. Only the listening >> addresses and access limitations have been modified. Name resolution >> generally works fine on the hosts. >> >> I have a DNS hostname, call it test.example.dynv6.net, for which only an >> AAAA record exists. The authoritative name servers don’t use DNSSEC. >> >> Results: >> $ host test.example.dynv6.net >> Host test.example.dynv6.net not found: 2(SERVFAIL) >> $ >> >> $ dig +short test.example.dynv6.net aaaa >> 2001:db8::dead:beaf >> $ >> >> But for a different hostname (on a different domain, different nameservers, >> again with only an AAAA record, no A record, no DNSSEC), host(1) returns the >> IPv6 address as expected. >> >> Both host(1) and dig(1) should be using the local unbound(8). >> >> So why isn’t host(1) showing the IPv6 address for test.example.dynv6.net? Is >> this a bug in host(1) or am I doing something wrong? >> >> How can I debug this to find the root cause? >> >> >> I have added »log-servfail: yes« to /var/unbound/etc/unbound.conf and >> /var/log/daemon shows entries such as these, when the problem happens: >> Sep 20 10:23:03 xxx unbound: [70725:0] error: SERVFAIL >> <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone >> dynv6.net. from 95.216.144.82 nodata answer >> Sep 20 10:24:10 xxx unbound: [70725:0] error: SERVFAIL >> <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone >> dynv6.net. from 2a01:4f8:1c1c:4c96:: nodata answer >> >> So the problem seems to happen when host(1) tries to resolve the IPv4 >> address. Apparently once it fails it does not try to resolve the IPv6 >> address? >> >> >> Thanks! >> Mike >> > > > -- > Please keep replies on the mailing list. >