Re: ntpd tries to connect via ipv6

2016-06-01 Thread Liviu Daia 
On 31 May 2016, Lyndon Nerenberg  wrote:
> > On May 31, 2016, at 3:58 PM, Ted Unangst 
> > wrote:
> >
> > If we're talking about timeframes long enough for network
> > connectivity to come and go, that's long enough for IP addresses to
> > come and go as well.
>
> This is an interesting problem, in general.
>
> In my MTA development days, we would cache the targets of the MX
> record(s) we found in queued message's metadata.  For each host
> target, we included the absolute time the data would expire, based on
> the original MX lookup.  Expired records were ignored, and when we ran
> out of hosts we would re-run the MX lookup and update the meta-data.
> This worked quite well, considering the underlying DNS data didn't
> change all that often.  But SMTP sessions are not long-lived, so this
> just worked.
>
> These days I wish I had similar functionality in pf.  And not for
> mobile hosts.  E.g., at work we need to open up access to things like
> Paypal payment API hosts.  For those rules we can either hardwire IP
> addresses, or use their hostnames.  But they inevitably move their API
> hosts around.  In the first case, our list of hardwired IP addresses
> gets stale.  In the second, the addresses returned by the A(AAA)
> record lookup gets stale.  I would really like to be able to say
> "build the rule from this hostname, but refresh the A(AAA) record
> results as the underlying data's TTL expires."
>
> pf isn't special - this is the same problem as the ntpd example.  I've
> puzzled over how to deal with this, but I can't see a solution that
> doesn't involve some sort of proxy that isolates the process from the
> network changes.  And even then, you're dealing with at least a TCP
> connection reset if an existing address vanishes.  For some things,
> that's not an issue.  For others, ... ?

For pf there's an easy solution: put the IP in a persistent table,
and have a cron job resolve the name and update the table when the IP
changes.  Obviously this only works with rules that can take tables to
begin with, but that's good enough in many situations.

Regards,

Liviu Daia

Re: ntpd tries to connect via ipv6

2016-05-31 Thread Lyndon Nerenberg 
> On May 31, 2016, at 3:58 PM, Ted Unangst  wrote:
>
> If we're talking about timeframes long enough for network connectivity to
come
> and go, that's long enough for IP addresses to come and go as well.

This is an interesting problem, in general.

In my MTA development days, we would cache the targets of the MX record(s) we
found in queued message's metadata.  For each host target, we included the
absolute time the data would expire, based on the original MX lookup.  Expired
records were ignored, and when we ran out of hosts we would re-run the MX
lookup and update the meta-data.  This worked quite well, considering the
underlying DNS data didn't change all that often.  But SMTP sessions are not
long-lived, so this just worked.

These days I wish I had similar functionality in pf.  And not for mobile
hosts.  E.g., at work we need to open up access to things like Paypal payment
API hosts.  For those rules we can either hardwire IP addresses, or use their
hostnames.  But they inevitably move their API hosts around.  In the first
case, our list of hardwired IP addresses gets stale.  In the second, the
addresses returned by the A(AAA) record lookup gets stale.  I would really
like to be able to say "build the rule from this hostname, but refresh the
A(AAA) record results as the underlying data's TTL expires."

pf isn't special - this is the same problem as the ntpd example.  I've puzzled
over how to deal with this, but I can't see a solution that doesn't involve
some sort of proxy that isolates the process from the network changes.  And
even then, you're dealing with at least a TCP connection reset if an existing
address vanishes.  For some things, that's not an issue.  For others, ... ?

Re: ntpd tries to connect via ipv6

2016-05-31 Thread Ted Unangst 
Carlin Bingham wrote:
> On Tue, May 31, 2016 at 01:45:23PM -0400, Ted Unangst wrote:
> > Jeremie Courreges-Anglas wrote:
> > > ntpd(8) doesn't use getaddrinfo+AI_ADDRCONFIG, which is supposed to skip
> > > DNS requests for IPv6 if the machine doesn't have IPv6 addresses
> > > configured.
> > 
> > reyk added a comment to that effect, but I don't know why.
> > 
> > /* ntpd MUST NOT use AI_ADDRCONFIG here */
> > error = getaddrinfo(s, NULL, &hints, &res0);
> > 
> 
> ipv6 might become available after startup:
> https://marc.info/?l=openbsd-tech&m=142370671523470&w=2

>> the availability of IPv6 at startup does
not necessarily mean that it will not be available later.  ntpd is a
long-running process that is also used on laptops etc. that move
between networks but ntpd keeps on running.

This of course leads to a second question. What if, while that long running
ntpd is running, the hostname to IP mapping changes? Does it continue probing
the wrong IP?

If we're talking about timeframes long enough for network connectivity to come
and go, that's long enough for IP addresses to come and go as well.

Re: ntpd tries to connect via ipv6

2016-05-31 Thread Carlin Bingham 
On Tue, May 31, 2016 at 01:45:23PM -0400, Ted Unangst wrote:
> Jeremie Courreges-Anglas wrote:
> > ntpd(8) doesn't use getaddrinfo+AI_ADDRCONFIG, which is supposed to skip
> > DNS requests for IPv6 if the machine doesn't have IPv6 addresses
> > configured.
> 
> reyk added a comment to that effect, but I don't know why.
> 
>   /* ntpd MUST NOT use AI_ADDRCONFIG here */
>   error = getaddrinfo(s, NULL, &hints, &res0);
> 

ipv6 might become available after startup:
https://marc.info/?l=openbsd-tech&m=142370671523470&w=2


--
Carlin

Re: ntpd tries to connect via ipv6

2016-05-31 Thread Sonic 
On Tue, May 31, 2016 at 1:04 PM, Stefan Wollny  wrote:
> I asked this just last week.

Indeed! Sorry I missed it.

Thanks all!

Re: ntpd tries to connect via ipv6

2016-05-31 Thread Evgeniy Sudyr 
Sonic,

I can confirm same issue on -current when ntpd tries to use 
record to resolve constraints IP address.

Can you check and confirm if you don't have IPv6 address :)

I guess you should have at least link-local and loopback IPv6 addresses :)

ifconfig  | grep inet6
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3


# cat /etc/ntpd.conf
# $OpenBSD: ntpd.conf,v 1.14 2015/07/15 20:28:37 ajacoutot Exp $
#
# See ntpd.conf(5) and /etc/examples/ntpd.conf
#servers pool.ntp.org
#sensor *
constraints from "https://www.google.com";

# ntpd -d -s -v
ntp engine ready
set local clock to Tue May 31 20:51:36 EEST 2016 (offset 0.00s)
tls connect failed: 2a00:1450:401b:801::2004 (www.google.com):
connect: No route to host
no constraint reply from 2a00:1450:401b:801::2004 received in time,
next query 900s
constraint reply from 173.194.113.211: offset -0.803262

On Tue, May 31, 2016 at 6:36 PM, Sonic  wrote:
> Getting many such log entries:
> ===
> May 31 08:53:34 stargate ntpd[5702]: tls connect failed:
> 2607:f8b0:4009:808::2004 (www.google.com): connect: No route to host
> May 31 09:08:35 stargate ntpd[15803]: tls connect failed:
> 2607:f8b0:4009:808::2004 (www.google.com): connect: No route to host
> May 31 09:23:36 stargate ntpd[92515]: tls connect failed:
> 2607:f8b0:4009:808::2004 (www.google.com): connect: No route to host
> ===
>
> ntpd.conf has the line: constraints from "https://www.google.com";
>
> System has no ipv6 addresses. Unbound is resolving DNS server with "do-ip6: 
> no".
>
> resolv.conf uses "nameserver 127.0.0.1" (Unbound serving on this address)
>
> normal lookups (dig) only return the ipv4 address for www.google.com
>
> Why does ntpd attempt to connect on an ipv6 address?
>
> Thanks,
>
> Chris
>



-- 
--
With regards,
Eugene Sudyr

Re: ntpd tries to connect via ipv6

2016-05-31 Thread Ted Unangst 
Jeremie Courreges-Anglas wrote:
> ntpd(8) doesn't use getaddrinfo+AI_ADDRCONFIG, which is supposed to skip
> DNS requests for IPv6 if the machine doesn't have IPv6 addresses
> configured.

reyk added a comment to that effect, but I don't know why.

/* ntpd MUST NOT use AI_ADDRCONFIG here */
error = getaddrinfo(s, NULL, &hints, &res0);

Re: ntpd tries to connect via ipv6

2016-05-31 Thread Stefan Wollny 
Am 05/31/16 um 18:36 schrieb Sonic:
> Getting many such log entries:
> ===
> May 31 08:53:34 stargate ntpd[5702]: tls connect failed:
> 2607:f8b0:4009:808::2004 (www.google.com): connect: No route to host
> May 31 09:08:35 stargate ntpd[15803]: tls connect failed:
> 2607:f8b0:4009:808::2004 (www.google.com): connect: No route to host
> May 31 09:23:36 stargate ntpd[92515]: tls connect failed:
> 2607:f8b0:4009:808::2004 (www.google.com): connect: No route to host
> ===
> 
> ntpd.conf has the line: constraints from "https://www.google.com";
> 
> System has no ipv6 addresses. Unbound is resolving DNS server with "do-ip6: 
> no".
> 
> resolv.conf uses "nameserver 127.0.0.1" (Unbound serving on this address)
> 
> normal lookups (dig) only return the ipv4 address for www.google.com
> 
> Why does ntpd attempt to connect on an ipv6 address?
> 
> Thanks,
> 
> Chris
> 
I asked this just last week. Carlin Bingham's answer solved the issue
for me (http://article.gmane.org/gmane.os.openbsd.misc/231185):


In /etc/resolv.conf, add:

family inet4

(Well: I actually added it in /etc/resolv.conf.tail ...)
Best,
STEFAN

Re: ntpd tries to connect via ipv6

2016-05-31 Thread Mihai Popescu 
http://marc.info/?l=openbsd-misc&m=146401377026646&w=2

ntpd tries to connect via ipv6

2016-05-31 Thread Sonic 
Getting many such log entries:
===
May 31 08:53:34 stargate ntpd[5702]: tls connect failed:
2607:f8b0:4009:808::2004 (www.google.com): connect: No route to host
May 31 09:08:35 stargate ntpd[15803]: tls connect failed:
2607:f8b0:4009:808::2004 (www.google.com): connect: No route to host
May 31 09:23:36 stargate ntpd[92515]: tls connect failed:
2607:f8b0:4009:808::2004 (www.google.com): connect: No route to host
===

ntpd.conf has the line: constraints from "https://www.google.com";

System has no ipv6 addresses. Unbound is resolving DNS server with "do-ip6: no".

resolv.conf uses "nameserver 127.0.0.1" (Unbound serving on this address)

normal lookups (dig) only return the ipv4 address for www.google.com

Why does ntpd attempt to connect on an ipv6 address?

Thanks,

Chris

Re: ntpd tries to connect via ipv6

2016-05-31 Thread Jeremie Courreges-Anglas 
Sonic  writes:

> Getting many such log entries:
> ===
> May 31 08:53:34 stargate ntpd[5702]: tls connect failed:
> 2607:f8b0:4009:808::2004 (www.google.com): connect: No route to host
> May 31 09:08:35 stargate ntpd[15803]: tls connect failed:
> 2607:f8b0:4009:808::2004 (www.google.com): connect: No route to host
> May 31 09:23:36 stargate ntpd[92515]: tls connect failed:
> 2607:f8b0:4009:808::2004 (www.google.com): connect: No route to host
> ===
>
> ntpd.conf has the line: constraints from "https://www.google.com";
>
> System has no ipv6 addresses. Unbound is resolving DNS server with "do-ip6: 
> no".
>
> resolv.conf uses "nameserver 127.0.0.1" (Unbound serving on this address)
>
> normal lookups (dig) only return the ipv4 address for www.google.com
>
> Why does ntpd attempt to connect on an ipv6 address?

ntpd(8) doesn't use getaddrinfo+AI_ADDRCONFIG, which is supposed to skip
DNS requests for IPv6 if the machine doesn't have IPv6 addresses
configured.

An IPv4 connectivity problem may lead ntpd to fall back to trying IPv6.
See the resolv.conf(5) "family" keyword for a way to disable IPv6 DNS
requests.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE