DNS resolution issue for security-cdn.debian.org
Hello,
On an IPv6-only host using unbound, it is not possible to resolve the
IP address of security-cdn.debian.org. It works for www.debian.org.
Apparently the difference is that there is a cycle in the dependencies
of the name servers. At the end, the resolver tries to resolve
dns1.nic.at that has no IPv6 address.
Here is an extract of unbound logs:
info: resolving security-cdn.debian.org. AAAA IN
info: new target sec1.rcode0.net. AAAA IN
info: new target sec2.rcode0.net. AAAA IN
info: resolving sec1.rcode0.net. AAAA IN
info: resolving sec2.rcode0.net. AAAA IN
info: new target dns1.nic.at. AAAA IN
info: resolving dns1.nic.at. AAAA IN
info: new target ns3.fastly.net. AAAA IN
info: new target ns2.fastly.net. AAAA IN
info: new target ns1.fastly.net. AAAA IN
info: resolving ns2.fastly.net. AAAA IN
info: skipping target due to dependency cycle (harden-glue: no may fix some of the cycles) ns2.fastly.net. A IN
...
info: skipping target due to dependency cycle ns3.fastly.net. AAAA IN
info: new target dns1.nic.at. AAAA IN info: resolving dns1.nic.at. AAAA IN
...
debug: out of query targets -- returning SERVFAIL
For www.debian.org, the resolution is straightforward.
info: resolving www.debian.org. AAAA IN
info: new target geo1.debian.org. AAAA IN
info: resolving geo1.debian.org. AAAA IN
info: resolving debian.org. DNSKEY IN
info: resolving www.debian.org. DNSKEY IN
info: query response was ANSWER
Regards,
Laurent
Reply to: