Re: DNS resolution issue for security-cdn.debian.org
Laurent Pelecq:
> Hello,
>
Hi Laurent,
Thanks for reporting this. I am forwarding your email to
debian-admin@l.d.o.
(Leaving the original mail in full quote below for DSA)
Thanks,
~Niels
> On an IPv6-only host using unbound, it is not possible to resolve the
> IP address of security-cdn.debian.org. It works for www.debian.org.
>
> Apparently the difference is that there is a cycle in the dependencies
> of the name servers. At the end, the resolver tries to resolve
> dns1.nic.at that has no IPv6 address.
>
> Here is an extract of unbound logs:
>
> info: resolving security-cdn.debian.org. AAAA IN
> info: new target sec1.rcode0.net. AAAA IN
> info: new target sec2.rcode0.net. AAAA IN
> info: resolving sec1.rcode0.net. AAAA IN
> info: resolving sec2.rcode0.net. AAAA IN
> info: new target dns1.nic.at. AAAA IN
> info: resolving dns1.nic.at. AAAA IN
> info: new target ns3.fastly.net. AAAA IN
> info: new target ns2.fastly.net. AAAA IN
> info: new target ns1.fastly.net. AAAA IN
> info: resolving ns2.fastly.net. AAAA IN
> info: skipping target due to dependency cycle (harden-glue: no may fix some of the cycles) ns2.fastly.net. A IN
> ...
> info: skipping target due to dependency cycle ns3.fastly.net. AAAA IN
> info: new target dns1.nic.at. AAAA IN info: resolving dns1.nic.at. AAAA IN
> ...
> debug: out of query targets -- returning SERVFAIL
>
> For www.debian.org, the resolution is straightforward.
>
> info: resolving www.debian.org. AAAA IN
> info: new target geo1.debian.org. AAAA IN
> info: resolving geo1.debian.org. AAAA IN
> info: resolving debian.org. DNSKEY IN
> info: resolving www.debian.org. DNSKEY IN
> info: query response was ANSWER
>
> Regards,
>
> Laurent
>
Reply to: