Re: DNS resolution issue for security-cdn.debian.org

[Niels Thykier <niels@thykier.net>]

Laurent Pelecq:
> Hello,
> 

Hi Laurent,

Thanks for reporting this.  I am forwarding your email to
debian-admin@l.d.o.

(Leaving the original mail in full quote below for DSA)

Thanks,
~Niels

> On an IPv6-only host using unbound, it is not possible to resolve the
> IP address of security-cdn.debian.org. It works for www.debian.org.
> 
> Apparently the difference is that there is a cycle in the dependencies
> of the name servers. At the end, the resolver tries to resolve
> dns1.nic.at that has no IPv6 address.
> 
> Here is an extract of unbound logs:
> 
>     info: resolving security-cdn.debian.org. AAAA IN
>     info: new target sec1.rcode0.net. AAAA IN
>     info: new target sec2.rcode0.net. AAAA IN
>     info: resolving sec1.rcode0.net. AAAA IN
>     info: resolving sec2.rcode0.net. AAAA IN
>     info: new target dns1.nic.at. AAAA IN
>     info: resolving dns1.nic.at. AAAA IN
>     info: new target ns3.fastly.net. AAAA IN
>     info: new target ns2.fastly.net. AAAA IN
>     info: new target ns1.fastly.net. AAAA IN
>     info: resolving ns2.fastly.net. AAAA IN
>     info: skipping target due to dependency cycle (harden-glue: no may fix some of the cycles) ns2.fastly.net. A IN
>     ...
>     info: skipping target due to dependency cycle ns3.fastly.net. AAAA IN
>     info: new target dns1.nic.at. AAAA IN info: resolving dns1.nic.at. AAAA IN
>     ...
>     debug: out of query targets -- returning SERVFAIL
> 
> For www.debian.org, the resolution is straightforward.
> 
>     info: resolving www.debian.org. AAAA IN
>     info: new target geo1.debian.org. AAAA IN
>     info: resolving geo1.debian.org. AAAA IN
>     info: resolving debian.org. DNSKEY IN
>     info: resolving www.debian.org. DNSKEY IN
>     info: query response was ANSWER
> 
> Regards,
> 
> Laurent
>