
IPv6-only recursive resolving of cache.nixos.org broken

Open mweinelt opened this issue 4 years ago • 13 comments

Recursively resolving cache.nixos.org in an IPv6-only setup is impossible, since the fastly.com authoritative nameservers don't provide IPv6 connectivity.

# drill -T cache.nixos.org AAAA
.	518400	IN	NS	a.root-servers.net.
.	518400	IN	NS	b.root-servers.net.
.	518400	IN	NS	c.root-servers.net.
.	518400	IN	NS	d.root-servers.net.
.	518400	IN	NS	e.root-servers.net.
.	518400	IN	NS	f.root-servers.net.
.	518400	IN	NS	g.root-servers.net.
.	518400	IN	NS	h.root-servers.net.
.	518400	IN	NS	i.root-servers.net.
.	518400	IN	NS	j.root-servers.net.
.	518400	IN	NS	k.root-servers.net.
.	518400	IN	NS	l.root-servers.net.
.	518400	IN	NS	m.root-servers.net.
org.	172800	IN	NS	a0.org.afilias-nst.info.
org.	172800	IN	NS	a2.org.afilias-nst.info.
org.	172800	IN	NS	b0.org.afilias-nst.org.
org.	172800	IN	NS	b2.org.afilias-nst.org.
org.	172800	IN	NS	c0.org.afilias-nst.info.
org.	172800	IN	NS	d0.org.afilias-nst.org.
nixos.org.	86400	IN	NS	dns1.p02.nsone.net.
nixos.org.	86400	IN	NS	dns2.p02.nsone.net.
nixos.org.	86400	IN	NS	dns3.p02.nsone.net.
nixos.org.	86400	IN	NS	dns4.p02.nsone.net.
cache.nixos.org.	3600	IN	CNAME	dualstack.v2.shared.global.fastly.net.
net.	172800	IN	NS	b.gtld-servers.net.
net.	172800	IN	NS	k.gtld-servers.net.
net.	172800	IN	NS	c.gtld-servers.net.
net.	172800	IN	NS	i.gtld-servers.net.
net.	172800	IN	NS	a.gtld-servers.net.
net.	172800	IN	NS	g.gtld-servers.net.
net.	172800	IN	NS	l.gtld-servers.net.
net.	172800	IN	NS	e.gtld-servers.net.
net.	172800	IN	NS	d.gtld-servers.net.
net.	172800	IN	NS	h.gtld-servers.net.
net.	172800	IN	NS	j.gtld-servers.net.
net.	172800	IN	NS	m.gtld-servers.net.
net.	172800	IN	NS	f.gtld-servers.net.
fastly.net.	172800	IN	NS	ns1.fastly.net.
fastly.net.	172800	IN	NS	ns2.fastly.net.
fastly.net.	172800	IN	NS	ns3.fastly.net.
fastly.net.	172800	IN	NS	ns4.fastly.net.

Debian, who also host their cache at Fastly, have their CNAME set to something below fastlydns.net, which does have full IPv6 connectivity.

# drill -T deb.debian.org AAAA
.	518400	IN	NS	a.root-servers.net.
.	518400	IN	NS	b.root-servers.net.
.	518400	IN	NS	c.root-servers.net.
.	518400	IN	NS	d.root-servers.net.
.	518400	IN	NS	e.root-servers.net.
.	518400	IN	NS	f.root-servers.net.
.	518400	IN	NS	g.root-servers.net.
.	518400	IN	NS	h.root-servers.net.
.	518400	IN	NS	i.root-servers.net.
.	518400	IN	NS	j.root-servers.net.
.	518400	IN	NS	k.root-servers.net.
.	518400	IN	NS	l.root-servers.net.
.	518400	IN	NS	m.root-servers.net.
org.	172800	IN	NS	d0.org.afilias-nst.org.
org.	172800	IN	NS	a0.org.afilias-nst.info.
org.	172800	IN	NS	c0.org.afilias-nst.info.
org.	172800	IN	NS	a2.org.afilias-nst.info.
org.	172800	IN	NS	b0.org.afilias-nst.org.
org.	172800	IN	NS	b2.org.afilias-nst.org.
debian.org.	86400	IN	NS	nsp.dnsnode.net.
debian.org.	86400	IN	NS	dns4.easydns.info.
debian.org.	86400	IN	NS	sec1.rcode0.net.
debian.org.	86400	IN	NS	sec2.rcode0.net.
deb.debian.org.	3600	IN	CNAME	debian.map.fastlydns.net.
net.	172800	IN	NS	a.gtld-servers.net.
net.	172800	IN	NS	b.gtld-servers.net.
net.	172800	IN	NS	c.gtld-servers.net.
net.	172800	IN	NS	d.gtld-servers.net.
net.	172800	IN	NS	e.gtld-servers.net.
net.	172800	IN	NS	f.gtld-servers.net.
net.	172800	IN	NS	g.gtld-servers.net.
net.	172800	IN	NS	h.gtld-servers.net.
net.	172800	IN	NS	i.gtld-servers.net.
net.	172800	IN	NS	j.gtld-servers.net.
net.	172800	IN	NS	k.gtld-servers.net.
net.	172800	IN	NS	l.gtld-servers.net.
net.	172800	IN	NS	m.gtld-servers.net.
fastlydns.net.	172800	IN	NS	ns1.fastlydns.net.
fastlydns.net.	172800	IN	NS	ns2.fastlydns.net.
fastlydns.net.	172800	IN	NS	ns3.fastlydns.net.
fastlydns.net.	172800	IN	NS	ns4.fastlydns.net.
debian.map.fastlydns.net.	30	IN	AAAA	2a04:4e42:62::644
fastlydns.net.	86400	IN	NS	ns1.fastlydns.net.
fastlydns.net.	86400	IN	NS	ns2.fastlydns.net.
fastlydns.net.	86400	IN	NS	ns3.fastlydns.net.
fastlydns.net.	86400	IN	NS	ns4.fastlydns.net.

Can we find out what this is, and how we can get it, too?

mweinelt avatar Aug 18 '21 17:08 mweinelt

I'm not sure if that's possible. debian.map.fastlydns.net. looks like something custom they got from Fastly.

https://support.fastly.com/hc/en-us/articles/360035069912-IPv6-support doesn't mention fastlydns.

zimbatm avatar Aug 30 '21 20:08 zimbatm

I agree that it's weird that ns1.fastly.net doesn't reply AAAA. Luckily, most of the time I would expect an intermediate DNS to reply to the query but still.

zimbatm avatar Aug 30 '21 20:08 zimbatm

The problem is that ns1.fastly.net is not reachable via IPv6, not that it does not reply with a AAAA record (which it does for me).

❯ echo ns{1,2,3,4}.fastly.net | xargs -n 1 host -t AAAA
ns1.fastly.net has no AAAA record
ns2.fastly.net has no AAAA record
ns3.fastly.net has no AAAA record
ns4.fastly.net has no AAAA record

mweinelt avatar Aug 30 '21 20:08 mweinelt
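An added example, not part of the original thread: a Python sketch of the check discussed above, which reads `drill -T` trace lines and `host -t AAAA` output and lists the delegated zones whose nameservers all lack a AAAA record. The sample inputs are constructed in the formats shown in this issue, the `2001:db8::` addresses are documentation placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample: abbreviated `drill -T` lines in the format shown in the issue.
TRACE = """\
nixos.org. 86400 IN NS dns1.p02.nsone.net.
cache.nixos.org. 3600 IN CNAME dualstack.v2.shared.global.fastly.net.
fastly.net. 172800 IN NS ns1.fastly.net.
fastly.net. 172800 IN NS ns2.fastly.net.
fastlydns.net. 172800 IN NS ns1.fastlydns.net.
"""

# Constructed `host -t AAAA` output; the addresses are placeholders, not real data.
HOST_OUT = """\
dns1.p02.nsone.net has IPv6 address 2001:db8::53
ns1.fastly.net has no AAAA record
ns2.fastly.net has no AAAA record
ns1.fastlydns.net has IPv6 address 2001:db8::54
"""

def norm(name):
    """Lower-case a DNS name and drop the trailing dot (the root stays '.')."""
    return name.rstrip(".").lower() or "."

def parse_delegations(trace):
    """Map each zone to its NS names, in the order the zones appear."""
    zones = {}
    for line in trace.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "NS":
            servers = zones.setdefault(norm(fields[0]), [])
            if norm(fields[4]) not in servers:
                servers.append(norm(fields[4]))
    return zones

def parse_host_aaaa(output):
    """Map each probed name to True if `host` reported any IPv6 address."""
    has_v6 = {}
    for line in output.splitlines():
        m = re.match(r"(\S+) has (IPv6 address|no AAAA record)", line)
        if m:
            name = norm(m.group(1))
            has_v6[name] = has_v6.get(name, False) or m.group(2) == "IPv6 address"
    return has_v6

def ipv4_only_zones(trace, host_output):
    """Zones where no nameserver has a AAAA record (unprobed names count as none)."""
    has_v6 = parse_host_aaaa(host_output)
    return [zone for zone, servers in parse_delegations(trace).items()
            if not any(has_v6.get(ns, False) for ns in servers)]

if __name__ == "__main__":
    print(ipv4_only_zones(TRACE, HOST_OUT))
```

The check is record-based only: a nameserver that publishes a AAAA record can still be unreachable over IPv6, so a clean result here does not replace an actual trace from an IPv6-only host.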

I don't know... so poke their support? https://support.fastly.com

It might work even without any customer account. Any better ideas? EDIT: I did look into their docs further and found nothing.

vcunat avatar Aug 31 '21 14:08 vcunat

Query sent.

vcunat avatar Sep 06 '21 09:09 vcunat

I'll need our account ID, apparently.

We may be able to squeeze you into our IPv6 authoritative DNS delivery beta program, if you're happy to do so. You will need to agree to our Terms of Service conditions which should be with you soon.

Can you confirm your account ID please.

EDIT: I hope "beta" doesn't mean anything risky really.

EDIT2: we're following up the support thread now.

vcunat avatar Sep 07 '21 17:09 vcunat

Nothing risky is involved but we would like to make you aware of the fact that performance is not as tuned as for our IPv4 only DNS answers so you may see something there. You will also need to work with us to provide us with insight into any performance issues you may see. We will use that insight to help improve the performance. If you're ok with this we are happy to include you.

Sounds OK to me, but I expect that also someone else should ACK it before proceeding.

I don't expect that speed of DNS itself could be as significant for us in this case, as there are few names and will be mostly used in large batches (amortization through caching).

vcunat avatar Sep 09 '21 09:09 vcunat

Hmm, their "beta" wording isn't as encouraging as I hoped, e.g.

Fastly strongly advises against using production traffic for Beta products due to their dynamic nature.

vcunat avatar Sep 09 '21 15:09 vcunat

Yeah, let's wait.

zimbatm avatar Sep 09 '21 16:09 zimbatm

Happy 1 year anniversary of this issue. Just contacted Fastly support about this to see what they say.

Update: they said I'd hear back tomorrow.

grahamc avatar Oct 02 '22 20:10 grahamc

IPv6 has been enabled on all our distributions. However, it involves a configuration change in our DNS. I'm confirming with Fastly that we should in fact replace the CNAMEs with A's and AAAA's on our end.

grahamc avatar Oct 03 '22 17:10 grahamc

Is there any news on this topic?

Kabbone avatar Dec 05 '22 19:12 Kabbone

IPv6 has been enabled on all our distributions. However, it involves a configuration change in our DNS. I'm confirming with Fastly that we should in fact replace the CNAMEs with A's and AAAA's on our end.

To me it looks like they are returning different A/AAAA records depending on where you resolve the domain from. So I don't think this is a good idea.

Mic92 avatar Aug 18 '24 05:08 Mic92