Supporting dual stack networking (prefer IPv6)
Summary
As a developer, I want to configure dynamic VMOD to support dualstack when resolving backend endpoint IPs, so I can support dual stack architectures.
Is it possible to "prefer" IPv6 somehow before libvmod-dynamic considers returning IPv4 addresses when calling xdynamic.backend() without hacking around with operating system settings, /etc/gai.conf or network architecture?
I have looked into this VTC test but after some tests it seems that the acl will rule out IPv4 addresses completely from DNS resolution but I would like to support a softer fallback to ease migration and integration for our backend teams.
Background
Our network architecture mandates the usage of dual stack networking, i.e. support for both IPv4 and IPv6 addresses on the same DNS name (not record). Currently, the setup is HAProxy -> Varnish backend -> HAProxy backend -> resolve-prefer ipv6 -> origin, so a very standard Varnish architecture, but we want to switch to using libvmod-dynamic instead.
For example, if I want to proxy example.com with Varnish and libvmod-dynamic, it resolves to the following IPs:
$ dig +short A example.com
23.215.0.136
23.215.0.138
96.7.128.175
96.7.128.198
23.192.228.80
23.192.228.8
$ dig +short AAAA example.com
2600:1408:ec00:36::1736:7f24
2600:1408:ec00:36::1736:7f31
2600:1406:3a00:21::173e:2e65
2600:1406:3a00:21::173e:2e66
2600:1406:bc00:53::b81e:94c8
2600:1406:bc00:53::b81e:94ce
My use case involves the following scenario:
- If example.com supports IPv6 via AAAA record, those IPs should be preferred
- If example.com does not support IPv6, fallback to IPv4
This is similar to HAProxy's resolve-prefer option.
Environment
- Varnish with libvmod-dynamic from varnish:7.6.1 docker image
- HAProxy configured via ssl on to onload TLS
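
The difference between the hard family filter and the soft preference requested above, as an added example that is not part of the original issue and is not libvmod-dynamic code. The function names are hypothetical and the addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed resolver answers (documentation address ranges), not real DNS data.
DUAL_STACK = ["192.0.2.10", "192.0.2.11", "2001:db8::10", "2001:db8::11"]
V4_ONLY = ["198.51.100.7", "198.51.100.8"]


def split_by_family(addrs):
    """Parse address strings and group them by IP version (4 or 6)."""
    groups = {4: [], 6: []}
    for raw in addrs:
        ip = ipaddress.ip_address(raw)  # raises ValueError on malformed input
        groups[ip.version].append(ip)
    return groups


def hard_filter(addrs, version=6):
    """Hard filter: addresses of the other family are dropped outright."""
    return split_by_family(addrs)[version]


def prefer_family(addrs, version=6):
    """Soft preference: use the preferred family if present, else fall back."""
    groups = split_by_family(addrs)
    other = 4 if version == 6 else 6
    return groups[version] or groups[other]


def describe(name, addrs):
    """Return the backend set each policy would yield for one DNS name."""
    return {
        "name": name,
        "hard_filter": [str(a) for a in hard_filter(addrs)],
        "prefer_ipv6": [str(a) for a in prefer_family(addrs)],
    }


if __name__ == "__main__":
    # Hypothetical names: one dual-stack origin, one IPv4-only origin.
    for name, addrs in (("dual.example", DUAL_STACK), ("legacy.example", V4_ONLY)):
        print(describe(name, addrs))
```

For the IPv4-only name the hard filter leaves no backend at all, while the soft preference still returns the IPv4 addresses.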