Kresd: Problem resolving ppl.cz - timeout (kresd uses non-working IPv6)

Hi, I have a DNS resolution problem when kresd is set to not forward.

My ISP doesn’t provide IPv6, so I don’t have any default IPv6 route on Omnia.

Nevertheless, when resolving ppl.cz, kresd seems to choose an IPv6 upstream DNS server to ask, and that of course fails. I’m not really sure why that happens.

The debug log looks like this:

Nov  3 18:39:03 turris kresd[9765]: [plan  ][00000.00] plan 'ppl.cz.' type 'A' uid [22507.00]
Nov  3 18:39:03 turris kresd[9765]: [iterat][22507.00]   'ppl.cz.' type 'A' new uid was assigned .01, parent uid .00
Nov  3 18:39:03 turris kresd[9765]: [cache ][22507.01]   => no NSEC* cached for zone: ppl.cz.
Nov  3 18:39:03 turris kresd[9765]: [cache ][22507.01]   => skipping zone: ppl.cz., NSEC, hash 0;new TTL -123456789, ret -2
Nov  3 18:39:03 turris kresd[9765]: [cache ][22507.01]   => skipping zone: ppl.cz., NSEC, hash 0;new TTL -123456789, ret -2
Nov  3 18:39:03 turris kresd[9765]: [zoncut][22507.01]   found cut: ppl.cz. (rank 002 return codes: DS 0, DNSKEY -2)
Nov  3 18:39:03 turris kresd[9765]: [plan  ][22507.01]   plan 'ppl.cz.' type 'DNSKEY' uid [22507.02]
Nov  3 18:39:03 turris kresd[9765]: [iterat][22507.02]     'ppl.cz.' type 'DNSKEY' new uid was assigned .03, parent uid .01
Nov  3 18:39:03 turris kresd[9765]: [cache ][22507.03]     => no NSEC* cached for zone: ppl.cz.
Nov  3 18:39:03 turris kresd[9765]: [cache ][22507.03]     => skipping zone: ppl.cz., NSEC, hash 0;new TTL -123456789, ret -2
Nov  3 18:39:03 turris kresd[9765]: [cache ][22507.03]     => skipping zone: ppl.cz., NSEC, hash 0;new TTL -123456789, ret -2
Nov  3 18:39:03 turris kresd[9765]: [select][22507.03]     => id: '57656' choosing from addresses: 6 v4 + 5 v6; names to resolve: 0 v4 + 1 v6; force_resolve: 0; NO6: IPv6 is OK
Nov  3 18:39:03 turris kresd[9765]: [select][22507.03]     => id: '57656' choosing: 'ns4.dhl.com.'@'2a05:4a40:fff3:410a::1#00053' with timeout 400 ms zone cut: 'ppl.cz.'
Nov  3 18:39:03 turris kresd[9765]: [resolv][22507.03]     => id: '57656' querying: 'ns4.dhl.com.'@'2a05:4a40:fff3:410a::1#00053' zone cut: 'ppl.cz.' qname: 'ppl.cz.' qtype: 'DNSKEY' proto: 'udp'
Nov  3 18:39:03 turris kresd[9765]: [select][22507.03]     NO6: timed out, appended, timeouts 2/6
Nov  3 18:39:03 turris kresd[9765]: [select][22507.03]     => id: '57656' noting selection error: 'ns4.dhl.com.'@'2a05:4a40:fff3:410a::1#00053' zone cut: 'ppl.cz.' error: 1 QUERY_TIMEOUT
Nov  3 18:39:03 turris kresd[9765]: [iterat][22507.03]     'ppl.cz.' type 'DNSKEY' new uid was assigned .04, parent uid .01
Nov  3 18:39:03 turris kresd[9765]: [select][22507.04]     => id: '14243' choosing from addresses: 6 v4 + 5 v6; names to resolve: 0 v4 + 1 v6; force_resolve: 0; NO6: IPv6 is OK
Nov  3 18:39:03 turris kresd[9765]: [select][22507.04]     => id: '14243' choosing: 'ns6.dhl.com.'@'2403:c580:fff3:410a::1#00053' with timeout 800 ms zone cut: 'ppl.cz.'
Nov  3 18:39:03 turris kresd[9765]: [resolv][22507.04]     => id: '14243' querying: 'ns6.dhl.com.'@'2403:c580:fff3:410a::1#00053' zone cut: 'ppl.cz.' qname: 'ppl.cz.' qtype: 'DNSKEY' proto: 'udp'
Nov  3 18:39:04 turris kresd[9765]: [select][22507.04]     NO6: timed out, appended, timeouts 3/6
Nov  3 18:39:04 turris kresd[9765]: [select][22507.04]     => id: '14243' noting selection error: 'ns6.dhl.com.'@'2403:c580:fff3:410a::1#00053' zone cut: 'ppl.cz.' error: 1 QUERY_TIMEOUT
Nov  3 18:39:04 turris kresd[9765]: [iterat][22507.04]     'ppl.cz.' type 'DNSKEY' new uid was assigned .05, parent uid .01
Nov  3 18:39:04 turris kresd[9765]: [select][22507.05]     => id: '20995' choosing from addresses: 6 v4 + 5 v6; names to resolve: 0 v4 + 1 v6; force_resolve: 0; NO6: IPv6 is OK
Nov  3 18:39:04 turris kresd[9765]: [select][22507.05]     => id: '20995' choosing: 'ns2.dhl.com.'@'2620:1d6:fff3:410a::1#00053' with timeout 1600 ms zone cut: 'ppl.cz.'
Nov  3 18:39:04 turris kresd[9765]: [resolv][22507.05]     => id: '20995' querying: 'ns2.dhl.com.'@'2620:1d6:fff3:410a::1#00053' zone cut: 'ppl.cz.' qname: 'ppl.cz.' qtype: 'DNSKEY' proto: 'udp'
Nov  3 18:39:06 turris kresd[9765]: [select][22507.05]     NO6: timed out, appended, timeouts 4/6
Nov  3 18:39:06 turris kresd[9765]: [select][22507.05]     => id: '20995' noting selection error: 'ns2.dhl.com.'@'2620:1d6:fff3:410a::1#00053' zone cut: 'ppl.cz.' error: 1 QUERY_TIMEOUT
Nov  3 18:39:06 turris kresd[9765]: [iterat][22507.05]     'ppl.cz.' type 'DNSKEY' new uid was assigned .06, parent uid .01
Nov  3 18:39:06 turris kresd[9765]: [select][22507.06]     => id: '49524' choosing from addresses: 6 v4 + 5 v6; names to resolve: 0 v4 + 1 v6; force_resolve: 0; NO6: IPv6 is OK
Nov  3 18:39:06 turris kresd[9765]: [select][22507.06]     => id: '49524' choosing: 'ns2b.dhl.com.'@'2620:1d6:fffd:410a::1#00053' with timeout 3200 ms zone cut: 'ppl.cz.'
Nov  3 18:39:06 turris kresd[9765]: [resolv][22507.06]     => id: '49524' querying: 'ns2b.dhl.com.'@'2620:1d6:fffd:410a::1#00053' zone cut: 'ppl.cz.' qname: 'ppl.cz.' qtype: 'DNSKEY' proto: 'tcp'
Nov  3 18:39:06 turris kresd[9765]: [worker][22507.06]     => connecting to: '2620:1d6:fffd:410a::1#00053'
Nov  3 18:39:06 turris kresd[9765]: [select][22507.06]     NO6: timed out, appended, timeouts 5/6
Nov  3 18:39:06 turris kresd[9765]: [select][22507.06]     => id: '49524' noting selection error: 'ns2b.dhl.com.'@'2620:1d6:fffd:410a::1#00053' zone cut: 'ppl.cz.' error: 3 TCP_CONNECT_FAILED
Nov  3 18:39:06 turris kresd[9765]: [iterat][22507.06]     'ppl.cz.' type 'DNSKEY' new uid was assigned .07, parent uid .01
Nov  3 18:39:06 turris kresd[9765]: [select][22507.07]     => id: '29611' choosing from addresses: 6 v4 + 5 v6; names to resolve: 0 v4 + 1 v6; force_resolve: 0; NO6: IPv6 is OK
Nov  3 18:39:06 turris kresd[9765]: [select][22507.07]     => id: '29611' choosing: 'ns4b.dhl.com.'@'2a05:4a40:fffd:410a::1#00053' with timeout 6400 ms zone cut: 'ppl.cz.'
Nov  3 18:39:06 turris kresd[9765]: [resolv][22507.07]     => id: '29611' querying: 'ns4b.dhl.com.'@'2a05:4a40:fffd:410a::1#00053' zone cut: 'ppl.cz.' qname: 'ppl.cz.' qtype: 'DNSKEY' proto: 'udp'

I see there is NO6: IPv6 is OK. That looks suspicious. IPv6 is really not OK with my ISP.

Do you have any hints on how to configure kresd to ignore IPv6 entirely?

Setting net.ipv6 = false in /etc/kresd/custom.conf and restarting the resolver doesn’t change this behavior.

After this reaches 6/6 (6 different subnets), sending via IPv6 will get disabled by default.

It should really. Not sure what’s wrong there.

It doesn’t fall back to IPv4 for me. I can try resolving the domain many times and it never succeeds. I’m running TOS 7.1.0 with kresd6 package list.

6 different subnets. But normally just the priming of root servers will reach 5 or 6 IIRC, as there are at least 13*2 records to resolve.

I.e. one site is not enough. That’s intentional. One site’s IPv6 getting broken must not cause avoidance of IPv6.

Latency for locally non-routable UDP packets… is on the TODO list, but I think sometimes the route dies a little further, so I wanted a generally working mechanism.

Hmm, so if I find 6 different non-working sites, it should start resolving them?

Question is, if there’s no IPv6 default route, why should kresd even bother trying it?

If you know that there’s none (or reForis knows that it’s configured so), there’s the net.ipv6 = false that is meant to avoid any attempts. I suppose I’ll have to try reproducing your claim of that not working.

Ok. My testing procedure:

  1. (turris) Change /etc/kresd/custom.conf
  2. (turris) rm -rf /tmp/kresd
  3. (turris) /etc/init.d/resolver restart
  4. (pc) dig ppl.cz

Is there something I’m missing?

Seems OK at a glance. It might be worth doing ssh router -- socat - /tmp/kresd/control/\* and checking net.ipv6 in that read-execute-print loop.

Hmm, no joy:

$ ssh root@192.168.18.1 -- socat - /tmp/kresd/control/\*
> net.ipv6
false
> ^C
$ dig ppl.cz
;; communications error to 192.168.18.1#53: timed out
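
An added example, not part of the thread and not Knot Resolver code: a small Python parser for the [select] lines of the debug log in the first post, reporting which address family kresd picked per attempt, how each attempt failed, and how far the NO6 counter has advanced towards the 6/6 threshold mentioned in the replies. The sample lines are copied from that log with the syslog prefix trimmed; the function name and result keys are assumptions of this example.

```python
import ipaddress
import re

# Lines copied from the debug log in the first post (syslog prefix trimmed).
SAMPLE_LOG = """\
[select][22507.03]     => id: '57656' choosing: 'ns4.dhl.com.'@'2a05:4a40:fff3:410a::1#00053' with timeout 400 ms zone cut: 'ppl.cz.'
[select][22507.03]     NO6: timed out, appended, timeouts 2/6
[select][22507.03]     => id: '57656' noting selection error: 'ns4.dhl.com.'@'2a05:4a40:fff3:410a::1#00053' zone cut: 'ppl.cz.' error: 1 QUERY_TIMEOUT
[select][22507.04]     => id: '14243' choosing: 'ns6.dhl.com.'@'2403:c580:fff3:410a::1#00053' with timeout 800 ms zone cut: 'ppl.cz.'
[select][22507.04]     NO6: timed out, appended, timeouts 3/6
[select][22507.04]     => id: '14243' noting selection error: 'ns6.dhl.com.'@'2403:c580:fff3:410a::1#00053' zone cut: 'ppl.cz.' error: 1 QUERY_TIMEOUT
[select][22507.06]     => id: '49524' choosing: 'ns2b.dhl.com.'@'2620:1d6:fffd:410a::1#00053' with timeout 3200 ms zone cut: 'ppl.cz.'
[select][22507.06]     NO6: timed out, appended, timeouts 5/6
[select][22507.06]     => id: '49524' noting selection error: 'ns2b.dhl.com.'@'2620:1d6:fffd:410a::1#00053' zone cut: 'ppl.cz.' error: 3 TCP_CONNECT_FAILED
"""

CHOOSING = re.compile(r"choosing: '([^']+)'@'([0-9a-fA-F:.]+)#\d+' with timeout (\d+) ms")
SEL_ERROR = re.compile(r"noting selection error: '[^']+'@'([0-9a-fA-F:.]+)#\d+'.*error: \d+ (\w+)")
NO6 = re.compile(r"NO6: timed out, appended, timeouts (\d+)/(\d+)")


def summarize_selection(log_text):
    """Summarise upstream selection from kresd [select] debug lines."""
    attempts = []  # (nameserver, address, IP version, timeout in ms)
    errors = {}    # address -> last selection error recorded for it
    no6 = None     # latest (timeouts, limit) pair from the NO6 counter
    for line in log_text.splitlines():
        if m := CHOOSING.search(line):
            version = ipaddress.ip_address(m.group(2)).version
            attempts.append((m.group(1), m.group(2), version, int(m.group(3))))
        elif m := SEL_ERROR.search(line):
            errors[m.group(1)] = m.group(2)
        elif m := NO6.search(line):
            no6 = (int(m.group(1)), int(m.group(2)))
    return {
        "attempts": attempts,
        "v6_attempts": sum(1 for a in attempts if a[2] == 6),
        "v4_attempts": sum(1 for a in attempts if a[2] == 4),
        "errors": errors,
        "no6": no6,
        # True once the counter has hit its limit (6/6 in the thread's log).
        "no6_limit_reached": no6 is not None and no6[0] >= no6[1],
    }


if __name__ == "__main__":
    for key, value in summarize_selection(SAMPLE_LOG).items():
        print(key, "=", value)
```

Feeding it a full capture shows at a glance whether any IPv4 address was ever selected and whether the NO6 counter reached its limit before the client query timed out.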