Bug 2103903

Summary: Build Authselect with '--with-mdns4' and '--with-mdns6' for IPv6 only network
Product: [Fedora] Fedora Reporter: David Timber <dxdt>
Component: nss-mdnsAssignee: Adam Goode <adam>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: rawhideCC: adam, jhrozek, mzeuom, pbrezina, pemensik, tdawson
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Timber 2022-07-05 08:43:55 UTC 
Description of problem:

/etc/nsswitch.conf contains following line:

```
hosts: ... mdns4_minimal ...
```

limiting GLibc to using A queries only. Applications linking GLibc as their CRT are not able to query any .local records on the network is IPv6 only or the hosts with IPv6 addresses only. 

The nsswitch.conf that comes with Fedora 36 only enables 'mdns4_minimal'. Using 'mdns_minimal' instead solves this issue. The config can be built by passing both '--with-mdns4' and '--with-mdns6' to the configure script.

See following code for detail:

https://github.com/authselect/authselect/blob/9af5f24db0ad50349fe823c8fe5ab83445251491/profiles/sssd/nsswitch.conf


Version-Release number of selected component (if applicable):

- authselect-libs-1.4.0-1.fc36
- avahi-0.8-15.fc36
Comment 1 Pavel Březina 2022-07-08 11:29:23 UTC 
Moving to nss-mdns.

As you already said, authselect support with-mdns4 and with-mdns6 which enables required modules. If both option are provided then mdns_minimal is used. However, this is automatically configured from nss_mdns as %postin scriptlet when the package is installed so if you want to change the default, it needs to be changed there. (Authselect default is without mdns support as the module does not have to be always installed).
Comment 2 Petr Menšík 2023-04-14 11:36:00 UTC 
The problem with this is indeed in nss-mdns. I have filled upstream issue [1] for it. If both queries to IPv4 and IPv6 should be enabled, it takes quite long when the requested name does not respond. Or it does respond on only one of families. Which I believe is still common.

I think we should enable mdns_minimal instead, but first we should fix nss-mdns to send just single search to avahi-daemon. And avahi-daemon should be able to do search in parallel way and without significant timeout if only one address family is supported by the host. Unfortunately no such functionality is offered by avahi package at the moment.

Resetting to rawhide, because the problem is still present on latest Fedora.

[1] https://github.com/lathiat/nss-mdns/issues/83
Comment 3 Petr Menšík 2023-04-14 11:39:35 UTC 
Alternatives could be at least per-connection configuration done in Network Manager. But that again needs feature not offered yet by avahi-daemon. It has no reconfiguration of interfaces used via DBus, so cannot be changed per-connection.