758317 – The fedora website is not accessible from ipv6-only machine

Bug 758317 - The fedora website is not accessible from ipv6-only machine

Summary: The fedora website is not accessible from ipv6-only machine

Keywords:
Status:	CLOSED WORKSFORME
Alias:	None
Product:	Fedora Documentation
Classification:	Fedora
Component:	fedora-websites
Sub Component:
Version:	devel
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Fedora Websites Team
QA Contact:	Karsten Wade
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-11-29 16:49 UTC by Tomas Kouba
Modified:	2013-03-11 15:28 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-03-11 15:28:18 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Tomas Kouba 2011-11-29 16:49:51 UTC

Description of problem:

I cannot download epel mirror list and it seems to be a DNS problem that also causes the main fedora project web inaccessible from ipv6-only machine.

Version-Release number of selected component (if applicable):

DiG 9.7.3-P3-RedHat-9.7.3-2.el6_1.P3.3
bind-9.7.3-2.el6_1.P3.3.x86_64

How reproducible:

dig +trace www.fedoraproject.org

Steps to Reproduce:
1.
  
Actual results:

# dig +trace www.fedoraproject.org

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-2.el6_1.P3.3 <<>> +trace www.fedoraproject.org
;; global options: +cmd
.                       507322  IN      NS      k.root-servers.net.
.                       507322  IN      NS      f.root-servers.net.
.                       507322  IN      NS      e.root-servers.net.
.                       507322  IN      NS      a.root-servers.net.
.                       507322  IN      NS      l.root-servers.net.
.                       507322  IN      NS      d.root-servers.net.
.                       507322  IN      NS      c.root-servers.net.
.                       507322  IN      NS      m.root-servers.net.
.                       507322  IN      NS      h.root-servers.net.
.                       507322  IN      NS      j.root-servers.net.
.                       507322  IN      NS      g.root-servers.net.
.                       507322  IN      NS      b.root-servers.net.
.                       507322  IN      NS      i.root-servers.net.
;; Received 284 bytes from ::1#53(::1) in 0 ms

org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
;; Received 444 bytes from 2001:500:1::803f:235#53(h.root-servers.net) in 116 ms

fedoraproject.org.      86400   IN      NS      ns04.fedoraproject.org.
fedoraproject.org.      86400   IN      NS      ns01.fedoraproject.org.
fedoraproject.org.      86400   IN      NS      ns05.fedoraproject.org.
fedoraproject.org.      86400   IN      NS      ns02.fedoraproject.org.
;; Received 179 bytes from 2001:500:b::1#53(c0.org.afilias-nst.info) in 17 ms

;; connection timed out; no servers could be reached


Expected results:

www.fedoraproject.org resolved just like on a host with both 4/6 protocols:

$ dig +trace www.fedoraproject.org

; <<>> DiG 9.7.3 <<>> +trace www.fedoraproject.org
;; global options: +cmd
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
.                       518400  IN      NS      E.ROOT-SERVERS.NET.
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
;; Received 404 bytes from 147.231.25.14#53(147.231.25.14) in 0 ms

org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
;; Received 444 bytes from 2001:500:1::803f:235#53(H.ROOT-SERVERS.NET) in 107 ms

fedoraproject.org.      86400   IN      NS      ns01.fedoraproject.org.
fedoraproject.org.      86400   IN      NS      ns02.fedoraproject.org.
fedoraproject.org.      86400   IN      NS      ns04.fedoraproject.org.
fedoraproject.org.      86400   IN      NS      ns05.fedoraproject.org.
;; Received 179 bytes from 2001:500:e::1#53(a0.org.afilias-nst.info) in 106 ms

www.fedoraproject.org.  3600    IN      CNAME   wildcard.fedoraproject.org.
wildcard.fedoraproject.org. 60  IN      A       209.132.181.16
wildcard.fedoraproject.org. 60  IN      A       213.175.193.206
wildcard.fedoraproject.org. 60  IN      A       66.35.62.166
wildcard.fedoraproject.org. 60  IN      A       85.236.55.6
wildcard.fedoraproject.org. 60  IN      A       140.211.169.197
wildcard.fedoraproject.org. 60  IN      A       152.19.134.146
;; Received 158 bytes from 2610:28:3090:3001:dead:beef:cafe:fed5#53(ns02.fedoraproject.org) in 123 ms


Additional info:

Comment 1 Kevin Fenzi 2011-11-29 17:02:35 UTC

All our nameservers are not ipv6 capable. 

If you directly use ns02.fedoraproject.org does it work?

also, not sure this is the correct place for this report. Perhaps close this and file a ticket at the fedora infrastructure trac?

https://fedorahosted.org/fedora-infrastructure/newtplticket

Comment 2 Matt Domsch 2011-11-30 04:35:18 UTC

Tomas, 

$ dig +trace www.fedoraproject.org

will default to looking up only an A record.  (See 'man dig' for the example showing the default.  You need to force it to look up the AAAA record, which works fine.


$ dig +trace www.fedoraproject.org AAAA

; <<>> DiG 9.8.1-P1-RedHat-9.8.1-4.P1.fc16 <<>> +trace www.fedoraproject.org AAAA
;; global options: +cmd
.			53176	IN	NS	a.root-servers.net.
.			53176	IN	NS	b.root-servers.net.
.			53176	IN	NS	c.root-servers.net.
.			53176	IN	NS	d.root-servers.net.
.			53176	IN	NS	e.root-servers.net.
.			53176	IN	NS	f.root-servers.net.
.			53176	IN	NS	g.root-servers.net.
.			53176	IN	NS	h.root-servers.net.
.			53176	IN	NS	i.root-servers.net.
.			53176	IN	NS	j.root-servers.net.
.			53176	IN	NS	k.root-servers.net.
.			53176	IN	NS	l.root-servers.net.
.			53176	IN	NS	m.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 480 ms

org.			172800	IN	NS	a2.org.afilias-nst.info.
org.			172800	IN	NS	a0.org.afilias-nst.info.
org.			172800	IN	NS	b0.org.afilias-nst.org.
org.			172800	IN	NS	b2.org.afilias-nst.org.
org.			172800	IN	NS	d0.org.afilias-nst.org.
org.			172800	IN	NS	c0.org.afilias-nst.info.
;; Received 441 bytes from 202.12.27.33#53(202.12.27.33) in 383 ms

fedoraproject.org.	86400	IN	NS	ns01.fedoraproject.org.
fedoraproject.org.	86400	IN	NS	ns02.fedoraproject.org.
fedoraproject.org.	86400	IN	NS	ns04.fedoraproject.org.
fedoraproject.org.	86400	IN	NS	ns05.fedoraproject.org.
;; Received 196 bytes from 2001:500:f::1#53(2001:500:f::1) in 363 ms

www.fedoraproject.org.	3600	IN	CNAME	wildcard.fedoraproject.org.
wildcard.fedoraproject.org. 60	IN	AAAA	2610:28:3090:3001:dead:beef:cafe:fed4
;; Received 90 bytes from 209.132.181.17#53(209.132.181.17) in 54 ms
oject.org


Or you can keep it all on IPv6 if you are IPv6-only. Here I'm using the sixxs.net recursive resolver over IPv6.  (the dig -6 option fails because the .root-servers.net servers don't have IPv6 addresses themselves).

$ dig +trace @nscache.us.sixxs.net www.fedoraproject.org AAAA 

; <<>> DiG 9.8.1-P1-RedHat-9.8.1-4.P1.fc16 <<>> +trace @nscache.us.sixxs.net www.fedoraproject.org AAAA
; (2 servers found)
;; global options: +cmd
.			86170	IN	NS	i.root-servers.net.
.			86170	IN	NS	j.root-servers.net.
.			86170	IN	NS	a.root-servers.net.
.			86170	IN	NS	f.root-servers.net.
.			86170	IN	NS	g.root-servers.net.
.			86170	IN	NS	b.root-servers.net.
.			86170	IN	NS	e.root-servers.net.
.			86170	IN	NS	c.root-servers.net.
.			86170	IN	NS	d.root-servers.net.
.			86170	IN	NS	k.root-servers.net.
.			86170	IN	NS	h.root-servers.net.
.			86170	IN	NS	m.root-servers.net.
.			86170	IN	NS	l.root-servers.net.
;; Received 449 bytes from 2001:4de0:1000:a3::2#53(2001:4de0:1000:a3::2) in 540 ms

org.			172800	IN	NS	b0.org.afilias-nst.org.
org.			172800	IN	NS	c0.org.afilias-nst.info.
org.			172800	IN	NS	d0.org.afilias-nst.org.
org.			172800	IN	NS	b2.org.afilias-nst.org.
org.			172800	IN	NS	a0.org.afilias-nst.info.
org.			172800	IN	NS	a2.org.afilias-nst.info.
;; Received 441 bytes from 2001:503:c27::2:30#53(2001:503:c27::2:30) in 377 ms

fedoraproject.org.	86400	IN	NS	ns01.fedoraproject.org.
fedoraproject.org.	86400	IN	NS	ns02.fedoraproject.org.
fedoraproject.org.	86400	IN	NS	ns04.fedoraproject.org.
fedoraproject.org.	86400	IN	NS	ns05.fedoraproject.org.
;; Received 179 bytes from 199.249.120.1#53(199.249.120.1) in 235 ms

www.fedoraproject.org.	3600	IN	CNAME	wildcard.fedoraproject.org.
wildcard.fedoraproject.org. 60	IN	AAAA	2610:28:3090:3001:dead:beef:cafe:fed4
;; Received 90 bytes from 85.236.55.10#53(85.236.55.10) in 147 ms


Therefore I'm closing this as not a bug, it all appears to be working as intended.

Thanks,
Matt

Comment 3 Tomas Kouba 2011-11-30 11:39:29 UTC

I think the problem is that there are no AAAA GLUE records for nsXX.fedoraproject.org in parent DNS. So my ipv6-only machine does not know
how to reach nsXX.fedoraproject.org when resolving www.fedoraproject.org

 dig @c0.org.afilias-nst.org fedoraproject.org

; <<>> DiG 9.7.3 <<>> @c0.org.afilias-nst.org fedoraproject.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3378
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fedoraproject.org.		IN	A

;; AUTHORITY SECTION:
fedoraproject.org.	86400	IN	NS	ns04.fedoraproject.org.
fedoraproject.org.	86400	IN	NS	ns05.fedoraproject.org.
fedoraproject.org.	86400	IN	NS	ns01.fedoraproject.org.
fedoraproject.org.	86400	IN	NS	ns02.fedoraproject.org.

;; ADDITIONAL SECTION:
ns01.fedoraproject.org.	86400	IN	A	64.34.184.179
ns02.fedoraproject.org.	86400	IN	A	152.19.134.139
ns04.fedoraproject.org.	86400	IN	A	209.132.181.17
ns05.fedoraproject.org.	86400	IN	A	85.236.55.10

;; Query time: 22 msec
;; SERVER: 2001:500:b::1#53(2001:500:b::1)
;; WHEN: Wed Nov 30 12:29:45 2011
;; MSG SIZE  rcvd: 175

Comment 4 Matt Domsch 2011-11-30 16:34:52 UTC

interesting.  We did have glue records at one point.  You're right it appears to not be there now for ns02 AAAA. :-(

Comment 5 Nick Bebout 2013-03-11 15:28:18 UTC

This has been fixed.

Note You need to log in before you can comment on or make changes to this bug.