Bug 502 - do-ip6: no does not disable ip6 queries.
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: unspecified
Hardware: All
OS: All
Priority: P5
Severity: normal
Assigned To: unbound team
Reported: 2013-06-24 16:08 CEST by Han Boetes
Modified: 2014-04-11 09:16 CEST (History)

Description Han Boetes 2013-06-24 16:08:58 CEST
After setting do-ip6 to no, restarting unbound and running "dig -t AAAA google.com @localhost", to my dismay I found I still got ip6 replies.

~% host transip.eu
transip.eu has address 95.170.78.50
transip.eu has IPv6 address 2a01:7c8:2305::1337

As a matter of fact, checking with lsof shows that the "do-ip6" option disables or enables listening on ip6. It does not disable replying to queries.

So what I would expect, in case I set do-ip6 to no (which I would set if the network stack doesn't support or need it), is that it disables listening on ip6 _and_ refuses to look up ipv6 addresses.

So that I get this answer:

~% host transip.eu
transip.eu has address 95.170.78.50
Comment 1 Wouter Wijngaards 2013-06-24 16:44:35 CEST
Hi Han,

This is intentional.  It is possible (perhaps even common) for IPv6 capable hosts to query for the IPv6 addresses over IPv4 DNS.  Thus, disabling the ipv6 sockets on the DNS server should not impact the resolution of the AAAA resource records.  Denial of such resolution could even give security failures if DNSSEC is enabled.

I believe BIND may have some sort of option that disables AAAA lookups for people that query over IPv4.

Basically, the hosts should not query for IPv6 if they cannot use it (properly), hence the IPv6 service is fine.  If your hosts all do something awful with ipv6 (teredo? 6to4? tunneling is what I heard is the biggest issue, at the RIPE conference) and you want to turn off ipv6, then host configuration gives you the best network configuration (well, in the end).

Again, unbound does not have these weird hacks to work around brokenness, but you could script them yourself with the python scripting if you really wanted to.

Or perhaps, your network is not broken, but you have been surprised by the documentation of do-ip6 (and that does sound a little too general)?

Best regards,
   Wouter
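The distinction Wouter draws above is between the transport a query arrives on (an IPv4 or IPv6 socket, which is what do-ip6 controls) and the record type being asked for (AAAA, which is just a 16-bit type code in the DNS message). The following is an added example, not code from this bug report or from unbound: a stdlib-only Python script that builds an AAAA query, sends it over an AF_INET (IPv4) UDP socket, and decodes any AAAA records in the reply. The `constructed_response` helper fabricates a reply for the transip.eu address shown in the report so the parser can be exercised offline; the resolver address 127.0.0.1 used in the `__main__` block is an assumption.

```python
import socket
import struct

# DNS wire-format constants (RFC 1035 / RFC 3596).
RR_TYPE_AAAA = 28
RR_CLASS_IN = 1
DNS_PORT = 53


def build_query(name, qtype, txid=0x1234):
    """Build a minimal recursive (RD=1) DNS query for name/qtype."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, RR_CLASS_IN)


def _read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if end is None:
        end = off
    return ".".join(labels) + ".", end


def parse_aaaa_answers(msg):
    """Return the IPv6 addresses of all AAAA records in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == RR_TYPE_AAAA and rclass == RR_CLASS_IN and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return addrs


def constructed_response(query, addr="2a01:7c8:2305::1337"):
    """Constructed sample reply (not captured traffic): echoes the query's
    txid and question, sets QR|RD|RA, and adds one AAAA record."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    question = query[12:]
    rdata = socket.inet_pton(socket.AF_INET6, addr)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", RR_TYPE_AAAA, RR_CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


def query_aaaa_over_ipv4(server, name, timeout=2.0):
    """Ask for AAAA records over an IPv4 UDP socket: the transport does not
    constrain the record type requested."""
    q = build_query(name, RR_TYPE_AAAA)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_aaaa_answers(resp)


if __name__ == "__main__":
    # Offline demonstration with the constructed reply.
    q = build_query("transip.eu", RR_TYPE_AAAA)
    print(parse_aaaa_answers(constructed_response(q)))
    # Live check against a local resolver (assumed at 127.0.0.1); with
    # do-ip6: no the IPv6 listener is gone but this still answers.
    try:
        print(query_aaaa_over_ipv4("127.0.0.1", "transip.eu"))
    except OSError as exc:
        print("no resolver reachable:", exc)
```

Run against an unbound with do-ip6: no and you get the same AAAA data as before, because only the listening sockets changed; the query above never touches an IPv6 socket at all. The parser skips non-AAAA records (a CNAME ahead of the AAAA, for instance) rather than failing on them.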
Comment 2 Pavel Šimerda (pavlix) 2014-03-19 11:23:20 CET
> I believe BIND may have some sort of option that disables AAAA lookups for
> people that query over IPv4.

While BIND has some features of that kind, they are not really usable.
Comment 3 Wouter Wijngaards 2014-04-11 09:16:43 CEST
Hi Han,

Added documentation to the man page to explain that AAAA lookups occur while do-ip6 is no.

Best regards, Wouter