View Issue Details

IDProjectCategoryView StatusLast Update
0003136Rocky-Linux-9Generalpublic2023-05-16 15:23
ReporterGraham Leggett Assigned ToNeil Hanlon  
Status acknowledgedResolutionopen 
OSRockyOS Version9.1 
Summary0003136: IPv6 unreliable - Failed to download metadata for repo 'baseos'
DescriptionIPv6 sometimes works, sometimes does not.

From time to time on an IPv6 only host, dnf fails as follows:

Rocky Linux 9 - BaseOS 0.0 B/s | 0 B 00:40
Errors during downloading metadata for repository 'baseos':
  - Curl error (6): Couldn't resolve host name for [Could not resolve host:]
Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (6): Couldn't resolve host name for [Could not resolve host:]
Steps To ReproduceRun "dnf update" on an IPv6 only host.
TagsNo tags attached.


Graham Leggett

Graham Leggett

2023-05-03 10:09

reporter   ~0003169

Looks like the failure is limited to when the unbound resolver is locally installed and used.
Neil Hanlon

Neil Hanlon

2023-05-03 12:37

administrator   ~0003170

We've had some intermittent reports of this but have not been able to nail down a root cause.

How is your IPv6 traffic handled? Is it a direct allocation, or via a 646 tunnel broker like

Do you have any firewall rules on your network that would be preventing ICMP6 and/or PMTU traffic from flowing?
Graham Leggett

Graham Leggett

2023-05-03 13:32

reporter   ~0003171

It's an IPv6 only host in a datacentre (specifically Hetzner in DE).

IPv6 works if the DNS points at a Mikrotik router. As soon as DNS is changed to point at a locally installed copy of the unbound nameserver, we fail.

Looking at it seems fastly fails DNSSEC checks. I wonder if resolvers are interpreting this as "DNS name not configured securely, pretend it does not exist".
Neil Hanlon

Neil Hanlon

2023-05-03 14:03

administrator   ~0003172

Thanks for the info, that's helpful.

Let me reach out to Fastly and see if they have some thoughts here. DNSSEC is an ongoing project for us as an infrastructure team, too, but I'm not able to give an ETA at this time.
Graham Leggett

Graham Leggett

2023-05-03 14:50

reporter   ~0003173

In theory DNSSEC missing isn't an error, but if DNSSEC is misconfigured then resolution attempts will throw an error.

Very odd that a CDN doesn't do DNSSEC.
Zulu Echo

Zulu Echo

2023-05-16 15:23

reporter   ~0003334

We have also been working on an ipv6 only network and had this problem on all of our rockylinux installations. We were running Nat64 with ipv6 on the inside and only ipv4 on the external network connection.

By simply using the "-6" parameter with dnf, we succesfully updated without any further issues.
I.E. "dnf -6 update"

Hope this helps someone.

Issue History

Date Modified Username Field Change
2023-05-02 21:15 Graham Leggett New Issue
2023-05-03 10:09 Graham Leggett Note Added: 0003169
2023-05-03 12:37 Neil Hanlon Assigned To => Neil Hanlon
2023-05-03 12:37 Neil Hanlon Status new => acknowledged
2023-05-03 12:37 Neil Hanlon Note Added: 0003170
2023-05-03 13:32 Graham Leggett Note Added: 0003171
2023-05-03 14:03 Neil Hanlon Note Added: 0003172
2023-05-03 14:50 Graham Leggett Note Added: 0003173
2023-05-16 15:23 Zulu Echo Note Added: 0003334