View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0003136||Rocky-Linux-9||General||public||2023-05-02 21:15||2023-05-16 15:23|
|Reporter||Graham Leggett||Assigned To||Neil Hanlon|
|Summary||0003136: IPv6 unreliable - Failed to download metadata for repo 'baseos'|
|Description||IPv6 sometimes works, sometimes does not.|
From time to time on an IPv6 only host, dnf fails as follows:
Rocky Linux 9 - BaseOS 0.0 B/s | 0 B 00:40
Errors during downloading metadata for repository 'baseos':
- Curl error (6): Couldn't resolve host name for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9 [Could not resolve host: mirrors.rockylinux.org]
Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (6): Couldn't resolve host name for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9 [Could not resolve host: mirrors.rockylinux.org]
|Steps To Reproduce||Run "dnf update" on an IPv6 only host.|
|Tags||No tags attached.|
Looks like the failure is limited to when the unbound resolver is locally installed and used.
We've had some intermittent reports of this but have not been able to nail down a root cause.
How is your IPv6 traffic handled? Is it a direct allocation, or via a 646 tunnel broker like HE.net?
Do you have any firewall rules on your network that would be preventing ICMP6 and/or PMTU traffic from flowing?
It's an IPv6 only host in a datacentre (specifically Hetzner in DE).
IPv6 works if the DNS points at a Mikrotik router. As soon as DNS is changed to point at a locally installed copy of the unbound nameserver, we fail.
Looking at https://dnssec-analyzer.verisignlabs.com/mirrors.rockylinux.org it seems Fastly fails DNSSEC checks. I wonder if resolvers are interpreting this as "DNS name not configured securely, pretend it does not exist".
Thanks for the info, that's helpful.
Let me reach out to Fastly and see if they have some thoughts here. DNSSEC is an ongoing project for us as an infrastructure team, too, but I'm not able to give an ETA at this time.
In theory DNSSEC missing isn't an error, but if DNSSEC is misconfigured then resolution attempts will throw an error.
Very odd that a CDN doesn't do DNSSEC.
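The note above separates an unsigned name (not an error) from broken DNSSEC (a validating resolver refuses to answer). The following is an added example, not part of the original thread or the Rocky Linux project: it tells the two apart from a pair of `dig` replies, one normal and one sent with `+cd` (checking disabled). The function names are hypothetical and the sample replies are constructed.

```shell
#!/bin/sh
# Added example. Capture the two replies from the same validating resolver:
#   normal=$(dig +dnssec @::1 mirrors.rockylinux.org AAAA)
#   nocheck=$(dig +dnssec +cd @::1 mirrors.rockylinux.org AAAA)
#   classify_dnssec "$normal" "$nocheck"
# @::1 is an assumption: the local unbound listening on the IPv6 loopback.

# Print the rcode (NOERROR, SERVFAIL, ...) from dig's header line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the reply carries the "ad" (authenticated data) flag.
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# $1 = normal reply, $2 = reply to the same query sent with +cd.
classify_dnssec() {
    normal_status=$(dig_status "$1")
    cd_status=$(dig_status "$2")
    if [ "$normal_status" = "NOERROR" ] && dig_has_ad "$1"; then
        echo "secure"          # signed and validated
    elif [ "$normal_status" = "NOERROR" ]; then
        echo "insecure"        # unsigned zone, or resolver does not validate
    elif [ "$normal_status" = "SERVFAIL" ] && [ "$cd_status" = "NOERROR" ]; then
        echo "bogus"           # answer exists but failed validation
    else
        echo "other-failure"   # fails even with validation off: not DNSSEC
    fi
}

# Constructed sample header lines, not captured from a real host.
SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1004
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

echo "SERVFAIL normally, NOERROR with +cd: $(classify_dnssec "$SERVFAIL" "$CD_OK")"
```

A "bogus" result points at the zone's signatures or delegation rather than at IPv6 transport; "other-failure" means the lookup fails regardless of validation.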
We have also been working on an IPv6-only network and had this problem on all of our Rocky Linux installations. We were running NAT64 with IPv6 on the inside and only IPv4 on the external network connection.
By simply using the "-6" parameter with dnf, we successfully updated without any further issues.
I.e. "dnf -6 update"
Hope this helps someone.
|2023-05-02 21:15||Graham Leggett||New Issue|
|2023-05-03 10:09||Graham Leggett||Note Added: 0003169|
|2023-05-03 12:37||Neil Hanlon||Assigned To||=> Neil Hanlon|
|2023-05-03 12:37||Neil Hanlon||Status||new => acknowledged|
|2023-05-03 12:37||Neil Hanlon||Note Added: 0003170|
|2023-05-03 13:32||Graham Leggett||Note Added: 0003171|
|2023-05-03 14:03||Neil Hanlon||Note Added: 0003172|
|2023-05-03 14:50||Graham Leggett||Note Added: 0003173|
|2023-05-16 15:23||Zulu Echo||Note Added: 0003334|