New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dns-rfc2136: doesn't support IPv6 DNS servers #7295
Comments
Thank you for investigating and reporting this issue! At first glance I suspect this is an issue in the But also, it looks like google is your DNS provider -- does the |
Google is not my DNS provider. I just used I could just as well have used I did this because this issue might require me to make changes to my own DNS infrastructure (e.g., adding IPv4 |
If there is a hardcoded IPv6 address in the .ini file it does seem to work. If there is any wrong address [ valid syntax, non-existent server, server not running dns ] i only observe hanging, for both ipv4 & ipv6 trying to send the update for the _acme-challenge. Maybe a query for SOA to get the correct name of the master server is needed. [ if anyone actualy does that one correctly ]. And then query this master server for the SOA record again to verify its reachability? |
The DNSPython function https://dnspython.readthedocs.io/en/latest/query.html#dns.query.tcp Currently, the Unfortunately, this is not documented explicitely in the certbot-dns-rfc2136 documentation 😞 It is only implicitely inferred from the single example credential file. Also, version 0.36.0 is quite a long time ago. With my currently installed certbot (1.11.0.dev0) I can't reproduce the behaviour reported here:
Which makes sense if it expects an address in stead of a hostname. So maybe this can be transformed into a feature request? Namely: "Add support for hostnames as DNS servers in the dns-rfc2136 credentials file in stead of only addresses." |
The issue is slightly more complicated though. One doesn't need to translate "just" a A/AAAA lookup. It needs to find the DNS master server for a domain. This requires the SOA record to have a valid hostname (=master DNS server) as the first parameter. certbot-dns-rfc2136 still works unchanged up to 1.14.0 Problem with a lot of certbot dns modules is most are not maitained in distributions, you need to do this yourself... alas. |
I don't agree with this one: the certbot-dns-rfc2136 credential documentation clearly states "Target DNS server" as explanation for the Now, if you'd like the certbot-dns-rfc2136 plugin to automatically infer the main DNS server from the SOA records instead of entering a server to connect to manually in the credential file, then I suggest you open a brand new feature request in a separate issue. |
My operating system is (include version):
Ubuntu Bionic.
I installed Certbot with (certbot-auto, OS package manager, pip, etc):
Tried first the packages bundled with Ubuntu (using
apt-get install certbot
). Afterwards, I triedcertbot-auto
(to confirm that this bug is still present in the latest upstream release).I ran this command and it produced this output:
Certbot's behavior differed from what I expected because:
ipv6.google.com
does exist in DNS with anIN AAAA
record:If I change the DNS server to one that has both IPv4
IN A
and IPv6IN AAAA
records in DNS, I do not get this error:Obviously it still doesn't work since I'm using totally bogus settings, but the key point is that the «Name or service not known» error is now gone. Using
tcpdump
, I can also confirm thatcertbot
is now actually attempting to communicate with the DNS server supplied:Note how it is using IPv4 for this query, even though
www.google.com
has both IPv4 and IPv6 addresses (and so has the hostcertbot
is running on). This violates RFC 6724, which states that IPv6 should be attempted before IPv4, if available.Here is a Certbot log showing the issue (if available):
letsencrypt.log
The text was updated successfully, but these errors were encountered: