Package: pdns-server
Version: 4.0.3-1+deb9u2
Severity: normal

Dear Maintainer,

pdns-server in Stretch fails to answer TCP queries made by clients via backend recursors reached over IPv6. I discovered this setting up cloudflared, using it as the recursor, but have also replicated on a clean install with Google and Cloudflare's public DNS servers.

NB: test addresses used below:
CF DNS: 1.1.1.1 (ipv4), 2606:4700:4700::1111 (ipv6)
Google DNS: 8.8.8.8 (ipv4), 2001:4860:4860::8888 (ipv6)

Up to date just-installed Stretch x64 server:

root@pdnsbugtest:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.6 (stretch)
Release: 9.6
Codename: stretch
root@pdnsbugtest:~# uname -a
Linux pdnsbugtest 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
root@pdnsbugtest:~# apt update && apt full-upgrade
Hit:1 http://security.debian.org/debian-security stretch/updates InRelease
Ign:2 http://ftp.uk.debian.org/debian stretch InRelease
Hit:3 http://ftp.uk.debian.org/debian stretch-updates InRelease
Hit:4 http://ftp.uk.debian.org/debian stretch Release
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Only packages installed on top of base (base Debian server with openssh-server): vim, open-vm-tools, dnsutils, pdns-server

root@pdnsbugtest:~# pdns_server --version
Dec 13 23:48:43 PowerDNS Authoritative Server 4.0.3 (C) 2001-2016 PowerDNS.COM BV
Dec 13 23:48:43 Using 64-bits mode. Built using gcc 6.3.0 20170516.
Dec 13 23:48:43 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Dec 13 23:48:43 Features: botan1.10 openssl lua
Dec 13 23:48:43 Built-in modules:
Dec 13 23:48:43 Configured with: " '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--sysconfdir=/etc/powerdns' '--with-dynmodules=bind ldap pipe gmysql godbc gpgsql gsqlite3 geoip lua mydns remote random opendbx tinydns' '--with-modules=' '--with-pgsql-includes=/usr/include/postgresql' '--enable-botan1.10' '--enable-tools' '--without-protobuf' '--enable-unit-tests' '--enable-reproducible' '--enable-systemd' '--with-systemd=/lib/systemd/system' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/pdns-cB0QhU/pdns-4.0.3=. -fstack-protector-strong -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/pdns-cB0QhU/pdns-4.0.3=. -fstack-protector-strong -Wformat -Werror=format-security -DPACKAGEVERSION='\''"4.0.3-1+deb9u2.Debian"'\'''"

Standard pdns.conf, plus 2 config variables to enable recursion ('recursor', 'allow-recursion'):

root@pdnsbugtest:~# grep -v "^$\|^#" /etc/powerdns/pdns.conf
allow-recursion=0.0.0.0/0,::/0
include-dir=/etc/powerdns/pdns.d
launch=
recursor=1.1.1.1
security-poll-suffix=
setgid=pdns
setuid=pdns

Now, we can test.

First, direct to CF and then via pdns, with and without TCP, over ipv4:

root@pdnsbugtest:~# grep recursor= /etc/powerdns/pdns.conf; dig +short +notcp google.com @1.1.1.1; dig +short +tcp google.com @1.1.1.1; dig +short +notcp google.com @127.0.0.1; dig +short +tcp google.com @127.0.0.1
recursor=1.1.1.1
216.58.206.142
216.58.206.142
216.58.206.142
216.58.206.142

Now the same, but with Google:

root@pdnsbugtest:~# grep recursor= /etc/powerdns/pdns.conf; dig +short +notcp google.com @8.8.8.8; dig +short +tcp google.com @8.8.8.8; dig +short +notcp google.com @127.0.0.1; dig +short +tcp google.com @127.0.0.1
recursor=8.8.8.8
216.58.206.110
216.58.206.110
216.58.206.110
216.58.204.78

All good. Now let's try with CF's ipv6 server as the recursor:

[root@pdnsbugtest:~# grep recursor= /etc/powerdns/pdns.conf; dig +short +notcp google.com @2606:4700:4700::1111; dig +short +tcp google.com @2606:4700:4700::1111; dig +short +notcp google.com @127.0.0.1; dig +short +tcp google.com @127.0.0.1
recursor=2606:4700:4700::1111
216.58.206.110
216.58.206.110
216.58.206.110
;; communications error to 127.0.0.1#53: end of file

Uh-oh. What about Google?

[root@pdnsbugtest:~# grep recursor= /etc/powerdns/pdns.conf; dig +short +notcp google.com @2001:4860:4860::8888; dig +short +tcp google.com @2001:4860:4860::8888; dig +short +notcp google.com @127.0.0.1; dig +short +tcp google.com @127.0.0.1
recursor=2001:4860:4860::8888
216.58.212.110
216.58.212.110
216.58.212.110
;; communications error to 127.0.0.1#53: end of file

Hmm, and what about ipv6 at the front-end?

root@pdnsbugtest:~# grep recursor= /etc/powerdns/pdns.conf; dig +short +notcp google.com @::1; dig +short +tcp google.com @::1
recursor=2001:4860:4860::8888
216.58.212.110
;; communications error to ::1#53: end of file

Looks like it's specifically ipv6 at the backend, in combination with TCP at the front-end that is broken.

A full dig output is no more revealing:

root@pdnsbugtest:~# dig +tcp google.com @::1
;; communications error to ::1#53: end of file

Let me know if you need more info or can't reproduce, I'm happy to assist.

Kind regards,
Nick

-- System Information:
Debian Release: 9.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages pdns-server depends on:
ii adduser 3.115
ii init-system-helpers 1.48
ii libboost-program-options1.62.0 1.62.0+dfsg-4
ii libbotan-1.10-1 1.10.16-1
ii libc6 2.24-11+deb9u3
ii libgcc1 1:6.3.0-18+deb9u1
ii liblua5.3-0 5.3.3-1
ii libsqlite3-0 3.16.2-5+deb9u1
ii libssl1.1 1.1.0j-1~deb9u1
ii libstdc++6 6.3.0-18+deb9u1
ii libsystemd0 232-25+deb9u6

Versions of packages pdns-server recommends:
ii pdns-backend-bind 4.0.3-1+deb9u2

Versions of packages pdns-server suggests:
ii pdns-backend-bind [pdns-backend] 4.0.3-1+deb9u2

-- Configuration Files:
/etc/powerdns/pdns.conf [Errno 13] Permission denied: '/etc/powerdns/pdns.conf'

-- no debconf information
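
Added example, not part of the original report and not PowerDNS code: a Python probe that sends one length-prefixed DNS query over TCP and separates a real reply from the "end of file" symptom dig shows above, where the server closes the connection without answering. The function names and the socketpair stand-in server are constructed for illustration; point probe_tcp at the real front-end (127.0.0.1 or ::1) to re-check after a fix.

```python
import socket
import struct
import threading

def build_query(name, qtype=1, qid=0x1234):
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def recv_exact(sock, n):
    """Read exactly n bytes; None if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf

def tcp_exchange(sock, name):
    """Send one length-prefixed query on a connected stream socket.
    Returns 'answered', 'eof' (closed without a full reply) or 'id-mismatch'."""
    query = build_query(name)
    sock.sendall(struct.pack("!H", len(query)) + query)
    prefix = recv_exact(sock, 2)
    body = recv_exact(sock, struct.unpack("!H", prefix)[0]) if prefix else None
    if body is None:
        return "eof"
    return "answered" if body[:2] == query[:2] else "id-mismatch"

def probe_tcp(host, port=53, name="google.com", timeout=3.0):
    """Probe a real front-end, e.g. probe_tcp('127.0.0.1') or probe_tcp('::1')."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return tcp_exchange(s, name)
    except OSError as exc:
        return "error:" + type(exc).__name__

def constructed_peer(reply):
    """Constructed stand-in server on a socketpair: answers, or closes silently."""
    client, server = socket.socketpair()
    def serve():
        with server:
            size = struct.unpack("!H", recv_exact(server, 2))[0]
            query = recv_exact(server, size)
            if reply:
                resp = query[:2] + b"\x81\x80" + query[4:]  # same ID, QR/RD/RA set
                server.sendall(struct.pack("!H", len(resp)) + resp)
    threading.Thread(target=serve, daemon=True).start()
    return client
```

A result of 'eof' from probe_tcp corresponds to the dig error in the report; 'answered' means a framed response with the matching query ID came back.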