dnsproc.c only returns a single address even if the code pretends to
support multiple addresses. This leads to weird behavior in edge cases,
as experienced by a user on IRC.
Take a machine with both IPv4 and IPv6 addresses configured, but no
IPv4 default route (on purpose). Since there is at least one IPv4
address different from 127.0.0.1, AI_ADDRCONFIG doesn't filter out
A records. Let's Encrypt's ACME service is dual-stacked, but the first and
only address returned by dnsproc.c is always IPv4 with our "family inet
inet6". In this situation acme-client can't connect over IPv4 and errors
out even though there's a working IPv6 default route.
I don't know much about ACME and its requirements / good practices for
clients, but clearly acme-client doesn't behave like most of our
programs which try to connect to all available addresses. This break
statement has been there since import, but was it added on purpose?
Input welcome.
diff --git a/usr.sbin/acme-client/dnsproc.c b/usr.sbin/acme-client/dnsproc.c
index 664ef8d9b8b..c4c612e521a 100644
--- a/usr.sbin/acme-client/dnsproc.c
+++ b/usr.sbin/acme-client/dnsproc.c
@@ -102,7 +102,6 @@ host_dns(const char *s, struct addr *vec)
dodbg("%s: DNS: %s", s, vec[vecsz].ip);
vecsz++;
- break;
}
freeaddrinfo(res0);
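Review bot: with the `break` gone, `host_dns()` now stores one entry per getaddrinfo() result, so the loop must bound `vecsz` against the capacity of `vec` before the write that the context line `dodbg("%s: DNS: %s", s, vec[vecsz].ip);` shows; the hunk does not show such a check, and the removed `break` was the only thing keeping the count at one. Also confirm that the caller of `host_dns()` actually iterates over all `vecsz` entries when connecting, otherwise filling the vector changes nothing for the IPv6-only-route case described above.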
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE