On 12 December 2021 21:19:21 CET, Jeremie Courreges-Anglas <j...@wxcvbn.org>
wrote:
>
>dnsproc.c only returns a single address even if the code pretends to
>support multiple addresses. This leads to weird behavior in edge cases,
>as experienced by a user on IRC.
>
>Take a machine with both IPv4 and IPv6 addresses configured, but no
>IPv4 default route (on purpose). Since there is at least one IPv4
>address different from 127.0.0.1, AI_ADDRCONFIG doesn't filter out
>A records. Let's Encrypt's ACME service is dual-stacked but the first and
>only address returned by dnsproc.c is always IPv4 with our "family inet
>inet6". In this situation acme-client can't connect over IPv4 and errors
>out even though there's a working IPv6 default route.
>
Doctor, Doctor! When I do this, it hurts!
>I don't know much about ACME and its requirements / good practices for
>clients, but clearly acme-client doesn't behave like most of our
>programs which try to connect to all available addresses. This break
>statement has been there since import, but was it added on purpose?
>Input welcome.
>
I can't think of a reason to not try all address families.

I probably won't be able to look at this for a week. I am very surprised that
this is the correct fix though. I trust you checked that multiple IP addresses
can be passed between processes?
>diff --git a/usr.sbin/acme-client/dnsproc.c b/usr.sbin/acme-client/dnsproc.c
>index 664ef8d9b8b..c4c612e521a 100644
>--- a/usr.sbin/acme-client/dnsproc.c
>+++ b/usr.sbin/acme-client/dnsproc.c
>@@ -102,7 +102,6 @@ host_dns(const char *s, struct addr *vec)
>
> dodbg("%s: DNS: %s", s, vec[vecsz].ip);
> vecsz++;
>- break;
> }
>
> freeaddrinfo(res0);
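Review bot: with the break removed, vecsz is now incremented for every entry getaddrinfo() returned, but nothing in the hunk checks that vecsz is still below the capacity of vec before vec[vecsz].ip is written; since host_dns(const char *s, struct addr *vec) receives only a pointer, the bound has to live in the loop condition or in the caller, so please confirm it is there (or add a vecsz-against-capacity test to the loop) before a name with more A/AAAA records than the vector holds can overrun it. Note also that this hunk changes only the resolver side: the IPv6 fallback described in the mail additionally needs the consumer of vec to try the next entry after a failed connect, which is outside this diff.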
>
>
--
Sent from a mobile device. Please excuse poor formatting.
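The behaviour the thread asks for, written out as an added example that is not acme-client's own code: resolve with AF_UNSPEC, keep every result subject to an explicit capacity check instead of stopping after the first one, and let the connecting side walk the whole list so a failed IPv4 attempt falls through to the IPv6 address. struct addr, collect_addrs(), connect_any(), listen_v4_loopback() and MAX_ADDRS are names assumed for this sketch; the real dnsproc.c/netproc.c split and the project's struct layout are not shown on this page. AI_NUMERICHOST is used so the example runs offline.

```c
/* Added example, not acme-client code: collect every address a host resolves
 * to and try them in turn.  All names and sizes here are assumed. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_ADDRS 8				/* assumed vector capacity */

struct addr {
	char			ip[INET6_ADDRSTRLEN];	/* printable, as dnsproc logs it */
	struct sockaddr_storage	ss;			/* ready-to-connect form */
	socklen_t		len;
};

/*
 * Store up to cap of the addresses getaddrinfo() returns for host:port in
 * vec; returns the count, or -1 if the name does not resolve.  No "break"
 * after the first hit: the "n < cap" test is what bounds the write to vec[n].
 */
int
collect_addrs(const char *host, const char *port, struct addr *vec, size_t cap)
{
	struct addrinfo hints, *res0, *res;
	size_t n = 0;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;			/* "family inet inet6" */
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;	/* stays offline */
	if (getaddrinfo(host, port, &hints, &res0) != 0)
		return -1;
	for (res = res0; res != NULL && n < cap; res = res->ai_next) {
		const void *src;

		if (res->ai_family == AF_INET)
			src = &((struct sockaddr_in *)res->ai_addr)->sin_addr;
		else if (res->ai_family == AF_INET6)
			src = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
		else
			continue;
		if (res->ai_addrlen > sizeof(vec[n].ss) || inet_ntop(res->ai_family,
		    src, vec[n].ip, sizeof(vec[n].ip)) == NULL)
			continue;
		memcpy(&vec[n].ss, res->ai_addr, res->ai_addrlen);
		vec[n].len = res->ai_addrlen;
		n++;
	}
	freeaddrinfo(res0);
	return (int)n;
}

/*
 * Connect to each entry in order; returns the index that accepted (socket in
 * *fdp) or -1.  An unroutable IPv4 entry is skipped, so IPv6 still gets a turn.
 */
int
connect_any(const struct addr *vec, int n, int *fdp)
{
	int i, fd;

	for (i = 0; i < n; i++) {
		if ((fd = socket(vec[i].ss.ss_family, SOCK_STREAM, 0)) == -1)
			continue;			/* family unsupported here */
		if (connect(fd, (const struct sockaddr *)&vec[i].ss, vec[i].len) == 0) {
			*fdp = fd;
			return i;
		}
		close(fd);				/* refused or unreachable */
	}
	return -1;
}

/* Listen on 127.0.0.1 at an ephemeral port so a demo has a real peer. */
int
listen_v4_loopback(unsigned short *portp)
{
	struct sockaddr_in sin;
	socklen_t len = sizeof(sin);
	int fd;

	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		return -1;
	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);	/* sin_port 0: any */
	if (bind(fd, (struct sockaddr *)&sin, len) == -1 || listen(fd, 1) == -1 ||
	    getsockname(fd, (struct sockaddr *)&sin, &len) == -1) {
		close(fd);
		return -1;
	}
	*portp = ntohs(sin.sin_port);
	return fd;
}
```

To see the fallback, start a listener with listen_v4_loopback(), fill a vector with collect_addrs("::1", port, ...) followed by collect_addrs("127.0.0.1", port, ...), and call connect_any(): the first entry is refused (nothing listens on ::1, or the kernel has no IPv6 at all and socket() fails), and the function returns 1 for the IPv4 entry instead of giving up, which is exactly the fall-through the thread wants when the roles are reversed and it is the IPv4 route that is missing. The capacity argument is the piece that the diff on this page does not show: once the break is gone, something must stop the loop before the vector is full.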