Unbound IPv6 Disabled - Validation Failure

[tdashmike]

IPv6 is disabled on my router. Is there a way make these requests resolve without enabling IPv6?

19:19:36 unbound[3142:0] info: validation failure <wheels.home-assistant.io. AAAA IN>: no signatures from 172.64.32.124
19:11:17 unbound[3142:0] info: validation failure <checkonline.home-assistant.io. AAAA IN>: no signatures from 108.162.192.124
19:14:33 unbound[3142:0] error: SERVFAIL <updates.logitech.com. AAAA IN>: all servers for this domain failed, at zone updates.logitech.com. from 205.251.193.36 nodata answer
19:59:12 unbound[3142:0] info: validation failure <uptime.kuma.pet. AAAA IN>: no signatures from 173.245.59.106
20:19:54 unbound[3142:0] info: validation failure <time.cloudflare.com. AAAA IN>: no signatures from 162.159.4.8

 

[SomeWhereOverTheRainBow]

IPv6 is disabled on my router. Is there a way make these requests resolve without enabling IPv6?

19:19:36 unbound[3142:0] info: validation failure <wheels.home-assistant.io. AAAA IN>: no signatures from 172.64.32.124
19:11:17 unbound[3142:0] info: validation failure <checkonline.home-assistant.io. AAAA IN>: no signatures from 108.162.192.124
19:14:33 unbound[3142:0] error: SERVFAIL <updates.logitech.com. AAAA IN>: all servers for this domain failed, at zone updates.logitech.com. from 205.251.193.36 nodata answer
19:59:12 unbound[3142:0] info: validation failure <uptime.kuma.pet. AAAA IN>: no signatures from 173.245.59.106
20:19:54 unbound[3142:0] info: validation failure <time.cloudflare.com. AAAA IN>: no signatures from 162.159.4.8

If you have skynet installed, it could be blocking your access to root servers.

 

[tdashmike]

If you have skynet installed, it could be blocking your access to root servers.

Thanks for the reply. I do not have Skynet installed. I have unbound and pihole installed on merlin. I ended up just enabling ipv6 on my router and unbound and it's working fine now. It would still be nice to know how to get it working on only ipv4.

 

[SomeWhereOverTheRainBow]

Thanks for the reply. I do not have Skynet installed. I have unbound and pihole installed on merlin. I ended up just enabling ipv6 on my router and unbound and it's working fine now. It would still be nice to know how to get it working on only ipv4.

You could try a few options in your unbound.conf. Just to let you know it will also break any cross compatibility with ipv6, but that is the least of your concerns if you cannot resolve an AAAA response from an ipv4 root server. Otherwise idk; but here are the options:

do-ip6:no
do-ip4:yes
prefer-ip6:no
prefer-ip4:yes

happy testing!

 

[sfx2000]

AAAA records are for ipv6

 

[SomeWhereOverTheRainBow]

AAAA records are for ipv6

That doesn't mean that ipv4 will not try to resolve them if you don't disable it with the "do-ip6: no" option in the unbound config. case and point:

IPv6 is disabled on my router. Is there a way make these requests resolve without enabling IPv6?

19:19:36 unbound[3142:0] info: validation failure <wheels.home-assistant.io. AAAA IN>: no signatures from 172.64.32.124
19:11:17 unbound[3142:0] info: validation failure <checkonline.home-assistant.io. AAAA IN>: no signatures from 108.162.192.124
19:14:33 unbound[3142:0] error: SERVFAIL <updates.logitech.com. AAAA IN>: all servers for this domain failed, at zone updates.logitech.com. from 205.251.193.36 nodata answer
19:59:12 unbound[3142:0] info: validation failure <uptime.kuma.pet. AAAA IN>: no signatures from 173.245.59.106
20:19:54 unbound[3142:0] info: validation failure <time.cloudflare.com. AAAA IN>: no signatures from 162.159.4.8

 

[sfx2000]

That doesn't mean that ipv4 will not try to resolve them if you don't disable it with the do-ip6 option in the unbound config. case and point:

It's just an info log entry - it's just saying it cannot resolve an IPv6 addr...

Since OP has disabled IPv6, errors like this are expected...

 

[SomeWhereOverTheRainBow]

It's just an info log entry - it's just saying it cannot resolve an IPv6 addr...

Since OP has disabled IPv6, errors like this are expected...

obviously, and the reason to add "do-ip6:no", "prefer-ip6:no" and "prefer-ip4:yes" inside unbound.conf. Part of the default of unbound is to try both as if unbounds connection outward is a dual stack. ergo the reason for those options. The errors will go away if those options are set accordingly. You don't have to hand out ipv6 addresses to every client on the network inorder to run the router on a dual stack connection, but these logs are created when the OP eliminates that dualstack environment by choosing to completely disable ipv6 on the router.

 

[sfx2000]

Again - one can configure the client - e.g. "home-assistant.io"

Just saying - Not sure why folks are worried about ipv6 - it's a better internet...

 

[SomeWhereOverTheRainBow]

Again - one can configure the client - e.g. "home-assistant.io"

Just saying - Not sure why folks are worried about ipv6 - it's a better internet...

I personally believe when in dual-stack, dual-stack. But I cannot advocate for everyone else. I am just here to help per the OP's request.

 

[tdashmike]

You could try a few options in your unbound.conf. Just to let you know it will also break any cross compatibility with ipv6, but that is the least of your concerns if you cannot resolve an AAAA response from an ipv4 root server. Otherwise idk; but here are the options:

do-ip6:no
do-ip4:yes
prefer-ip6:no
prefer-ip4:yes

happy testing!

Thanks. I looked at the unbound config file and it does have the 2 options for do-ip but no entries for prefer. I guess there is no reason not to run both IPv4 and IPv6 so right now I won't spend the time to go back and test it.

do-ip4: yes
do-udp: yes
do-tcp: yes

#########################################
# integration IPV6
#
#do-ip6: no
#private-address: ::/0                                 # v1.11 Martineau Enhance '#do-ip6: no' i.e. explicitly drop ALL IPv6 responses
 do-ip6: yes
 edns-buffer-size: 1232                           # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/unbound_manager-manager-installer-utility-for-unbound-recursive-dns-server.6166>
 interface: ::0
 access-control: ::0/0 refuse
 access-control: ::1 allow
 private-address: fd00::/8
 private-address: fe80::/10
#########################################