From: Niklaas Baudet von Gersdorff
To: freebsd-questions@freebsd.org
Cc: Jon Radel, Adam Vande More
Subject: Re: IPv6 only Jails cannot connect to the outside world
Date: Mon, 5 Oct 2015 10:18:40 +0200

On 05/10/15 02:54, Jon Radel wrote:
> On 10/4/15 7:15 PM, Adam Vande More wrote:
>> You haven't demonstrated IPv6 doesn't work. You've only demonstrated name
>> resolution on an IPv6 jail doesn't work.

OK. I can make a DNS lookup but get the same error message as in my
original mail:

> root@ipv6only:~ # drill google.com AAAA
> ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 61714
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;; google.com. IN AAAA
>
> ;; ANSWER SECTION:
> google.com. 139 IN AAAA 2a00:1450:4001:801::1006
>
> ;; AUTHORITY SECTION:
>
> ;; ADDITIONAL SECTION:
>
> ;; Query time: 0 msec
> ;; SERVER: 2a01:4f8:0:a111::add:9898
> ;; WHEN: Mon Oct 5 07:34:06 2015
> ;; MSG SIZE rcvd: 56
> root@ipv6only:~ # telnet google.com 80
> google.com: hostname nor servname provided, or not known

But, you're right, my IPv6 connectivity actually works:

> root@ipv6only:~ # telnet -6 2a00:1450:4001:801::1006 80
> Trying 2a00:1450:4001:801::1006...
> Connected to 2a00:1450:4001:801::1006.
> Escape character is '^]'

Now to the /etc/resolv.conf as mentioned by Jon:

> To expand on Adam's observation, I use an IPv6-only (well it does have
> an IPv4 loopback address) jail on an otherwise dual-stacked machine,
> using ezjail and it works fine. Of course
>
> root@mns:~ # cat /etc/resolv.conf
> search radel.com
> nameserver 2001:4830:1707:5237::10:1
> nameserver 2001:470:880a:5237::7:1
> options edns0 timeout:1
> root@mns:~ #

My resolv.conf in every jail:

> root@ipv6only:~ # cat /etc/resolv.conf
> search financecomm.com
> nameserver 213.133.98.98
> nameserver 213.133.99.99
> nameserver 213.133.100.100
> nameserver 2a01:4f8:0:a0a1::add:1010
> nameserver 2a01:4f8:0:a102::add:9999
> nameserver 2a01:4f8:0:a111::add:9898

So, as you can see, I also have IPv4 and IPv6 nameservers in my
resolv.conf.

> I don't bother mentioning ipv4 resolvers in resolv.conf, but the end
> result is that the test you were trying works fine:
>
> root@mns:~ # telnet google.com 80
> Trying 2607:f8b0:4004:807::1006...
> Connected to google.com.
> Escape character is '^]'.
> blort
> HTTP/1.0 400 Bad Request
>

As in my original email, the above test I cannot confirm.

Mentioning /etc/resolv.conf made me try something else: I removed the
IPv4 nameservers in it:

> root@ipv6only:~ # cat /etc/resolv.conf
> search financecomm.com
> nameserver 2a01:4f8:0:a0a1::add:1010
> nameserver 2a01:4f8:0:a102::add:9999
> nameserver 2a01:4f8:0:a111::add:9898

And now my test works:

> root@ipv6only:~ # telnet google.com 80
> Trying 2a00:1450:4001:80d::100e...
> Connected to google.com.
> Escape character is '^]'

Thus it seems that, in an IPv6 only jail, I may not list IPv4
nameservers in /etc/resolv.conf because otherwise I get the weird error
that it cannot resolve the hostname although it actually can? Is that
intended? Probably I'm missing something.

-- 
Niklaas
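
A check for the situation reported in the mail above, added here as an example and not part of the original message: it lists the nameserver entries of a resolv.conf whose address family the jail has no address for. The function names are hypothetical, and the caller is assumed to pass the families the jail actually has ("inet6" for the IPv6-only jail); the sample file is the first resolv.conf quoted in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail. Function names are hypothetical.

# Print the address family of a nameserver address: inet6, inet or unknown.
classify_ns() {
    case "$1" in
        *:*)     echo inet6 ;;    # any colon means IPv6 (also fe80::1%em0)
        *.*.*.*) echo inet ;;
        *)       echo unknown ;;
    esac
}

# unusable_nameservers FILE "FAMILIES"
# FAMILIES is the space-separated list of families the jail has addresses
# for (assumption: supplied by the caller). Prints one address per line.
unusable_nameservers() {
    families=" $2 "
    while read -r key addr _rest || [ -n "$key" ]; do
        [ "$key" = nameserver ] || continue      # skip search/options/comments
        fam=$(classify_ns "$addr")
        case "$families" in
            *" $fam "*) ;;                       # family available in the jail
            *) echo "$addr" ;;                   # no address of this family
        esac
    done < "$1"
}

# Return 0 if every nameserver is usable, 1 (with a report on stderr) if not.
check_resolv_conf() {
    bad=$(unusable_nameservers "$1" "$2")
    if [ -z "$bad" ]; then return 0; fi
    echo "$1: nameservers outside the jail's address families ($2):" >&2
    echo "$bad" | sed 's/^/  /' >&2
    return 1
}

# Write the resolv.conf quoted in the mail (the failing one) to FILE.
write_sample() {
    cat > "$1" <<'EOF'
search financecomm.com
nameserver 213.133.98.98
nameserver 213.133.99.99
nameserver 213.133.100.100
nameserver 2a01:4f8:0:a0a1::add:1010
nameserver 2a01:4f8:0:a102::add:9999
nameserver 2a01:4f8:0:a111::add:9898
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_resolv_conf "$sample" "inet6" || echo "entries above are unusable from this jail"
rm -f "$sample"
```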