Date: Thu, 10 Jan 2013 01:55:16 +0900 (JST)
From: Hiroki Sato <hrs@FreeBSD.org>
To: ben@morrow.me.uk
Cc: freebsd-stable@FreeBSD.org
Subject: Re: sendmail vs ipv6 broken after upgrade to 9.1
Message-ID: <20130110.015516.1722722242677856001.hrs@allbsd.org>
In-Reply-To: <20130109154435.GA81164@anubis.morrow.me.uk>
References: <20130108180920.GJ36633@rugsucker.smi.sendmail.com> <20130109.072935.595111158363526981.hrs@allbsd.org> <20130109154435.GA81164@anubis.morrow.me.uk>

Ben Morrow <ben@morrow.me.uk> wrote
  in <20130109154435.GA81164@anubis.morrow.me.uk>:

be> So getipnodebyname is behaving correctly here: the host has both IPv4
be> and IPv6 addresses, and Sendmail is requesting both native and v4-mapped
be> addresses be returned in all cases. The v4-mapped addresses are then
be> sorted to the top of the list.
be>
be> On FreeBSD, where net.inet6.ip6.v6only is on by default, I believe this
be> is incorrect, and Sendmail should be passing 0 for the flags argument,
be> unless it's going to check or clear the IPV6_V6ONLY socket option. There
be> is no point binding a socket to a v4-mapped address if the kernel isn't
be> going to deliver IPv4 connections to it. Sendmail should also be binding
be> to all the addresses returned, if it isn't already, rather than just the
be> first: this would make the problem go away, since both v4-mapped and
be> native IPv6 sockets would be bound, and the v4-mapped ones would simply
be> never get any connections.

I reread the RFC 2553 and realize your explanation is correct.
gshapiro's explanation was a behavior in the case of (AF_INET6,
AI_DEFAULT), not (AF_INET6, AI_DEFAULT|AI_ALL).

I think sendmail should work regardless of net.inet6.ip6.v6only. Is
just dropping AI_ALL enough for that? When AAAA RR is found, no
v4-mapped address will return in that case. Is this correct?

be> Fixing this by setting ipv6_prefer is not necessarily a good idea; this
be> will cause IPv6 addresses to be preferred across the whole system, and
be> unless your IPv6 connectivity is at least as good as your IPv4, that
be> probably isn't what you want.

Yes, I agree that ipv6_prefer is not a correct way to solve this
specific issue.

be> > Just curious, but is there any specific reason not to return an error
be> > when Family=inet6 and no AAAA RR?
be>
be> In this case, Sendmail explicitly requested that v4-mapped addresses be
be> returned in all cases...

-- Hiroki
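
The check described in the quoted text (skip v4-mapped results when IPV6_V6ONLY is in effect, and bind every remaining address rather than only the first), as an added example that is not part of the original message and not Sendmail's code. The function names `socket_v6only` and `bindable_addrs` are hypothetical, and the sample addresses are constructed from documentation ranges.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Effective IPV6_V6ONLY of an AF_INET6 socket: 1, 0, or -1 on error. */
int socket_v6only(int fd)
{
    int on = 0;
    socklen_t len = sizeof(on);
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, &len) < 0)
        return -1;
    return on != 0;
}

/* Copy into out[] the resolver results worth binding an AF_INET6 listener to.
 * With v6only set, v4-mapped (::ffff:a.b.c.d) entries are skipped: the kernel
 * will not deliver IPv4 to them. Returns the count, or -1 on a bad literal. */
int bindable_addrs(const char *const *addrs, int n, int v6only,
                   struct in6_addr *out)
{
    int kept = 0;
    for (int i = 0; i < n; i++) {
        struct in6_addr a;
        if (inet_pton(AF_INET6, addrs[i], &a) != 1)
            return -1;
        if (v6only && IN6_IS_ADDR_V4MAPPED(&a))
            continue;
        out[kept++] = a;
    }
    return kept;
}

/* Constructed sample (documentation ranges), v4-mapped first as in the thread. */
const char *const SAMPLE[] = { "::ffff:192.0.2.10", "2001:db8::10" };

int main(void)
{
    struct in6_addr out[2];
    char buf[INET6_ADDRSTRLEN];
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    int v6only = socket_v6only(fd); /* -1 if no IPv6 socket is available */
    if (fd >= 0)
        close(fd);
    int n = bindable_addrs(SAMPLE, 2, v6only != 0, out); /* error => assume on */
    for (int i = 0; i < n; i++)
        printf("bind %s\n", inet_ntop(AF_INET6, &out[i], buf, sizeof(buf)));
    return 0;
}
```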