#1558 `prosodyctl check` reports "unknown address" & "does not seem to resolve" errors, for existing IP & records

Reporter pgnd
Owner Nobody
Created
Updated
Stars ★★ (2)
Tags
  • Status-NeedInfo
  • Type-Defect
  • Priority-Medium
  1. pgnd on

    prosody installed from git

    ```
    hg log -l1
    changeset:   9792:8fcd46ee9bf5
    branch:      0.11
    bookmark:    @
    tag:         tip
    user:        Kim Alvefur <zash@zash.se>
    date:        Fri May 15 21:22:35 2020 +0200
    summary:     mod_storage_internal: Fix error in time limited queries on items without 'when' field, fixes #1557
    ```

    prosody config, `prosody.cfg.lua`:

    ```lua
    http_external_url = "https://jitsi.example.com/"
    trusted_proxies = { "127.0.0.1", "10.1.1.100", }
    admins = { "admin@auth.jitsi.example.com" }
    use_libevent = true
    pidfile = "/run/prosody/prosody.pid"
    interfaces = { "127.0.0.1" }
    local_interfaces = { "127.0.0.1" }
    c2s_interfaces = { "127.0.0.1" }
    c2s_ports = { 5222 }
    component_interface = "127.0.0.1"
    component_ports = { 5347 }
    http_interfaces = {}
    http_ports = {}
    https_interfaces = { "127.0.0.1" }
    https_ports = { 5281 }
    legacy_ssl_ports = {}
    network_backend = "epoll"
    plugin_paths = {}
    modules_enabled = {
        "roster"; "saslauth"; "tls"; "dialback"; "disco"; "carbons";
        "private"; "ping"; "register"; "admin_adhoc"; "admin_telnet";
    }
    modules_disabled = {}
    allow_registration = false
    c2s_require_encryption = true
    s2s_require_encryption = true
    s2s_secure_auth = false
    s2s_insecure_domains = {}
    s2s_secure_domains = {}
    authentication = "internal_hashed"
    storage = "internal"
    log = { info = "prosody.log"; error = "prosody.err"; }
    statistics = "internal"
    ssl = {
        key = "/etc/jitsi/ssl/jitsi.example.com.key";
        certificate = "/etc/jitsi/ssl/jitsi.example.com.crt";
        protocol = "tlsv1_2+";
    }

    VirtualHost "jitsi.example.com"
        authentication = "anonymous"
        ssl = {
            key = "/etc/jitsi/ssl/jitsi.example.com.key";
            certificate = "/etc/jitsi/ssl/jitsi.example.com.crt";
            protocol = "tlsv1_2+";
        }
        modules_enabled = {
            "pubsub";
            "websocket"; -- https://prosody.im/doc/websocket
        }
        c2s_require_encryption = true

    VirtualHost "auth.jitsi.example.com"
        authentication = "internal_plain"
        ssl = {
            key = "/etc/jitsi/ssl/auth.jitsi.example.com.key";
            certificate = "/etc/jitsi/ssl/auth.jitsi.example.com.crt";
            protocol = "tlsv1_2+";
        }

    Component "conference.jitsi.example.com" "muc"
        ssl = {
            key = "/etc/jitsi/ssl/conference.jitsi.example.com.key";
            certificate = "/etc/jitsi/ssl/conference.jitsi.example.com.crt";
            protocol = "tlsv1_2+";
        }

    Component "jitsi-videobridge.jitsi.example.com"
        ssl = {
            key = "/etc/jitsi/ssl/jitsi-videobridge.jitsi.example.com.key";
            certificate = "/etc/jitsi/ssl/jitsi-videobridge.jitsi.example.com.crt";
            protocol = "tlsv1_2+";
        }
        component_secret = "1111111111111"

    Component "focus.jitsi.example.com"
        ssl = {
            key = "/etc/jitsi/ssl/focus.jitsi.example.com.key";
            certificate = "/etc/jitsi/ssl/focus.jitsi.example.com.crt";
            protocol = "tlsv1_2+";
        }
        component_secret = "1111111111111"
    ```

    prosody's up

    ```
    telnet jitsi.example.com 5582
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
                         ____                \   /     _
                        |  _ \ _ __ ___  ___  _-_-   __| |_   _
                        | |_) | '__/ _ \/ __|/ _ \ / _` | | | |
                        |  __/| | | (_) \__ \ |_| | (_| | |_| |
                        |_|   |_|  \___/|___/\___/ \__,_|\__, |
                        A study in simplicity            |___/

    port:list()
    | c2s: [127.0.0.1]:5222
    | component: [127.0.0.1]:5347
    | console: [127.0.0.1]:5582
    | https: [127.0.0.1]:5281
    | s2s: [127.0.0.1]:5269
    | OK: 5 services listening on 5 ports
    ```

    hosts resolve @ dns

    ```
    dig +short A jitsi.example.com
    127.0.0.1
    dig +short A conference.jitsi.example.com
    127.0.0.1
    dig +short A jitsi-videobridge.jitsi.example.com
    127.0.0.1
    dig +short A auth.jitsi.example.com
    127.0.0.1
    dig +short A focus.jitsi.example.com
    127.0.0.1
    dig +short SRV _xmpp-client._tcp.example.com
    0 5 5222 jitsi.example.com.
    dig +short SRV _xmpp-server._tcp.example.com
    0 5 5269 jitsi.example.com.
    ```

    checking returns

    ```
    prosodyctl check
    Checking config...
    Done.

    Checking DNS for component conference.jitsi.example.com...
        conference.jitsi.example.com A record points to unknown address 127.0.0.1
        Host conference.jitsi.example.com does not seem to resolve to this server (IPv4/IPv6)
        No targets for conference.jitsi.example.com appear to resolve to this server.
        DNS records are necessary if you want users on other servers to access this component.
    Checking DNS for component jitsi-videobridge.jitsi.example.com...
        jitsi-videobridge.jitsi.example.com A record points to unknown address 127.0.0.1
        Host jitsi-videobridge.jitsi.example.com does not seem to resolve to this server (IPv4/IPv6)
        No targets for jitsi-videobridge.jitsi.example.com appear to resolve to this server.
        DNS records are necessary if you want users on other servers to access this component.
    Checking DNS for host auth.jitsi.example.com...
        auth.jitsi.example.com A record points to unknown address 127.0.0.1
        Host auth.jitsi.example.com does not seem to resolve to this server (IPv4/IPv6)
        No targets for auth.jitsi.example.com appear to resolve to this server.
    Checking DNS for component focus.jitsi.example.com...
        focus.jitsi.example.com A record points to unknown address 127.0.0.1
        Host focus.jitsi.example.com does not seem to resolve to this server (IPv4/IPv6)
        No targets for focus.jitsi.example.com appear to resolve to this server.
        DNS records are necessary if you want users on other servers to access this component.
    Checking DNS for host jitsi.example.com...
        jitsi.example.com A record points to unknown address 127.0.0.1
        Host jitsi.example.com does not seem to resolve to this server (IPv4/IPv6)
        No targets for jitsi.example.com appear to resolve to this server.
    For more information about DNS configuration please see https://prosody.im/doc/dns

    Checking certificates...
    Checking certificate for conference.jitsi.example.com
      Certificate: /usr/local/etc/JITSI/ssl/conference.jitsi.example.com.crt
    Checking certificate for jitsi-videobridge.jitsi.example.com
      Certificate: /usr/local/etc/JITSI/ssl/jitsi-videobridge.jitsi.example.com.crt
    Checking certificate for auth.jitsi.example.com
      Certificate: /usr/local/etc/JITSI/ssl/auth.jitsi.example.com.crt
    Checking certificate for focus.jitsi.example.com
      Certificate: /usr/local/etc/JITSI/ssl/focus.jitsi.example.com.crt
    Checking certificate for jitsi.example.com
      Certificate: /usr/local/etc/JITSI/ssl/jitsi.example.com.crt

    Problems found, see above.
    ```

    "127.0.0.1" is a valid/known address. DNS A/SRV records are in place.

    What's causing this ^ issue with `prosodyctl check`?

  2. Niklas Hambüchen on

    I found that `prosodyctl check` does not resolve `CNAME` records, it checks directly only for `A` and `AAAA` here: https://github.com/bjc/prosody/blob/0eedd1130fe9eb7379c427d1fa1a8f7e9e715a6f/util/prosodyctl/check.lua#L374-L425 This was the reason I got `does not seem to resolve to this server (IPv4/IPv6)` (I'm using CNAME records).

  3. Niklas Hambüchen on

    Related problem somebody else had: https://superuser.com/questions/1482659/prosody-xmpp-server-says-that-a-record-points-to-unknown-address

  4. Zash on

    There were many fixes and improvements in this area in 0.12.x, please upgrade and try there.

    Changes
    • tags Status-NeedInfo
  5. Zash on

    Interpreting the silence as

    Changes
    • tags Status-Fixed
  6. Niklas Hambüchen on

    @Zash Above I linked the exact code that's the problem and explained the reason. That code is still unchanged in Prosody `master`, and I see no addition of the word "CNAME" to the code. So I don't see how CNAME configurations could work. Maybe I'm missing something.

  7. MattJ on

    DNS clients never (generally) query for CNAMEs. They only query for A/AAAA (or whatever), and the DNS server will include the additional results in the response if a CNAME is used. See for example https://superuser.com/a/1762668

    We have switched to a new DNS library since this issue was originally reported. It's very possible that it could automatically perform the CNAME resolution. As Zash mentioned, lots of things have changed - and those changes are sometimes at lower layers in the stack. So if the issue is still happening for you, it would be helpful to have a confirmation with the latest release, and the output of `prosodyctl about`, for example, so we know which DNS library is in use. We don't have much time to spend on reproducing every minor issue that gets reported, which is why we ask for your help in this kind of thing. Thanks for your understanding!

    Changes
    • tags Status-NeedInfo
  8. Zash on

    > We have switched to a new DNS library since this issue was originally reported. It's very possible that it could automatically perform the CNAME resolution.

    libunbound (via lua-unbound) transparently follows CNAMEs already; results should be identical to what you would see if there were no CNAMEs and the names pointed directly at A/AAAA.

    Even the old DNS library has followed CNAMEs for a long time: https://hg.prosody.im/trunk/rev/45222bfb206f
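An added illustration of the resolver behaviour described in the last two comments; this is not Prosody's `check.lua` and does no real DNS lookups. The zone data, the CNAME hop limit and the local address set are constructed to mirror the report above: once CNAMEs are followed, the check sees the same A/AAAA answers as with direct records, and the comparison against the configured interface addresses is what decides the verdict.

```python
# Constructed stand-in for the answers a resolver would return (no network I/O).
ZONE = {
    "jitsi.example.com.": [("A", "127.0.0.1")],
    "auth.jitsi.example.com.": [("CNAME", "jitsi.example.com.")],
    "conference.jitsi.example.com.": [("CNAME", "auth.jitsi.example.com.")],
    "focus.jitsi.example.com.": [("A", "198.51.100.7")],  # assumed: hosted elsewhere
    "loop.example.com.": [("CNAME", "loop2.example.com.")],  # constructed CNAME loop
    "loop2.example.com.": [("CNAME", "loop.example.com.")],
}

MAX_CNAME_HOPS = 8  # assumed bound; real resolvers also cap chain length


def resolve_addresses(name, zone=ZONE, hops=0):
    """Return the A/AAAA addresses for name, following CNAMEs as a resolver does.

    A caller that only looks at the returned addresses cannot tell whether a
    CNAME was involved, which is the point made in the thread.
    """
    if not name.endswith("."):
        name += "."
    if hops > MAX_CNAME_HOPS:
        raise ValueError(f"CNAME chain too long at {name}")
    addrs = []
    for rtype, rdata in zone.get(name, []):
        if rtype in ("A", "AAAA"):
            addrs.append(rdata)
        elif rtype == "CNAME":
            addrs.extend(resolve_addresses(rdata, zone, hops + 1))
    return addrs


def check_host(name, local_addrs, zone=ZONE):
    """Compare resolved addresses with the server's own interface addresses.

    local_addrs plays the role of the configured interfaces in prosody.cfg.lua;
    any resolved address not in that set is reported as unknown.
    """
    resolved = resolve_addresses(name, zone)
    unknown = [a for a in resolved if a not in local_addrs]
    return {"resolved": resolved, "unknown": unknown,
            "ok": bool(resolved) and not unknown}


if __name__ == "__main__":
    local = {"127.0.0.1"}  # constructed: interfaces = { "127.0.0.1" } from the report
    for host in ("jitsi.example.com", "conference.jitsi.example.com", "focus.jitsi.example.com"):
        print(host, check_host(host, local))
```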
