#1558 `prosodyctl check` reports "unknown address" & "does not seem to resolve" errors, for existing IP & records
Reporter: pgnd
Owner: Nobody
Stars: ★★ (2)
Tags: Status-NeedInfo, Type-Defect, Priority-Medium
pgnd
on
prosody installed from git
```
hg log -l1
changeset: 9792:8fcd46ee9bf5
branch: 0.11
bookmark: @
tag: tip
user: Kim Alvefur <zash@zash.se>
date: Fri May 15 21:22:35 2020 +0200
summary: mod_storage_internal: Fix error in time limited queries on items without 'when' field, fixes #1557
```
prosody config,
```
prosody.cfg.lua
http_external_url = "https://jitsi.example.com/"
trusted_proxies = { "127.0.0.1", "10.1.1.100", }
admins = { "admin@auth.jitsi.example.com" }
use_libevent = true
pidfile = "/run/prosody/prosody.pid"
interfaces = { "127.0.0.1" }
local_interfaces = { "127.0.0.1" }
c2s_interfaces = { "127.0.0.1" }
c2s_ports = { 5222 }
component_interface = "127.0.0.1"
component_ports = { 5347 }
http_interfaces = {}
http_ports = {}
https_interfaces = { "127.0.0.1" }
https_ports = { 5281 }
legacy_ssl_ports = {}
network_backend = "epoll"
plugin_paths = {}
modules_enabled = {
"roster";
"saslauth";
"tls";
"dialback";
"disco";
"carbons";
"private";
"ping";
"register";
"admin_adhoc";
"admin_telnet";
}
modules_disabled = {}
allow_registration = false
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = false
s2s_insecure_domains = {}
s2s_secure_domains = {}
authentication = "internal_hashed"
storage = "internal"
log = {
info = "prosody.log";
error = "prosody.err";
}
statistics = "internal"
ssl = {
key = "/etc/jitsi/ssl/jitsi.example.com.key";
certificate = "/etc/jitsi/ssl/jitsi.example.com.crt";
protocol = "tlsv1_2+";
}
VirtualHost "jitsi.example.com"
authentication = "anonymous"
ssl = {
key = "/etc/jitsi/ssl/jitsi.example.com.key";
certificate = "/etc/jitsi/ssl/jitsi.example.com.crt";
protocol = "tlsv1_2+";
}
modules_enabled = {
"pubsub";
"websocket"; -- https://prosody.im/doc/websocket
}
c2s_require_encryption = true
VirtualHost "auth.jitsi.example.com"
authentication = "internal_plain"
ssl = {
key = "/etc/jitsi/ssl/auth.jitsi.example.com.key";
certificate = "/etc/jitsi/ssl/auth.jitsi.example.com.crt";
protocol = "tlsv1_2+";
}
Component "conference.jitsi.example.com" "muc"
ssl = {
key = "/etc/jitsi/ssl/conference.jitsi.example.com.key";
certificate = "/etc/jitsi/ssl/conference.jitsi.example.com.crt";
protocol = "tlsv1_2+";
}
Component "jitsi-videobridge.jitsi.example.com"
ssl = {
key = "/etc/jitsi/ssl/jitsi-videobridge.jitsi.example.com.key";
certificate = "/etc/jitsi/ssl/jitsi-videobridge.jitsi.example.com.crt";
protocol = "tlsv1_2+";
}
component_secret = "1111111111111"
Component "focus.jitsi.example.com"
ssl = {
key = "/etc/jitsi/ssl/focus.jitsi.example.com.key";
certificate = "/etc/jitsi/ssl/focus.jitsi.example.com.crt";
protocol = "tlsv1_2+";
}
component_secret = "1111111111111"
```
prosody's up
```
telnet jitsi.example.com 5582
Trying 127.0.0.1...
Connected to 127.0.0.1.
| ____ \ / _
| _ \ _ __ ___ ___ _-_ __| |_ _
| |_) | '__/ _ \/ __|/ _ \ / _` | | | |
| __/| | | (_) \__ \ |_| | (_| | |_| |
|_| |_| \___/|___/\___/ \__,_|\__, |
A study in simplicity |___/
port:list()
| c2s: [127.0.0.1]:5222
| component: [127.0.0.1]:5347
| console: [127.0.0.1]:5582
| https: [127.0.0.1]:5281
| s2s: [127.0.0.1]:5269
| OK: 5 services listening on 5 ports
```
hosts resolve @ dns
```
dig +short A jitsi.example.com
127.0.0.1
dig +short A conference.jitsi.example.com
127.0.0.1
dig +short A jitsi-videobridge.jitsi.example.com
127.0.0.1
dig +short A auth.jitsi.example.com
127.0.0.1
dig +short A focus.jitsi.example.com
127.0.0.1
dig +short SRV _xmpp-client._tcp.example.com
0 5 5222 jitsi.example.com.
dig +short SRV _xmpp-server._tcp.example.com
0 5 5269 jitsi.example.com.
```
checking returns
```
prosodyctl check
Checking config...
Done.
Checking DNS for component conference.jitsi.example.com...
conference.jitsi.example.com A record points to unknown address 127.0.0.1
Host conference.jitsi.example.com does not seem to resolve to this server (IPv4/IPv6)
No targets for conference.jitsi.example.com appear to resolve to this server.
DNS records are necessary if you want users on other servers to access this component.
Checking DNS for component jitsi-videobridge.jitsi.example.com...
jitsi-videobridge.jitsi.example.com A record points to unknown address 127.0.0.1
Host jitsi-videobridge.jitsi.example.com does not seem to resolve to this server (IPv4/IPv6)
No targets for jitsi-videobridge.jitsi.example.com appear to resolve to this server.
DNS records are necessary if you want users on other servers to access this component.
Checking DNS for host auth.jitsi.example.com...
auth.jitsi.example.com A record points to unknown address 127.0.0.1
Host auth.jitsi.example.com does not seem to resolve to this server (IPv4/IPv6)
No targets for auth.jitsi.example.com appear to resolve to this server.
Checking DNS for component focus.jitsi.example.com...
focus.jitsi.example.com A record points to unknown address 127.0.0.1
Host focus.jitsi.example.com does not seem to resolve to this server (IPv4/IPv6)
No targets for focus.jitsi.example.com appear to resolve to this server.
DNS records are necessary if you want users on other servers to access this component.
Checking DNS for host jitsi.example.com...
jitsi.example.com A record points to unknown address 127.0.0.1
Host jitsi.example.com does not seem to resolve to this server (IPv4/IPv6)
No targets for jitsi.example.com appear to resolve to this server.
For more information about DNS configuration please see https://prosody.im/doc/dns
Checking certificates...
Checking certificate for conference.jitsi.example.com
Certificate: /usr/local/etc/JITSI/ssl/conference.jitsi.example.com.crt
Checking certificate for jitsi-videobridge.jitsi.example.com
Certificate: /usr/local/etc/JITSI/ssl/jitsi-videobridge.jitsi.example.com.crt
Checking certificate for auth.jitsi.example.com
Certificate: /usr/local/etc/JITSI/ssl/auth.jitsi.example.com.crt
Checking certificate for focus.jitsi.example.com
Certificate: /usr/local/etc/JITSI/ssl/focus.jitsi.example.com.crt
Checking certificate for jitsi.example.com
Certificate: /usr/local/etc/JITSI/ssl/jitsi.example.com.crt
Problems found, see above.
```
"127.0.0.1" is a valid/known address
DNS A/SRV records are in place
what's causing this^ issue with `prosodyctl check`?
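To make the comparison behind that output concrete, here is an added example (mine, not Prosody's `check.lua`) that models what the DNS part of `prosodyctl check` does: each configured name is resolved to its A/AAAA targets, following any CNAME chain the way a resolver does, and the targets are compared against the set of addresses the server itself is reachable on. The fake DNS table, the hostnames outside the report's `jitsi.example.com` tree, and the rule that loopback is not counted as a server address are assumptions constructed for the example (the loopback rule is my reading of the output above, not a statement about Prosody's code); the CNAME handling mirrors what the replies in this thread say the resolver does transparently.

```python
"""Model of the address comparison behind `prosodyctl check` DNS output.

Added example, not Prosody's own code. Assumes (modelling the report's output)
that the check compares each name's A/AAAA targets against the server's
non-loopback addresses. The DNS table below is constructed so the script
runs offline.
"""
import ipaddress

# Constructed stand-in for DNS: name -> list of (rtype, rdata).
# A CNAME chain is included to show that following it yields the same
# A/AAAA targets as pointing the name at an address directly.
FAKE_DNS = {
    "jitsi.example.com.":            [("A", "127.0.0.1")],
    "conference.jitsi.example.com.": [("CNAME", "jitsi.example.com.")],
    "chat.example.org.":             [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")],
    "alias.example.org.":            [("CNAME", "chat.example.org.")],
    "stale.example.org.":            [("A", "198.51.100.7")],   # points elsewhere
}

MAX_CNAME_DEPTH = 8


def resolve_addresses(name, table=FAKE_DNS):
    """Return the A/AAAA targets for `name`, following CNAMEs the way a
    stub resolver (or libunbound, per the replies on this issue) does."""
    if not name.endswith("."):
        name += "."
    seen = []
    for _ in range(MAX_CNAME_DEPTH):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.append(name)
        records = table.get(name, [])
        cnames = [rdata for rtype, rdata in records if rtype == "CNAME"]
        if cnames:
            name = cnames[0]          # chase the alias, then look again
            continue
        return [rdata for rtype, rdata in records if rtype in ("A", "AAAA")]
    raise ValueError("CNAME chain too long")


def server_addresses(interface_addrs):
    """Addresses counted as 'this server': everything on the interfaces
    except loopback (assumption modelling the report's output)."""
    return {str(ipaddress.ip_address(a)) for a in interface_addrs
            if not ipaddress.ip_address(a).is_loopback}


def check_host(host, interface_addrs, table=FAKE_DNS):
    """Return (ok, messages) using the wording prosodyctl check printed."""
    local = server_addresses(interface_addrs)
    msgs = []
    matched = False
    for ip in resolve_addresses(host, table):
        rtype = "AAAA" if ":" in ip else "A"
        if ip in local:
            matched = True
        else:
            msgs.append(f"{host} {rtype} record points to unknown address {ip}")
    if not matched:
        msgs.append(f"Host {host} does not seem to resolve to this server (IPv4/IPv6)")
    return matched, msgs


if __name__ == "__main__":
    # Loopback-only setup from the report: every name is flagged.
    for h in ("jitsi.example.com", "conference.jitsi.example.com"):
        ok, out = check_host(h, ["127.0.0.1"])
        print(ok, *out, sep="\n  ")
    # A CNAME alias resolves fine once the server has a routable address.
    print(check_host("alias.example.org", ["192.0.2.10", "127.0.0.1"]))
    # A record left pointing at another host is what the check is meant to catch.
    print(check_host("stale.example.org", ["192.0.2.10"]))
```

Two things the run shows. First, `conference.jitsi.example.com`, which only exists as a CNAME in the table, produces exactly the same result as `jitsi.example.com`, because the resolver step hands back the chased A target. Second, the loopback-only layout in the report and a genuinely stale record (`stale.example.org`) produce the same "unknown address" wording: in both cases the address in DNS is not one that a federated peer could use to reach this process, which is the condition the check exists to flag, and the message "DNS records are necessary if you want users on other servers to access this component" is the intended reading of it.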
Niklas Hambüchen
on
I found that `prosodyctl check` does not resolve `CNAME` records, it checks directly only for `A` and `AAAA` here: https://github.com/bjc/prosody/blob/0eedd1130fe9eb7379c427d1fa1a8f7e9e715a6f/util/prosodyctl/check.lua#L374-L425 This was the reason I got `does not seem to resolve to this server (IPv4/IPv6)` (I'm using CNAME records).
Related problem somebody else had: https://superuser.com/questions/1482659/prosody-xmpp-server-says-that-a-record-points-to-unknown-address
There were many fixes and improvements in this area in 0.12.x, please upgrade and try there.
Changes
tags Status-NeedInfo
Zash
on
Interpreting the silence as
Changes
tags Status-Fixed
Niklas Hambüchen
on
@Zash Above I linked the exact code that's the problem and explained the reason.
That code is still unchanged in Prosody `master`, and I see no addition of the word "CNAME" to the code.
So I don't see how CNAME configurations could work. Maybe I'm missing something.
MattJ
on
DNS clients never (generally) query for CNAMEs. They only query for A/AAAA (or whatever), and the DNS server will include the additional results in the response if a CNAME is used. See for example https://superuser.com/a/1762668
We have switched to a new DNS library since this issue was originally reported. It's very possible that it could automatically perform the CNAME resolution. As Zash mentioned, lots of things have changed, and those changes are sometimes at lower layers in the stack.
So if the issue is still happening for you, it would be helpful to have a confirmation with the latest release, and the output of 'prosodyctl about', for example, so we know which DNS library is in use.
We don't have much time to spend on reproducing every minor issue that gets reported, which is why we ask for your help in this kind of thing. Thanks for your understanding!
Changes
tags Status-NeedInfo
Zash
on
> We have switched to a new DNS library since this issue was originally reported. It's very possible that it could automatically perform the CNAME resolution.
libunbound (via lua-unbound) transparently follows CNAMEs already; results should be identical to what you would see if there were no CNAMEs and the names pointed directly at A/AAAA.
Even the old DNS library has followed CNAMEs for a long time: https://hg.prosody.im/trunk/rev/45222bfb206f