Problem setting AAAA record to "::ffff:7f00:1" (HTTP error 500 on API and UI)

DNSeditor · November 21, 2020, 11:41pm

Hi everyone,

I am trying to bulk create records for new domains. I spent about an hour to debug the API call given below which always gave me an HTTP error 500 until I realized that the request works if I remove the AAAA record. Setting the corresonding AAAA record using the WebUI doesn’t work as well. As far as I understand the IPv6 adress is perfectly valid. Also the expanded versions 0:0:0:0:0:ffff:7f00:1 and 0000:0000:0000:0000:0000:FFFF:7F00:0001 don’t work and give a HTTP error 500 using the WebUI.

Hope someone can help me with that!

curl -X PUT https://desec.io/api/v1/domains/<domain.de>/rrsets/ \
    --header "Authorization: Token mySecretToken" \
    --header "Content-Type: application/json" -d @- << EOF 
[
  {"domain": "<domain.de>","subname": "www", "type": "A", "ttl": 3600, "records": ["84.19.1.228"]},
  {"domain": "<domain.de>","subname": "www", "type": "AAAA", "ttl": 3600, "records": ["::ffff:7f00:1"]},
  {"domain": "<domain.de>","subname": "mail", "type": "A", "ttl": 3600, "records": ["84.19.1.228"]},
  {"domain": "<domain.de>","subname": "", "type": "MX", "ttl": 3600, "records": ["10 mail.9jj.de."]}
]
EOF

fiwswe · November 22, 2020, 10:27am

Hi DNSeditor!

Well, the address is in the range of ::ffff:0:0/96 making it a reserved IPv6 address. See Reserved IP addresses - Wikipedia or RFC 5156 - Special-Use IPv6 Addresses

Maybe deSEC is checking for reserved values and preventing you from using them?

HTH

fiwswe

peter · November 23, 2020, 3:32pm

Hi DNSeditor,

Thank you for your report, and welcome to deSEC!

In fact, what you are facing is a bug. It turns out that our internal input validation translates IP addresses prefixed with 0:0:0:0:0:0: or 0:0:0:0:0:ffff: into “alternate text format” such as ::ffff:127.0.0.1 (see RFC 3513 Section 2.2 Number 3). It turns out that our backend nameserver does not understand that format.

IP addresses with such prefixes are indeed somewhat of an edge case, but we do intend to support them. We’re working on a fix; you can track progress here: https://github.com/desec-io/desec-stack/issues/481

Stay secure,
Peter