Problem setting AAAA record to "::ffff:7f00:1" (HTTP error 500 on API and UI)

Hi everyone,

I am trying to bulk create records for new domains. I spent about an hour to debug the API call given below which always gave me an HTTP error 500 until I realized that the request works if I remove the AAAA record. Setting the corresonding AAAA record using the WebUI doesn’t work as well. As far as I understand the IPv6 adress is perfectly valid. Also the expanded versions 0:0:0:0:0:ffff:7f00:1 and 0000:0000:0000:0000:0000:FFFF:7F00:0001 don’t work and give a HTTP error 500 using the WebUI.

Hope someone can help me with that!

curl -X PUT https://desec.io/api/v1/domains/<domain.de>/rrsets/ \
    --header "Authorization: Token mySecretToken" \
    --header "Content-Type: application/json" -d @- << EOF 
[
  {"domain": "<domain.de>","subname": "www", "type": "A", "ttl": 3600, "records": ["84.19.1.228"]},
  {"domain": "<domain.de>","subname": "www", "type": "AAAA", "ttl": 3600, "records": ["::ffff:7f00:1"]},
  {"domain": "<domain.de>","subname": "mail", "type": "A", "ttl": 3600, "records": ["84.19.1.228"]},
  {"domain": "<domain.de>","subname": "", "type": "MX", "ttl": 3600, "records": ["10 mail.9jj.de."]}
]
EOF

Hi DNSeditor!

Well, the address is in the range of ::ffff:0:0/96 making it a reserved IPv6 address. See https://en.wikipedia.org/wiki/Reserved_IP_addresses or https://tools.ietf.org/html/rfc5156#section-2.2

Maybe deSEC is checking for reserved values and preventing you from using them?

HTH

fiwswe

Hi DNSeditor,

Thank you for your report, and welcome to deSEC!

In fact, what you are facing is a bug. It turns out that our internal input validation translates IP addresses prefixed with 0:0:0:0:0:0: or 0:0:0:0:0:ffff: into “alternate text format” such as ::ffff:127.0.0.1 (see RFC 3513 Section 2.2 Number 3). It turns out that our backend nameserver does not understand that format.

IP addresses with such prefixes are indeed somewhat of an edge case, but we do intend to support them. We’re working on a fix; you can track progress here: https://github.com/desec-io/desec-stack/issues/481

Stay secure,
Peter