Resolve hostname to IPv6 address in listen directive

Maxim Dounin mdounin at
Wed Aug 25 15:04:44 MSD 2010


On Wed, Aug 25, 2010 at 09:27:43AM +0200, Matthias-Christian Ott wrote:

> At the moment nginx does not allow IPv6 addresses to be specified by
> hostname in a listen directive, that is the following will not work:
>   listen;
>   listen [];
>   listen ipv6only=on;
>   listen [] ipv6only=on;
> Though I see a potential security problem with hostnames here (this
> also applies to IPv4), because DNS replies can be manipulated if
> DNSSEC is not used, I think that this feature would be helpful and
> simplifies administration.

Note well: listen with hostname always uses *one* address returned 
by hostname lookup, the first one returned by gethostbyname().  It 
doesn't make sense to attempt to use it with hostname which 
resolves to multiple addresses.

> Given that resolves to an IPv4 and IPv6 address, simply
> binding to both addresses with the following directive would break
> backwards compatibility: listen;
> For backwards compatibility I propose the following to resolve the
> IPv6 addresses of a hostname and listen on them:
> a) listen ipv6only=on;
> b) listen [];
> Solution b) has the disadvantage that it doesn't conform to RFC 3986.

Both are bad.  Attribute ipv6only serves completely different 
purpose: it disables implicit mapping of ipv6 listen sockets to 
ipv4 (for OSes where such mapping is on by default), i.e. 
instructs nginx to do setsockopt(IPV6_V6ONLY) on listen socket.  
See for details.

I believe correct solution would be to make


to use ipv6 address if no ipv4 addresses were found.

Maxim Dounin
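As an added illustration (this is example code written for this page, not nginx source and not code from either poster), the following C program implements the selection rule proposed in the reply above: resolve the hostname with getaddrinfo(), keep the first IPv4 address, and fall back to an IPv6 address only if no IPv4 address was returned. It also shows what the ipv6only attribute really does, namely setsockopt(IPV6_V6ONLY) on an AF_INET6 listen socket, so a reader can see why that attribute is unrelated to address selection. The function names, the "localhost" default and the port "0" (let the kernel pick) are assumptions made for the example.

```c
/* Added example (not nginx code): mirror the rule "use an IPv6 address only
 * if the hostname resolves to no IPv4 address", and show what ipv6only=on
 * actually does (setsockopt IPV6_V6ONLY). */
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Resolve host/port with getaddrinfo() and copy the first IPv4 address
 * into *out; fall back to the first IPv6 address only when no IPv4 address
 * was returned.  Returns the chosen address family, or -1 on failure.
 * Like the gethostbyname() behaviour described in the thread, only ONE
 * address is kept even if the name resolves to several. */
int pick_listen_address(const char *host, const char *port,
                        struct sockaddr_storage *out, socklen_t *outlen)
{
    struct addrinfo hints, *res, *ai, *v4 = NULL, *v6 = NULL;
    int family;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE;          /* addresses suitable for bind() */

    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;

    /* Scan the whole list: the resolver may return IPv6 entries first. */
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        if (ai->ai_family == AF_INET && v4 == NULL)
            v4 = ai;
        else if (ai->ai_family == AF_INET6 && v6 == NULL)
            v6 = ai;
    }

    ai = (v4 != NULL) ? v4 : v6;          /* IPv4 wins when present */
    if (ai == NULL) {
        freeaddrinfo(res);
        return -1;
    }

    memcpy(out, ai->ai_addr, ai->ai_addrlen);
    *outlen = ai->ai_addrlen;
    family = ai->ai_family;
    freeaddrinfo(res);
    return family;
}

/* Create, bind and listen on a socket for the chosen address.  For AF_INET6
 * sockets, v6only != 0 is the equivalent of nginx's "ipv6only=on": it sets
 * IPV6_V6ONLY so the socket stops accepting IPv4-mapped connections.
 * Returns the listening fd, or -1 on failure. */
int open_listen_socket(const struct sockaddr_storage *addr, socklen_t addrlen,
                       int v6only)
{
    int on = 1;
    int fd = socket(addr->ss_family, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));

    if (addr->ss_family == AF_INET6) {
        int only = v6only ? 1 : 0;
        if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &only, sizeof(only)) < 0) {
            close(fd);
            return -1;
        }
    }

    if (bind(fd, (const struct sockaddr *)addr, addrlen) < 0 ||
        listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "localhost";   /* assumed default */
    struct sockaddr_storage ss;
    socklen_t len;
    char buf[INET6_ADDRSTRLEN];
    int family = pick_listen_address(host, "0", &ss, &len);

    if (family < 0) {
        fprintf(stderr, "no usable address for %s\n", host);
        return 1;
    }
    if (family == AF_INET)
        inet_ntop(AF_INET, &((struct sockaddr_in *)&ss)->sin_addr, buf, sizeof(buf));
    else
        inet_ntop(AF_INET6, &((struct sockaddr_in6 *)&ss)->sin6_addr, buf, sizeof(buf));
    printf("%s -> listen on %s (%s)\n", host, buf,
           family == AF_INET ? "IPv4" : "IPv6, IPV6_V6ONLY set");

    int fd = open_listen_socket(&ss, len, 1);
    if (fd < 0) {
        perror("open_listen_socket");
        return 1;
    }
    close(fd);
    return 0;
}
```

Run it as `./a.out somehost` to see which single address the rule would bind; note that the choice is still only as trustworthy as the name resolution that produced it, which is the concern raised in the quoted message.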
