Resolve hostname to IPv6 address in listen directive

Maxim Dounin mdounin at mdounin.ru
Wed Aug 25 15:04:44 MSD 2010


Hello!

On Wed, Aug 25, 2010 at 09:27:43AM +0200, Matthias-Christian Ott wrote:

> At the moment nginx does not allow IPv6 addresses to be specified by
> hostname in a listen directive, that is the following will not work:
> 
>   listen ipv6.example.com;
>   listen [ipv6.example.com];
>   listen ipv6.example.com ipv6only=on;
>   listen [ipv6.example.com] ipv6only=on;
> 
> Though I see a potential security problem with hostnames here (this
> also applies to IPv4), because DNS replies can be manipulated if
> DNSSEC is not used, I think that this feature would be helpful and
> simplifies administration.

Note well: listen with hostname always uses *one* address returned
by hostname lookup, the first one returned by gethostbyname().  It
doesn't make sense to attempt to use it with a hostname which
resolves to multiple addresses.

> Given that example.com resolves to an IPv4 and IPv6 address, simply
> binding to both addresses with the following directive would break
> backwards compatibility: listen example.com;
> 
> For backwards compatibility I propose the following to resolve the
> IPv6 addresses of a hostname and listen on them:
> 
> a) listen example.com ipv6only=on;
> 
> b) listen [example.com];
> 
> Solution b) has the disadvantage that it doesn't conform to RFC 3986.

Both are bad.  Attribute ipv6only serves a completely different
purpose: it disables implicit mapping of ipv6 listen sockets to
ipv4 (for OSes where such mapping is on by default), i.e.
instructs nginx to do setsockopt(IPV6_V6ONLY) on the listen socket.
See http://tools.ietf.org/html/rfc3493#section-5.3 for details.

I believe the correct solution would be to make

    listen example.com;

to use an ipv6 address if no ipv4 addresses were found.

Maxim Dounin
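The selection rule proposed above (first IPv4 result, IPv6 only when no IPv4 address came back) together with what ipv6only=on actually does at the socket level, as an added C example that is not nginx's own code; pick_listen_addr, open_listen_socket and family_chosen_for are hypothetical names, and the lookup is restricted to numeric hosts so it runs without DNS.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Proposed rule: take the first IPv4 result; fall back to the first
 * IPv6 result only if the lookup returned no IPv4 address at all. */
const struct addrinfo *pick_listen_addr(const struct addrinfo *res)
{
    const struct addrinfo *first6 = NULL;
    for (const struct addrinfo *ai = res; ai != NULL; ai = ai->ai_next) {
        if (ai->ai_family == AF_INET)
            return ai;
        if (ai->ai_family == AF_INET6 && first6 == NULL)
            first6 = ai;
    }
    return first6;
}

/* Bind and listen on the chosen entry. For AF_INET6, v6only=1 applies
 * setsockopt(IPV6_V6ONLY), the same thing nginx's ipv6only=on does: the
 * socket then refuses IPv4-mapped connections instead of silently
 * serving IPv4 too. Returns the fd, or -1 on error. */
int open_listen_socket(const struct addrinfo *ai, int v6only)
{
    int fd = socket(ai->ai_family, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if ((ai->ai_family == AF_INET6 &&
         setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0) ||
        bind(fd, ai->ai_addr, ai->ai_addrlen) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Resolve a numeric host only (AI_NUMERICHOST, so no DNS is consulted)
 * and report which family the rule picks; -1 if nothing usable. */
int family_chosen_for(const char *host)
{
    struct addrinfo hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM,
                              .ai_flags = AI_NUMERICHOST | AI_PASSIVE }, *res;
    if (getaddrinfo(host, "0", &hints, &res) != 0)
        return -1;
    const struct addrinfo *ai = pick_listen_addr(res);
    int fam = ai ? ai->ai_family : -1;
    freeaddrinfo(res);
    return fam;
}
```

With a real hostname the same rule would be applied to whatever getaddrinfo() returns, which is why the thread's warning about unauthenticated DNS answers still applies: the chosen address is only as trustworthy as the lookup.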
