IPv6 for iojs.org

[richardlau]

This originated from @ljharb via a Slack thread, and copied into a post in the build Slack channel.

hi folks! i’m seeing node 17 timing out trying to use http to contact iojs.org (context: https://openjs-foundation.slack.com/archives/C019Y2T6STH/p1638886184056500?thread_ts=1638728965.051700&cid=C019Y2T6STH)
it’s due to an ipv6 change in node, but it seems like perhaps it may be advertising an ipv6 address but not serving on it?

Node.js 17 switched off reordering IP lookups -- previously Node.js would always pick an IPv4 address from those returned but now by default (switchable via a command line flag --dns-result-order) respects the ordering returned from the underlying lookup and uses the first one. This means that if the IPv6 address is returned first that will be picked.

e.g. with Node.js 17.1.0, for iojs.org we're getting:

> dns.lookup('iojs.org', console.log)
GetAddrInfoReqWrap {
  callback: [Function: log],
  family: 0,
  hostname: 'iojs.org',
  oncomplete: [Function: onlookup]
}
> null 2604:a880:400:d0::b2c:a001 6

> dns.lookup('iojs.org', { all: true }, console.log)
GetAddrInfoReqWrap {
  callback: [Function: log],
  family: 0,
  hostname: 'iojs.org',
  oncomplete: [Function: onlookupall]
}
> null [
  { address: '2604:a880:400:d0::b2c:a001', family: 6 },
  { address: '138.197.224.240', family: 4 }
]

Without Node.js involved (on test-rackspace-fedora32-x64-1 as that host appears to have IPv6 connectivity):

[root@test-rackspace-fedora32-x64-1 tmp]# wget https://iojs.org/dist/index.tab --no-hsts -6
--2021-12-08 12:39:55--  https://iojs.org/dist/index.tab
Resolving iojs.org (iojs.org)... 2604:a880:400:d0::b2c:a001
Connecting to iojs.org (iojs.org)|2604:a880:400:d0::b2c:a001|:443... failed: Connection timed out.
Retrying.

compare to fetching from nodejs.org via IPv6:

[root@test-rackspace-fedora32-x64-1 tmp]# wget https://nodejs.org/dist/index.tab --no-hsts -6
--2021-12-08 13:11:16--  https://nodejs.org/dist/index.tab
Resolving nodejs.org (nodejs.org)... 2606:4700:10::6814:162e, 2606:4700:10::6814:172e
Connecting to nodejs.org (nodejs.org)|2606:4700:10::6814:162e|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘index.tab’

index.tab                                  [  <=>                                                                        ] 132.57K   499KB/s    in 0.3s

2021-12-08 13:11:17 (499 KB/s) - ‘index.tab’ saved [135752]

[root@test-rackspace-fedora32-x64-1 tmp]#

I had a look at the Digital Ocean droplet and the iojs.org and nodejs.org Cloudflare DNS settings and the IPv6 for the droplet with IPv4 address 138.197.224.240 (i.e. our www server) doesn't match the IPv6 address set in Cloudflare for the AAAA records for both iojs.org and nodejs.org (there is a difference in that the nodejs.org AAAA record in Cloudflare is proxied). I think what has happened is the droplet was moved a few years ago (#1680 and libuv/libuv#2178, note the libuv issue referencing the 2604:a880:400:d0::b2c:a001 that iojs.org resolves to) and Cloudflare doesn't have floating IP addresses for IPv6 so the IPv6 address of the droplet is now different.

I think the correct thing to do is to update the AAAA record in Cloudflare to the current IPv6 address of the droplet (maybe with proxying turned on?). Although that then make me confused as to how the nodejs.org set up is currently working as it looks like Cloudflare should be proxying to the same old/invalid IPv6 address.

cc @nodejs/build-infra

[richardlau]

I'll try swapping out the IPv6 address for iojs.org in Cloudflare in a couple of hours once I'm out of meetings.

[richardlau]

I've changed the IPv6 address for the two AAAA records in Cloudflare for iojs.org (iojs.org and www) and also turned on proxying. AFAICT this is now working (cc @ljharb):

[root@test-rackspace-fedora32-x64-1 tmp]# wget https://iojs.org/dist/index.tab --no-hsts -6
--2021-12-08 15:56:47--  https://iojs.org/dist/index.tab
Resolving iojs.org (iojs.org)... 2606:4700:3033::ac43:a3fc, 2606:4700:3034::6815:5b06
Connecting to iojs.org (iojs.org)|2606:4700:3033::ac43:a3fc|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘index.tab’

index.tab                                  [ <=>                                                                         ]   7.22K  --.-KB/s    in 0s

2021-12-08 15:56:47 (26.4 MB/s) - ‘index.tab’ saved [7395]

[root@test-rackspace-fedora32-x64-1 tmp]#

(The IPv6 address in the output above is the Cloudflare proxy address and not the IPv6 of the droplet.)

One possible explanation as to why IPv6 to nodejs.org is working despite having the old IPv6 address set as the AAAA record for nodejs.org is because we're also using Cloudflare load balancing for nodejs.org.

[ljharb]

Confirmed, everything works great in node 17! Thank you!

[richardlau]

I've gone ahead and updated the AAAA record in Cloudflare for nodejs.org (it's still proxied). AFAICT IPv6 to nodejs.org is still working:

[root@test-rackspace-fedora32-x64-1 tmp]# wget https://nodejs.org/dist/index.tab --no-hsts -6
--2021-12-08 17:32:23--  https://nodejs.org/dist/index.tab
Resolving nodejs.org (nodejs.org)... 2606:4700:10::6814:172e, 2606:4700:10::6814:162e
Connecting to nodejs.org (nodejs.org)|2606:4700:10::6814:172e|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘index.tab’

index.tab                                  [ <=>                                                                         ] 132.57K  --.-KB/s    in 0.006s

2021-12-08 17:32:24 (22.1 MB/s) - ‘index.tab’ saved [135752]

[root@test-rackspace-fedora32-x64-1 tmp]#