Bug#971523: ntpsec-ntpdate: ntpdate fail if DNS name for server resolve to IPv6

[Petter Reinholdtsen]

PackagE: ntpsec-ntpdate
Version: 1.1.3+dfsg1-2+deb10u1
Severity: important

I ran into this using Maemo Leste, which uses Buster packages, but the
problem seem to exist also in Debian. The problem is simply that when
ntpdate from ntpsec-ntpdate is given a list of DNS names where some of
them resolve to IPv6 addresses, on a machine where IPv6 is not working,
ntpdate will fail completely even if several of the hosts behind the DNS
names are working fine. It can look like this:

root@devuan-n900:~# /usr/sbin/ntpdate -b 0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
ntpdig: socket error on transmission: [Errno 101] Network is unreachable
root@devuan-n900:~# route -n

I've verified using strace that one of the IPv6 addresses causes the
problem. When trying the same with the ntpdate version in the ntpdate
1.1.3+dfsg1-2+deb10u1 package, the same command line work.

I found <URL: https://bugs.debian.org/293793 > with a patch for ntpdate
to solve what seem to be this exact problem, applied 15 years ago.
Could it be that this approach will solve the issue also for
ntpsec-ntpdate?

--
Happy hacking
Petter Reinholdtsen

[Petter Reinholdtsen]

[Richard Laager]
> What does this output:
> ntpdig -d 0.debian.pool.ntp.org 1.debian.pool.ntp.org \
> 2.debian.pool.ntp.org 3.debian.pool.ntp.org

ntpdig: querying 162.159.200.1 (0.debian.pool.ntp.org)
ntpdig: querying 95.216.142.52 (0.debian.pool.ntp.org)
ntpdig: querying 62.236.120.71 (0.debian.pool.ntp.org)
ntpdig: querying 95.216.154.135 (0.debian.pool.ntp.org)
ntpdig: querying 95.216.24.230 (1.debian.pool.ntp.org)
ntpdig: querying 95.216.238.58 (1.debian.pool.ntp.org)
ntpdig: querying 95.216.160.182 (1.debian.pool.ntp.org)
ntpdig: querying 194.100.206.70 (1.debian.pool.ntp.org)
ntpdig: querying 162.159.200.123 (2.debian.pool.ntp.org)
ntpdig: querying 79.160.13.250 (2.debian.pool.ntp.org)
ntpdig: querying 37.44.185.42 (2.debian.pool.ntp.org)
ntpdig: querying 185.41.243.43 (2.debian.pool.ntp.org)
ntpdig: querying 2001:67c:558::43 (2.debian.pool.ntp.org)

ntpdig: socket error on transmission: [Errno 101] Network is unreachable

> I get a different error, which might be related, with:
> ntpdig -d 2.debian.pool.ntp.org
>
> That seems to timeout (the default being 5 seconds) and then return:
> ntpdig: no eligible servers
>
> How does that behave for you?

ntpdig: querying 162.159.200.123 (2.debian.pool.ntp.org)
ntpdig: querying 79.160.13.250 (2.debian.pool.ntp.org)
ntpdig: querying 37.44.185.42 (2.debian.pool.ntp.org)
ntpdig: querying 185.41.243.43 (2.debian.pool.ntp.org)
ntpdig: querying 2001:67c:558::43 (2.debian.pool.ntp.org)

ntpdig: socket error on transmission: [Errno 101] Network is unreachable

> For me, this works, albeit still with a 5 second delay:
> ntpdig -dc 2.debian.pool.ntp.org

ntpdig: querying 37.44.185.42 (2.debian.pool.ntp.org)
ntpdig: querying 162.159.200.123 (2.debian.pool.ntp.org)
ntpdig: querying 185.41.243.43 (2.debian.pool.ntp.org)
ntpdig: querying 79.160.13.250 (2.debian.pool.ntp.org)
ntpdig: querying 2001:67c:558::43 (2.debian.pool.ntp.org)

ntpdig: socket error on transmission: [Errno 101] Network is unreachable

My guess is that you have working IPv6, while I do not.

root@devuan-n900:~# ping6 2001:67c:558::43
connect: Network is unreachable
root@devuan-n900:~#

[Richard Laager]

I've submitted a patch upstream to suppress those messages except in
debug mode, since they are clearly confusing:

https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1288

This bug probably should have been marked fixed already once the
upstream change to make them non-fatal was uploaded to Debian. But given
I'm submitting another patch, I'll leave it open.

--
Richard