Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Terraform Init Fails when Authority Information is sent in the DNS Response #29303

Closed
b-diggity opened this issue Aug 4, 2021 · 4 comments
Closed

Terraform Init Fails when Authority Information is sent in the DNS Response #29303

b-diggity opened this issue Aug 4, 2021 · 4 comments
Labels
bug cli new new issue not yet triaged upstream

Comments

@b-diggity
Copy link

When running a terraform init on a system that is providing the authority information in the DNS response, Terraform isn't querying the correct IP address for registry.terraform.io, causing the init to fail. If the authority information isn't provided in the DNS response, Terraform works without issue.

Terraform Version

$ terraform version
Terraform v1.0.3
on linux_amd64

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.52.0"
    }
  }
}

Expected Behavior

$ tf init

Initializing the backend...

Initializing provider plugins...
- Finding hashicorp/aws versions matching ">= 3.52.0"...
- Installing hashicorp/aws v3.52.0...
- Installed hashicorp/aws v3.52.0 (signed by HashiCorp)


Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Actual Behavior

$ tf init

Initializing the backend...

Initializing provider plugins...
- Finding hashicorp/aws versions matching ">= 3.52.0"...
╷
│ Error: Failed to query available provider packages
│ 
│ Could not retrieve the list of available versions for provider hashicorp/aws: could not connect to registry.terraform.io: Failed to request discovery document: Get
│ "https://registry.terraform.io/.well-known/terraform.json": net/http: TLS handshake timeout
╵

Steps to Reproduce

On WSL (windows subsystem for Linux) Ubuntu 20.04 with the authority information being sent in the DNS repsonse:
terraform init

Additional Context

When running a terraform init, Terraform reaches out to registry.terraform.io. However, a packet capture shows that Terraform is trying to reach out to a NS server returned in the DNS request. For example, based on the output below, terraform is trying to talk to 23.235.32.32. However, this is wrong. It should be connecting to 199.232.6.49. The TLS handshake message is misleading because the server hello packet is never sent from the NS server (nor should it). Here is a nslookup:

$ nslookup registry.terraform.io
Server:         x.x.x.x
Address:        x.x.x.x#53

Non-authoritative answer:
registry.terraform.io   canonical name = dualstack.q2.shared.global.fastly.net.
Name:   dualstack.q2.shared.global.fastly.net
Address: 199.232.6.49
Name:   ns1.fastly.net
Address: 23.235.32.32
Name:   ns2.fastly.net
Address: 104.156.80.32
Name:   ns3.fastly.net
Address: 23.235.36.32
Name:   ns4.fastly.net
Address: 104.156.84.32
Name:   dualstack.q2.shared.global.fastly.net
Address: 2a04:4e42:3e::561
Name:   ns1.fastly.net
Address: 23.235.32.32
Name:   ns2.fastly.net
Address: 104.156.80.32
Name:   ns3.fastly.net
Address: 23.235.36.32
Name:   ns4.fastly.net
Address: 104.156.84.32

And here is a dig:

$ dig registry.terraform.io

; <<>> DiG 9.16.1-Ubuntu <<>> registry.terraform.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11595
;; flags: qr rd ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;registry.terraform.io.         IN      A

;; ANSWER SECTION:
registry.terraform.io.  0       IN      CNAME   dualstack.q2.shared.global.fastly.net.
dualstack.q2.shared.global.fastly.net. 0 IN A   199.232.6.49
ns1.fastly.net.         0       IN      A       23.235.32.32
ns2.fastly.net.         0       IN      A       104.156.80.32
ns3.fastly.net.         0       IN      A       23.235.36.32
ns4.fastly.net.         0       IN      A       104.156.84.32

;; Query time: 10 msec
;; SERVER: 172.26.64.1#53(172.26.64.1)
;; WHEN: Wed Aug 04 10:49:17 CDT 2021
;; MSG SIZE  rcvd: 284

This is what a dig looks like when terraform works, notice the answer section doens't include the authority info in the response:

$ dig registry.terraform.io

; <<>> DiG 9.16.1-Ubuntu <<>> registry.terraform.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12411
;; flags: qr rd ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;registry.terraform.io.         IN      A

;; ANSWER SECTION:
registry.terraform.io.  0       IN      CNAME   dualstack.q2.shared.global.fastly.net.
dualstack.q2.shared.global.fastly.net. 0 IN A   199.232.6.49

;; Query time: 10 msec
;; SERVER: 172.26.64.1#53(172.26.64.1)
;; WHEN: Wed Aug 04 10:57:50 CDT 2021
;; MSG SIZE  rcvd: 164
@b-diggity b-diggity added bug new new issue not yet triaged labels Aug 4, 2021
@jbardin
Copy link
Member

jbardin commented Aug 4, 2021
edited
Loading

Hi @b-diggity,

Could you provide some more information on the DNS configuration you are using? You mention the added authority section, but neither response contains an ;; AUTHORITY SECTION: in the output. The ns server A records with 0 ttl do look strange to me, but it's been a while since I've had to troubleshoot these things.

We've seen various similar issues in combination with Windows or WSL, but it's usually turned out to be network configuration problems that Terraform cannot avoid on its own. Terraform also is not specifically interpreting the DNS response on it's own, but I do not see any mention of similar issues upstream either.

@b-diggity
Copy link
Author

After more searching, I may have jumped the gun. I found microsoft/WSL#5806, which indicates the issue is on Microsoft's side in regards to how they are returning the DNS response.

@jbardin
Copy link
Member

jbardin commented Aug 5, 2021

Thanks for the link @b-diggity. I'll close this one out for now.

@jbardin jbardin closed this as completed Aug 5, 2021
@github-actions
Copy link
Contributor

github-actions bot commented Sep 5, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 5, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug cli new new issue not yet triaged upstream
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jbardin @b-diggity