I have configured dns forwarding as follows:
    # show service dns forwarding
    {
        domain 168.192.in-addr.arpa {
            server 2603:3024:423e:b9f1:3063:21ff:fee9:1234
            server 51.89.31.67
        }
        ignore-hosts-file
        listen-address 2604:3024:423e:b9f2::1
        listen-address 192.168.10.1
        listen-address 2604:3024:423e:b9f1::1
        listen-address 51.89.31.65
        listen-address 2604:3024:423e:b9f4::1
        listen-address 192.168.20.1
        listen-address 127.0.0.1
        name-server 2603:3024:423e:b9f1:3063:21ff:fee9:1234
        name-server 51.89.31.67
        name-server 52.41.86.239
    }
Notice that there are three upstream nameservers configured globally, and two configured for the RFC-1918 zones. (The latter is my workaround for PowerDNS recursor defaulting to refuse to send queries for RFC-1918 addresses.)
However, there are two problems with the IPv6 upstream nameserver configuration, as shown by the pdns-recursor logs:
    Nov 07 10:55:34 core-rt.avernus.com pdns_recursor[20806]: Nov 07 10:55:34 NOT using IPv6 for outgoing queries - set 'query-local-address6=::' to enable
    Nov 07 10:55:34 core-rt.avernus.com pdns_recursor[20806]: Nov 07 10:55:34 Only allowing queries from: 0.0.0.0/0
    Nov 07 10:55:34 core-rt.avernus.com pdns_recursor[20806]: Nov 07 10:55:34 Will not send queries to: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0
    Nov 07 10:55:34 core-rt.avernus.com pdns_recursor[20806]: Nov 07 10:55:34 Redirecting queries for zone '168.192.in-addr.arpa' to: 0.0.10.43:3024, 51.89.31.67:53
    Nov 07 10:55:34 core-rt.avernus.com pdns_recursor[20806]: Nov 07 10:55:34 Redirecting queries for zone '.' with recursion to: 0.0.10.43:3024, 51.89.31.67:53, 52.41.86.239:53

First, we need to set the config option query-local-address6=:: in recursor.conf, or no IPv6 nameservers will be queried. We should just do this by default, since we allow setting IPv6 addresses as name-servers.
Second, the IPv6 addresses are being garbled to 0.0.10.43:3024. That's because we haven't wrapped the IPv6 addresses in square brackets in recursor.conf:
    ...
    # domain ... server ...
    forward-zones=168.192.in-addr.arpa=2603:3024:423e:b9f1:3063:21ff:fee9:1234;50.79.34.67

    # dnssec
    dnssec=process-no-validate

    # name-server
    forward-zones-recurse=.=2603:3024:423e:b9f1:3063:21ff:fee9:1234;50.79.34.67;208.72.84.202
If I wrap the IPv6 addresses in [], then the addresses are configured correctly, and recursor doesn't waste its time sending queries to bogus IPv4 addresses.
    # domain ... server ...
    forward-zones=168.192.in-addr.arpa=[2603:3024:423e:b9f1:3063:21ff:fee9:1234];50.79.34.67

    # dnssec
    dnssec=process-no-validate

    # name-server
    forward-zones-recurse=.=[2603:3024:423e:b9f1:3063:21ff:fee9:1234];50.79.34.67;208.72.84.202
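
One way a config generator could handle both problems described above, as an added example (not code from this report or from the project): it brackets IPv6 forwarders, emits query-local-address6=:: whenever an IPv6 forwarder is present, and checks an existing forward-zones line for bare IPv6 entries. The function names render_forwarding and unbracketed_ipv6 are hypothetical.

```python
import ipaddress

def format_forwarder(addr):
    """Bracket IPv6 addresses so the recursor does not read the colons as a port."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return f"[{ip}]" if ip.version == 6 else str(ip)

def render_forwarding(zones, recurse_servers):
    """Build recursor.conf lines from {zone: [servers]} and the global name-servers."""
    lines = []
    if zones:
        specs = ", ".join(
            f"{zone}=" + ";".join(format_forwarder(s) for s in servers)
            for zone, servers in zones.items())
        lines.append("forward-zones=" + specs)
    if recurse_servers:
        lines.append("forward-zones-recurse=.="
                     + ";".join(format_forwarder(s) for s in recurse_servers))
    every = [s for srv in zones.values() for s in srv] + list(recurse_servers)
    # Without this setting the recursor logs "NOT using IPv6 for outgoing queries".
    if any(ipaddress.ip_address(s).version == 6 for s in every):
        lines.append("query-local-address6=::")
    return lines

def unbracketed_ipv6(line):
    """Return the forwarders in a forward-zones[-recurse] line that are bare IPv6."""
    _, _, value = line.partition("=")
    bad = []
    for zone_spec in value.split(","):
        _, _, servers = zone_spec.strip().partition("=")
        for server in (s.strip() for s in servers.split(";")):
            if not server or server.startswith("["):
                continue
            try:
                if ipaddress.ip_address(server).version == 6:
                    bad.append(server)
            except ValueError:
                pass  # e.g. IPv4 with an explicit :port, not a bare address
    return bad

# Addresses copied from the recursor.conf excerpts on this page.
V6 = "2603:3024:423e:b9f1:3063:21ff:fee9:1234"
BEFORE = f"forward-zones-recurse=.={V6};50.79.34.67;208.72.84.202"

if __name__ == "__main__":
    print("bare IPv6 in existing line:", unbracketed_ipv6(BEFORE))
    for out in render_forwarding({"168.192.in-addr.arpa": [V6, "50.79.34.67"]},
                                 [V6, "50.79.34.67", "208.72.84.202"]):
        print(out)
```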