Description
Hello,
Everything is in the title. I can reach any website over ipv6, but not the public discovery service. Consequently, my cluster is now undiscovered, and I get error messages from my talos nodes ("[talos] hello failed").
From my computer:
IPv6:
thomas@tldesktop01:~/Tech$ curl -v -X HEAD https://discovery.talos.dev
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the way you want. Consider using -I/--head instead.
* Host discovery.talos.dev:443 was resolved.
* IPv6: 2a01:111:f100:2000::a83e:3731
* IPv4: 172.174.35.21
* Trying [2a01:111:f100:2000::a83e:3731]:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
* CApath: none
* Recv failure: Connection reset by peer
* TLS connect error: error:00000000:lib(0)::reason(0)
* OpenSSL SSL_connect: Connection reset by peer in connection to discovery.talos.dev:443
* closing connection #0
curl: (35) Recv failure: Connection reset by peer
IPv4:
thomas@tldesktop01:~/Tech$ curl -ip4 -v -X HEAD https://discovery.talos.dev
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the way you want. Consider using -I/--head instead.
* Host discovery.talos.dev:443 was resolved.
* IPv6: (none)
* IPv4: 172.174.35.21
* Trying 172.174.35.21:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: CN=discovery.talos.dev
* start date: Apr 5 05:58:38 2025 GMT
* expire date: Jul 4 05:58:37 2025 GMT
* subjectAltName: host "discovery.talos.dev" matched cert's "discovery.talos.dev"
* issuer: C=US; O=Let's Encrypt; CN=R11
* SSL certificate verify ok.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to discovery.talos.dev (172.174.35.21) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://discovery.talos.dev/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: discovery.talos.dev]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.11.1]
* [HTTP/2] [1] [accept: */*]
> HEAD / HTTP/2
> Host: discovery.talos.dev
> User-Agent: curl/8.11.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Request completely sent off
< HTTP/2 200
HTTP/2 200
< accept-ranges: bytes
accept-ranges: bytes
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< content-length: 2422
content-length: 2422
< date: Sun, 01 Jun 2025 18:39:14 GMT
date: Sun, 01 Jun 2025 18:39:14 GMT
<
* end of response with 2422 bytes missing
* Connection #0 to host discovery.talos.dev left intact
curl: (18) end of response with 2422 bytes missing
Google IPv6:
thomas@tldesktop01:~/Tech$ curl -ip6 -v -X HEAD https://google.com
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the way you want. Consider using -I/--head instead.
* Host google.com:443 was resolved.
* IPv6: 2a00:1450:400e:802::200e
* IPv4: (none)
* Trying [2a00:1450:400e:802::200e]:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
* subject: CN=*.google.com
* start date: May 12 08:42:58 2025 GMT
* expire date: Aug 4 08:42:57 2025 GMT
* subjectAltName: host "google.com" matched cert's "google.com"
* issuer: C=US; O=Google Trust Services; CN=WR2
* SSL certificate verify ok.
* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* Connected to google.com (2a00:1450:400e:802::200e) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://google.com/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: google.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.11.1]
* [HTTP/2] [1] [accept: */*]
> HEAD / HTTP/2
> Host: google.com
> User-Agent: curl/8.11.1
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 301
HTTP/2 301
< location: https://www.google.com/
location: https://www.google.com/
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-JQ8sg4CPcgdb0zqviKZj8A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-JQ8sg4CPcgdb0zqviKZj8A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< date: Sun, 01 Jun 2025 18:39:26 GMT
date: Sun, 01 Jun 2025 18:39:26 GMT
< expires: Tue, 01 Jul 2025 18:39:26 GMT
expires: Tue, 01 Jul 2025 18:39:26 GMT
< cache-control: public, max-age=2592000
cache-control: public, max-age=2592000
< server: gws
server: gws
< content-length: 220
content-length: 220
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
* end of response with 220 bytes missing
* Connection #0 to host google.com left intact
curl: (18) end of response with 220 bytes missing
Is it a problem on your end, or a routing problem somewhere?
Can you remove the AAAA record for now?
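Added diagnostic, not part of the original issue or of the Talos project: a small Python tool that parses `curl -v` transcripts like the ones above and says whether the failure is confined to one address family, i.e. the ClientHello goes out and the peer resets before any ServerHello over IPv6 while the IPv4 path completes TLS and returns an HTTP status. It also treats the `curl: (18) end of response with N bytes missing` exit as benign: that is an artifact of `-X HEAD`, which makes curl wait for a body a HEAD response never carries (`-I` avoids it), so it must not be counted as a server fault. The embedded transcripts are abridged copies of the output posted in the issue; `probe_family` is an assumed live check that needs network access and is only run when a host is passed on the command line.

```python
import re
import sys

# Lines of interest in `curl -v` output.
TRYING_RE = re.compile(r"^\* +Trying (\[(?P<v6>[0-9a-fA-F:]+)\]|(?P<v4>[0-9.]+)):(?P<port>\d+)")
STATUS_RE = re.compile(r"^< HTTP/\S+ (?P<status>\d{3})")
CURL_ERR_RE = re.compile(r"^curl: \((?P<code>\d+)\) ")


def parse_curl_verbose(text):
    """Summarise one curl attempt: address family tried, whether a ServerHello
    arrived (proof the TCP+TLS path is alive), HTTP status, curl exit code."""
    r = {"address": None, "family": None, "port": None, "server_hello": False,
         "verify_ok": False, "reset": False, "http_status": None, "curl_code": 0}
    for line in text.splitlines():
        line = line.strip()
        m = TRYING_RE.match(line)
        if m and r["address"] is None:            # first address curl tried
            r["family"] = "IPv6" if m.group("v6") else "IPv4"
            r["address"] = m.group("v6") or m.group("v4")
            r["port"] = int(m.group("port"))
        elif "TLS handshake, Server hello" in line:
            r["server_hello"] = True
        elif "SSL certificate verify ok" in line:
            r["verify_ok"] = True
        elif "Connection reset by peer" in line:
            r["reset"] = True
        m = STATUS_RE.match(line)                 # only the "< " copy, not the -i echo
        if m:
            r["http_status"] = int(m.group("status"))
        m = CURL_ERR_RE.match(line)
        if m:
            r["curl_code"] = int(m.group("code"))
    return r


def classify(r):
    """Verdict for one attempt. A completed handshake plus an HTTP status is
    "ok" even if curl later exits 18: that exit comes from -X HEAD waiting
    for a body, not from the server."""
    if r["reset"] and not r["server_hello"]:
        return "reset-before-server-hello"        # nothing answered the ClientHello
    if r["server_hello"] and r["http_status"] is not None:
        return "ok"
    if r["curl_code"]:
        return "failed-exit-%d" % r["curl_code"]
    return "incomplete"


def compare_families(v6_text, v4_text):
    """Compare IPv6 and IPv4 transcripts for the same host."""
    c6, c4 = classify(parse_curl_verbose(v6_text)), classify(parse_curl_verbose(v4_text))
    if c6 == "ok" and c4 == "ok":
        return "both-families-ok"
    if c4 == "ok":
        return "ipv6-only-failure"                # AAAA path broken, A path fine
    if c6 == "ok":
        return "ipv4-only-failure"
    return "both-families-failing"


def probe_family(host, family, port=443, timeout=5.0):
    """Live check (needs network): TCP+TLS to `host` over one address family,
    reported in the same shape the parser produces. Assumed helper."""
    import socket, ssl
    r = {"family": "IPv6" if family == socket.AF_INET6 else "IPv4",
         "address": None, "server_hello": False, "reset": False}
    try:
        addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
        r["address"] = addr[0]
        with socket.create_connection(addr[:2], timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host) as tls:
                r["server_hello"] = True          # handshake completed and verified
                r["tls_version"] = tls.version()
    except ConnectionResetError:
        r["reset"] = True
    except (OSError, ssl.SSLError) as exc:        # no AAAA/A record, timeout, cert error
        r["error"] = str(exc)
    return r


# Abridged copies of the transcripts in the issue, used as constructed input.
SAMPLE_V6_RESET = """\
* Host discovery.talos.dev:443 was resolved.
* IPv6: 2a01:111:f100:2000::a83e:3731
*   Trying [2a01:111:f100:2000::a83e:3731]:443...
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* Recv failure: Connection reset by peer
curl: (35) Recv failure: Connection reset by peer
"""
SAMPLE_V4_OK = """\
* Host discovery.talos.dev:443 was resolved.
* IPv4: 172.174.35.21
*   Trying 172.174.35.21:443...
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* SSL certificate verify ok.
< HTTP/2 200
HTTP/2 200
curl: (18) end of response with 2422 bytes missing
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                         # live mode: python3 this.py host
        import socket
        for fam in (socket.AF_INET6, socket.AF_INET):
            print(probe_family(sys.argv[1], fam))
    else:
        print(compare_families(SAMPLE_V6_RESET, SAMPLE_V4_OK))
```

The parser keys on the ServerHello line because that is the earliest evidence the remote TLS endpoint is reachable: a reset before it means the packets are being dropped or refused somewhere on the AAAA path (firewall, load balancer without an IPv6 listener, broken route), which is exactly the pattern the two transcripts above show.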