
#1 2026-05-10 17:16:51

Gilrain
Member
From: France
Registered: 2011-12-24
Posts: 12

unbound wildcard causes curl >8.20.0-3 tlsv1 alert internal error

Hi,

curl is behaving strangely with the last couple of patches (8.20.0-5 or 8.20.0-6).

When accessing an IPv4 only website, it tries to connect to my personal server IPv6 address and complains of a mismatched certificate.

curl -v -Si https://github.com
* Host github.com:443 was resolved.
* IPv6: fd00:…
* IPv4: 140.82.121.3
*   Trying [fd00:…:443...
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [1565 bytes data]
* SSL Trust Anchors:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
{ [5 bytes data]
* TLSv1.3 (IN), TLS alert, internal error (592):
{ [2 bytes data]
* TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error
* closing connection #0
curl: (35) TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error

The last functioning version was 8.20.0-3. I haven't changed the DNS config. And wget or Firefox can access those sites fine. Of course, pacman and php are also impacted by this.

My DNS outputs the same information available everywhere else (github.com. 44 IN A 140.82.121.3, nothing on an IPv6 only query my bad).

Any ideas?

Edit: the threaded-resolver option seems to be the culprit. It was enabled in 8.20.0-5.

Last edited by Gilrain (2026-05-11 10:45:42)


#2 2026-05-10 19:24:17

-thc
Member
Registered: 2017-03-15
Posts: 1,138

Re: unbound wildcard causes curl >8.20.0-3 tlsv1 alert internal error

Why on earth does your DNS subsystem resolve "github.com" to an ULA IPv6 address?

This is what I think it's supposed to look like:

[thc@box ~]$ curl -v -Si https://github.com
* Host github.com:443 was resolved.
* IPv6: (none)
* IPv4: 140.82.121.3
*   Trying 140.82.121.3:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
[...]

Please check your DNS subsystem.


#3 2026-05-10 19:35:55

Gilrain
Member
From: France
Registered: 2011-12-24
Posts: 12

Re: unbound wildcard causes curl >8.20.0-3 tlsv1 alert internal error

Exactly, that's the behavior I get when downgrading curl.

The DNS works correctly, since no other program seems affected. Only curl compiled with --enable-threaded-resolver is unable to.

Here's what my DNS outputs:

drill github.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 43924
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; github.com.	IN	A

;; ANSWER SECTION:
github.com.	21	IN	A	140.82.121.3

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: ipv4 address
;; WHEN: Sun May 10 21:29:11 2026
;; MSG SIZE  rcvd: 44

and

drill -6 github.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 57423
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; github.com.	IN	A

;; ANSWER SECTION:
github.com.	40	IN	A	140.82.121.3

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: ipv6 address
;; WHEN: Sun May 10 21:52:16 2026
;; MSG SIZE  rcvd: 44

Last edited by Gilrain (2026-05-10 19:52:59)


#4 2026-05-10 19:59:45

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,310

Re: unbound wildcard causes curl >8.20.0-3 tlsv1 alert internal error

The output changed from REFUSED to NOERROR and the IPv4 - how?
What specifically is the DNS resolver?
Have you tried using 8.8.8.8 and 2001:4860:4860::8888 ?


#5 2026-05-10 20:54:32

Gilrain
Member
From: France
Registered: 2011-12-24
Posts: 12

Re: unbound wildcard causes curl >8.20.0-3 tlsv1 alert internal error

I tried using cloudflare DNS (in resolv.conf): curl is still unresponsive.

Besides, wouldn't DNS affect more than just curl and curl-dependent programs? ping, mtr, wget, firefox all work when contacting ipv4 only servers.

Since the problem is the same bypassing the internal server, I don't think unbound forwarding to public DoT servers is to blame. And, no, I don't use systemd-resolve ;-)

The output changed from REFUSED to NOERROR and the IPv4 - how?

Yeah, I fixed a mistake on my desktop computer (was contacting the wrong server on ipv6). But the problem is the same on my server which had a correct config all along…


#6 2026-05-11 05:28:41

-thc
Member
Registered: 2017-03-15
Posts: 1,138

Re: unbound wildcard causes curl >8.20.0-3 tlsv1 alert internal error

That query

drill -6 github.com

doesn't do anything useful for you. You're literally asking for the IPv4 address of github.com with a DNS query sent via IPv6.

Try

drill github.com -t AAAA

and watch out for the DNS server that answers this query. That server should be the main culprit.

Last edited by -thc (2026-05-11 07:18:35)


#7 2026-05-11 10:40:35

Gilrain
Member
From: France
Registered: 2011-12-24
Posts: 12

Re: unbound wildcard causes curl >8.20.0-3 tlsv1 alert internal error

Thank you, I knew I was missing something.

Since I was getting nowhere with the simple queries that always returned what was expected (see below), I tried an ipv6 only query using wget: I got the same local redirect as with curl!

Turns out, you can't trust drill output.

I began to question my unbound config and traced the origin of the problem to a wildcard in an auth-zone file (*.mydoma.in. IN AAAA ipv6address). Commenting it solves the redirect but breaks my subdomains. Tried *.mydoma.in. IN CNAME mydoma.in., same bad behavior.

I guess it's time to finally implement the local nameserver I kept postponing… In the meantime, I'll pin curl at 8.20.0-3.

I get a SOA on every IPv4-only server:

drill github.com -t AAAA
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 34646
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; github.com.	IN	AAAA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
github.com.	819	IN	SOA	ns-1707.awsdns-21.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; ADDITIONAL SECTION:

;; Query time: 61 msec
;; SERVER: ipv6 address
;; WHEN: Mon May 11 12:16:39 2026
;; MSG SIZE  rcvd: 112

Here's what I get with curl 8.20.0-6 on a dualstacked server:

curl -v https://archlinux.org
*   Trying [2604:cac0:a104:d::3]:443...
* Host archlinux.org:443 was resolved.
* IPv6: 2604:cac0:a104:d::3
* IPv4: 209.126.35.79
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
…


#8 2026-05-11 17:46:51

-thc
Member
Registered: 2017-03-15
Posts: 1,138

Re: unbound wildcard causes curl >8.20.0-3 tlsv1 alert internal error

Gilrain wrote:

Turns out, you can't trust drill output.

I would take that with a question mark pending further analysis. In any case resolving a public domain like github.com should never ever lead to a local (ULA) IPv6 address.

Gilrain wrote:

I get a SOA on every IPv4-only server:

Which is correct - github.com has no AAAA record (regardless of the connectivity of the server).

Gilrain wrote:

Here's what I get with curl 8.20.0-6 on a dualstacked server:

That's independent of your IPv4/IPv6 dual stack - archlinux.org simply has an AAAA record. Which could be queried by an IPv4 only server.

Last edited by -thc (2026-05-11 20:14:05)

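An added example, not from the thread or from curl: a small audit that resolves names through getaddrinfo() (the system resolver path, assumed here to be what curl's threaded resolver uses) and flags public hostnames that come back with a unique local (fc00::/7), link-local, loopback or private address, which is the symptom -thc describes as something that should never happen for github.com. The check_answers() function also works on constructed address lists, so the classification can be verified offline.

```python
"""Flag public hostnames that resolve to local-scope addresses.

Added example (hypothetical helper, not code from the thread or from curl):
the kind of check that would have caught github.com resolving to fd00::/8.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

ULA = ipaddress.ip_network("fc00::/7")  # IPv6 unique local addresses


@dataclass
class Finding:
    name: str
    address: str
    reason: str


def scope_problem(address: str) -> Optional[str]:
    """Return why an address is unexpected for a public hostname, or None."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip in ULA:
        return "IPv6 unique local address (fc00::/7)"
    if ip.is_link_local:
        return "link-local address"
    if ip.is_loopback:
        return "loopback address"
    if ip.is_private:  # RFC 1918 and other non-global ranges
        return "private (non-global) address"
    return None


def check_answers(name: str, addresses: List[str]) -> List[Finding]:
    """Classify every resolved address for a name; empty list means all global."""
    findings = []
    for addr in addresses:
        reason = scope_problem(addr)
        if reason is not None:
            findings.append(Finding(name, addr, reason))
    return findings


def resolve_like_threaded_curl(name: str) -> List[str]:
    """Resolve via getaddrinfo(), the system resolver (assumed to match curl's
    threaded resolver); returns the distinct A/AAAA answers for port 443."""
    infos = socket.getaddrinfo(name, 443, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def audit(names: List[str]) -> Dict[str, List[Finding]]:
    """Resolve each public name and report any local-scope answers."""
    return {n: check_answers(n, resolve_like_threaded_curl(n)) for n in names}
```

Run audit(["github.com", "archlinux.org"]) on the affected host; an entry such as github.com -> fd00::... with the ULA reason points at the local zone or wildcard rather than at curl.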
