net: ipv4 chosen first when ipv6 is available

[rittneje]

Go version

go version go1.22.5 darwin/amd64

Output of go env in your module/workspace:

GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/tmp/.gocache'
GOENV='/Users/rittneje/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/rittneje/test/pkg/mod'
GONOPROXY='[REDACTED]'
GONOSUMDB='[REDACTED]'
GOOS='darwin'
GOPATH='/Users/rittneje/test'
GOPRIVATE='[REDACTED]'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/rittneje/go1.22.5'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/Users/rittneje/go1.22.5/pkg/tool/darwin_amd64'
GOVCS='[REDACTED]'
GOVERSION='go1.22.5'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/Users/rittneje/test/src/dialtest/go.mod'
GOWORK='/Users/rittneje/test/go.work'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/kf/kr7_s3xx0l12zbj3jrn082hmzy5gvy/T/go-build666976387=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

package main

import (
	"context"
	"log"
	"net"
	"net/http/httptrace"
)

func main() {
	d := &net.Dialer{}

	ctx := httptrace.WithClientTrace(context.Background(), &httptrace.ClientTrace{
		DNSStart: func(info httptrace.DNSStartInfo) {
			log.Printf("DNSStart: %q", info.Host)
		},
		DNSDone: func(info httptrace.DNSDoneInfo) {
			log.Printf("DNSDone: %s", info.Addrs)
		},
		ConnectStart: func(network, addr string) {
			log.Printf("ConnectStart: %s %s", network, addr)
		},
		ConnectDone: func(network, addr string, err error) {
			log.Printf("ConnectDone: %s %s %v", network, addr, err)
		},
	})

	c, err := d.DialContext(ctx, "tcp", "www.google.com:443")
	if err != nil {
		panic(err)
	}
	defer c.Close()

	log.Printf("RemoteAddr: %s", c.RemoteAddr())
}

What did you see happen?

On a network where IPv4 is blocked:

2024/08/08 16:03:47 DNSStart: "www.google.com"
2024/08/08 16:03:47 DNSDone: [{142.250.72.100 } {2607:f8b0:4006:809::2004 }]
2024/08/08 16:03:47 ConnectStart: tcp 142.250.72.100:443
2024/08/08 16:03:48 ConnectStart: tcp [2607:f8b0:4006:809::2004]:443
2024/08/08 16:03:48 ConnectDone: tcp [2607:f8b0:4006:809::2004]:443
2024/08/08 16:03:48 RemoteAddr: [2607:f8b0:4006:809::2004]:443

This shows that it incorrectly tried IPv4 first, and then fell back to IPv6.

(The above output is from running on Linux ARM with the netgo build tag, not on macos.)

What did you expect to see?

As per the documentation in net, it should follow "happy eyeballs" and dial IPv6 first, and only fall back to IPv4 if that doesn't work.

If the current behavior is intentional, then the documentation ought to be corrected.

This was previously reported in #54928 but was not fixed.

[gabyhelp]

Related Issues and Documentation

• net: ipv4 chosen first when both ipv4 and ipv6 are available #54928 (closed)
• net: Dial does not respond to quickly-broken IPv6 connections by falling back to IPv4 #68237
• net: Setting LocalAddr to v4 address in net.Dialer not effective if v6 available #14672 (closed)
• net: Resolve{TCP,UDP,IP}Addr returns IPv4 address on host without IPv4 connectivity #28666
• net: LookupNetIP returns IPv4 in IPv6 instead of IPv4 #53554 (closed)
• net: enable happy eyeballs by default #22225 (closed)
• net: Resolver doesn't use provided Dial function in all cases #60712
• net: Dial only tries one address, fails on IPv6-only system if that addr is IPv4 #8124 (closed)
• net: PreferGo DNS resolver failure #56107 (closed)
• net: cgo dns resolver doesn't work as expected. #66114 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[cagedmantis]

cc @ianlancetaylor @neild

[ianlancetaylor]

It looks like we prefer IPv4 since https://go.dev/cl/8360. That does seem to contradict RFC 6555, which says that we should try IPv6 first. That RFC is obsoleted by RFC 8305. The latter requires that we use whichever DNS answer we get first, but we don't seem to do that at all; we collect all the DNS answers before we try opening any connection.

Changing this might be as simple as changing isIPv4 to isNotIPv4 at https://go.googlesource.com/go/+/refs/heads/master/src/net/dial.go#522.

[neild]

Our dial algorithm doesn't match the behavior in RFC 8305 at all. We dial each address within a family serially, only trying a fallback address after the previous one has failed. RFC 8305 recommends sorting all addresses into a single list with IPv4 and IPv6 interleaved, and adding racing dials over time.

I can't tell if we take into account whether the local system has any IPv4/IPv6 connectivity. I think we don't, which means we'll try to dial addresses for families where we have no local address. These dials should fail quickly, so I don't know how much of a problem that is.

Any changes here should take errors into account. When a dial fails, we currently return the error for the first dial attempt made. If our first attempt fails because the system has no connectivity for the address family, and a subsequent attempt fails for some other reason (ECONNREFUSED, say), returning the first error is confusing and masks useful information. This is #18183 and a long standing problem, but we should be careful not to make matters worse.

I'm concerned that changing Dial to prefer IPv6 over IPv4 will cause breakage. What's the fallback for users who encounter problems? Maybe there should be a net.Dialer option to set the preferred address family?