
#1 2026-03-29 06:21:36

tachtler
Member
Registered: 2020-08-23
Posts: 38

AUR repo reachable over Hurricane Electric Free IPv6 Tunnel Broker.

Hi,

I'm experiencing the following issue: I can only access the AUR repository—ALWAYS—after the third attempt.

(When I disable the Hurricane Electric Free IPv6 Tunnel, I have - NO - issues using my pure IPv4 address)

First attempt—I have to cancel it with Ctrl-C

# pikaur -Syyuv
=> GET https://archlinux.org/feeds/news/
=> pacman --color=always --sync --refresh --refresh
:: Synchronizing package databases...
 core                                                    122.8 KiB   210 KiB/s 00:01 [################################################] 100%
 extra                                                     8.2 MiB  8.38 MiB/s 00:01 [################################################] 100%
^C

Canceled by user (SIGINT)

Second attempt—I have to cancel it with Ctrl-C too

# pikaur -Syyuv
=> GET https://archlinux.org/feeds/news/
=> pacman --color=always --sync --refresh --refresh
:: Synchronizing package databases...
 core                                                    122.8 KiB   782 KiB/s 00:00 [################################################] 100%
 extra                                                     8.2 MiB  8.93 MiB/s 00:01 [################################################] 100%

 Starting full AUR upgrade...
Reading repository package databases...
Reading local package database...
=> pacman --color=always --sync --sysupgrade --print-format %r/%n
Reading AUR packages info...
=> GET https://aur.archlinux.org/rpc/?v=5&type=info&arg[]=pikaur
^C

Canceled by user (SIGINT)

Third attempt—is working!

# pikaur -Syyuv
=> GET https://archlinux.org/feeds/news/
=> pacman --color=always --sync --refresh --refresh
:: Synchronizing package databases...
 core                                                    122.8 KiB   682 KiB/s 00:00 [################################################] 100%
 extra                                                     8.2 MiB  9.13 MiB/s 00:01 [################################################] 100%

 Starting full AUR upgrade...
Reading repository package databases...
Reading local package database...
=> pacman --color=always --sync --sysupgrade --print-format %r/%n
Reading AUR packages info...
=> GET https://aur.archlinux.org/rpc/?v=5&type=info&arg[]=pikaur
=> pacman --color=always --query --upgrades --quiet

pikspect => pacman --color=always --sync --verbose --sysupgrade
Root      : /
Conf File : /etc/pacman.conf
DB Path   : /var/lib/pacman/
Cache Dirs: /var/cache/pacman/pkg/  
Hook Dirs : /usr/share/libalpm/hooks/  /etc/pacman.d/hooks/  
Lock File : /var/lib/pacman/db.lck
Log File  : /var/log/pacman.log
GPG Dir   : /etc/pacman.d/gnupg/
Targets   : None
:: Starting full system upgrade...
 there is nothing to do

Could this be caused by a security mechanism kicking in?

Thanks in advance, and

Best regards,
Klaus.

Offline

#2 2026-03-29 08:21:33

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 74,663

Re: AUR repo reachable over Hurricane Electric Free IPv6 Tunnel Broker.

Could this be caused by a security mechanism kicking in?

Probably - the AUR has been under massive attack last year

https://wiki.archlinux.org/title/IPv6#P … _over_IPv6

Sidebar, please check the pacman manpage for what the second "y" does and stop using it unless you really (REALLY) mean to (which is almost never) - next to undue stress on the mirrors it jeopardizes the integrity of your local database.

Online

#3 2026-03-29 08:33:21

tachtler
Member
Registered: 2020-08-23
Posts: 38

Re: AUR repo reachable over Hurricane Electric Free IPv6 Tunnel Broker.

Hi Seth,

First of all, thanks for the tips. I only used the second "-y" as a test. I never use it otherwise.

But thanks again for the advice not to put unnecessary strain on the servers—that’s not my intention.

Prefer IPv4 over IPv6

Since I want to test IPv6, changing

/etc/gai.conf

might not be exactly what I want to do.

Of course, I’ve also noticed the massive attacks against Arch Linux and AUR, but is there no way to exclude certain IP address ranges from them, or was the IPv6 address range of “Hurricane Electric Free IPv6 Tunnel” also part of the attacks?

Thanks and best regards,
Klaus.

Offline

#4 2026-03-29 09:03:49

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 74,663

Re: AUR repo reachable over Hurricane Electric Free IPv6 Tunnel Broker.

or was the IPv6 address range of “Hurricane Electric Free IPv6 Tunnel” also part of the attacks?

I'd assume they fall into the "VPN, unpredictable what's behind" category and get rate controlled - you can ask accountsupport@archlinux.org but I'd not hold my breath.

Unfortunately Python's urllib is also not really helpful here, https://github.com/actionless/pikaur/is … -598673902
You'd have to explore other AUR helpers (obviously using e.g. curl it's no problem to select IPv4/6)

Online
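
Added example (not part of the thread): selecting the address family with curl, as mentioned in the post above, so an unattended job can try IPv6 first and fall back to IPv4 instead of hanging. The function names, timeouts and result strings are assumptions; the URL is the RPC request from the pikaur output in post #1.

```sh
#!/bin/sh
# Added example, not from the thread: probe the AUR RPC per address family.
# URL taken from the pikaur output in post #1; everything else is assumed.
AUR_URL='https://aur.archlinux.org/rpc/?v=5&type=info&arg[]=pikaur'

# probe_family 4|6
# Prints "ok" (HTTP 200), "timeout" (curl exit 28), "http:<code>" or "fail:<exit>".
probe_family() {
    pf_rc=0
    # --globoff: keep curl from treating the [] in the URL as a glob range.
    pf_code=$(curl "-$1" --globoff --silent --output /dev/null \
        --connect-timeout "${CONNECT_TIMEOUT:-5}" \
        --max-time "${MAX_TIME:-15}" \
        --write-out '%{http_code}' "$AUR_URL") || pf_rc=$?
    case $pf_rc in
        0)  if [ "$pf_code" = 200 ]; then echo ok; else echo "http:$pf_code"; fi ;;
        28) echo timeout ;;
        *)  echo "fail:$pf_rc" ;;
    esac
}

# choose_family: try IPv6 first, fall back to IPv4.
# Prints 6 or 4; returns 1 if neither family gets a 200.
choose_family() {
    for cf_fam in 6 4; do
        if [ "$(probe_family "$cf_fam")" = ok ]; then
            echo "$cf_fam"
            return 0
        fi
    done
    return 1
}

# Run the probe only when asked to, e.g.  sh aur-probe.sh --run
if [ "${1:-}" = --run ]; then
    printf 'IPv6: %s\nIPv4: %s\n' "$(probe_family 6)" "$(probe_family 4)"
    choose_family >/dev/null || exit 1
fi
```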

#5 2026-03-29 13:50:25

tachtler
Member
Registered: 2020-08-23
Posts: 38

Re: AUR repo reachable over Hurricane Electric Free IPv6 Tunnel Broker.

Hi Seth,

Thanks again for your tips.

I’ve found a possible solution—perhaps for myself, but also for others who come across this thread.

Since I use an unbound DNS-resolver in my internal DNS, I can set the following parameter there to prevent the resolution of an IPv6 address for aur.archlinux.org:

server:
    ...
    # DNS64 ignore AAAA records for these domains and use A instead.
    # dns64-ignore-aaaa: "example.com"
    # Tachtler - No IPv6 for AUR, because do NOT use the tunnel.
    dns64-ignore-aaaa: aur.archlinux.org

Thanks and best regards,
Klaus.

Offline

#6 2026-03-29 13:58:35

tachtler
Member
Registered: 2020-08-23
Posts: 38

Re: AUR repo reachable over Hurricane Electric Free IPv6 Tunnel Broker.

Hi,

the best way is to uncomment in

/etc/gai.conf

the parameter:

precedence ::ffff:0:0/96  100

Greetings
Klaus.

Offline

#7 2026-03-29 14:31:03

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 74,663

Re: AUR repo reachable over Hurricane Electric Free IPv6 Tunnel Broker.

I thought that's not desirable "Since I want to test IPv6"?
Why is https://wiki.archlinux.org/title/IPv6#P … _over_IPv6 preferable over selective disabling of IPv6 in the DNS server?

In any event please always remember to mark resolved threads by editing your initial post's subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.

Online

#8 2026-03-29 15:05:56

tachtler
Member
Registered: 2020-08-23
Posts: 38

Re: AUR repo reachable over Hurricane Electric Free IPv6 Tunnel Broker.

Hi Seth,

For my tests, I’ll limit myself to explicitly specifying IPv6. Otherwise, I don’t see any other way to use AUR, for example in Ansible scripts on the server, since I don’t have the option to manually run three attempts here.

I haven’t marked the thread as resolved yet because I’m still testing and trying to figure out what the best solution is.

I’ll mark it as resolved once I’m done with all the tests, I promise.

Best regards,
Klaus.

Offline

#9 2026-03-29 15:35:19

tachtler
Member
Registered: 2020-08-23
Posts: 38

Re: AUR repo reachable over Hurricane Electric Free IPv6 Tunnel Broker.

Hi Seth,

Why is https://wiki.archlinux.org/title/IPv6#P … _over_IPv6 preferable to selectively disabling IPv6 on the DNS server?

I don’t want to disable IPv6 entirely on my internal DNS server. That’s because local clients could reach the DNS server via both IPv4 and IPv6.

Best regards,
Klaus.

Offline

#10 2026-03-29 21:30:57

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 74,663

Re: AUR repo reachable over Hurricane Electric Free IPv6 Tunnel Broker.

I don’t want to disable IPv6 entirely on my internal DNS server.

But that is not what dns64-ignore-aaaa would do, it would disable IPv6 only for the aur.archlinux.org domain?

Online
