A6 lookups from clients and bind9?

Matthew Hall leareth at angui.sh
Sat Sep 7 22:23:39 UTC 2002



On Sat, 7 Sep 2002, Simon Waters wrote:

> > The quadruple A is indicative of an IPv6 lookup, yes? Now, on my
> > bind9 servers, it seems to be trying to answer/lookup the request
> > from my forwarders, because there is a timeout of 10-15 seconds
> > or so before the client asks "the right" question and gets back
> > the info it needs to proceed.
>
> Check the logs carefully, is it asking for AAAA in other domain
> names, i.e. is the 10 or 15 second delay due to the client
> trying other variations of the same name, or maybe BIND 9 trying
> to reach the Internet again (it likes to talk to the root
> servers after start up).

It apparently is doing different variations of IPv6 like
"shortname" "shortname.domainname" and then switching to
the secondary DNS server (from resolv.conf) and doing the
same "shortname" "shortname.domainname" - all as IPv6 queries.

You were correct that I could disable this behaviour with
the ssh client by doing "ssh -4 me@shortname" - which pinpoints
the problem down to the numerous IPv6 queries generated by
the clients that the bind9 server is not fielding as well
as I would wish it to.

> Difficult to say, does the other BIND 8 server allow recursive
> queries of Internet domain, or is it a private server. If you
> have private roots, remember bind 9 has an implicit 'cache "."'

Ok - my two servers are internal only, and they have explicit
forwarders listed, and they are set to "forward only". They are
unable to reach the internet themselves. If bind 9 has an
implicit 'cache "."' - then should I override that with one of my
own? How does one set up/generate such a particular file? (Does it
look just like the normal one, with the ROOT-SERVERS replaced with
servers that are actually reachable?) Or is there a better way to
modify that behaviour?

> It can only answer questions as best it can - my guess is it is
> the questions the client is asking that is wrong.

Yes, this may be so, however, I need my servers to be as good,
if not better than, the ones they are replacing.

> Stop the client asking IPv6 queries, for some SSH builds this
> requires either "ssh -4" or rebuilding without IPv6 support.

Yes, this gets rid of the problem, confirming my suspicions
on what is happening. Now to figure out how to massage the
problem away on my end if possible.

-- 
It's always September somewhere on the 'net. | http://angui.sh
Another proud member of Eep's killfile.      | Unix Sys. Admin.
unreal://angui.sh                            | leareth at angui.sh




