IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses

Doug Barton dougb at dougbarton.us
Fri Jan 23 20:02:03 UTC 2009


wiskbroom at hotmail.com wrote:
> Hello;
> 
> I have two "DMZ" BIND/DNS servers running whose purpose is to allow
> lookups via them from my otherwise incapable internal network.
> 
> I've recently upgraded only one of them from BIND 9.5.0-P2 to BIND
> 9.5.1-P1. Both servers are running Sparc/Solaris 9.
> 
> Upon upgrading one to BIND 9.5.0-P2, which was in an effort to
> resolve failed lookups for .gov sites, I found that the server was
> now attempting to resolve using IPv6 style addresses.  I am not
> able to find any such attempts in the past at all from either
> server (See messages from BIND 9.5.1-P1 server below).
> 
> I've installed a newer db.root file by running dig then saving the
> output to db.root.  The newer file contained IPv6 style entries,
> which I've manually removed (about the same time attempts ceased)

This isn't going to make a difference. Even if the root server
addresses were not already in the named binary, the first thing a
resolving name server does when it starts up is to get an updated copy
of the information from the root servers themselves.

> I've also tried to force any attempts at using IPv6 and what appear
> to be issues resolving .gov domains in my named.conf like this:
> 
> options { edns-udp-size 512; max-udp-size  512; 

Those two options are not good. EDNS exists for a reason.

> listen-on-v6 {
> none; }; };

That's not going to do what you want. You want to start named with the
-4 option. (Although a better option would be to get working IPv6.) :)

> logging { category lame-servers {null;}; category edns-disabled
> {null;}; };
> 
> 
> The issues that I was seeing with .gov sites resulted in this type
> of error in my logfile:
> 
> Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many
> timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling
> EDNS

This problem isn't caused by IPv6; fdic.gov has no name servers with
IPv6 addresses. This looks more like a firewall problem on your end.

> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network
> unreachable resolving
> 'ADNS1.BERKELEY.EDU/AAAA/IN':2001:500:2f::f#53

This is odd. The IP address listed is for f-root. That adns1 name
server does have an IPv6 address, but for some reason that address is
not listed in the root zone file (currently).

> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network
> unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53

Same here.

Doug
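As an added example (not part of the original thread or of BIND itself), a POSIX shell script that sorts resolver log lines of the two kinds quoted above into the failure modes Doug describes and prints the remedy each one calls for: "disabling EDNS" points at a firewall blocking large UDP replies, and "network unreachable" towards an IPv6 address points at starting named with -4. It assumes only the syslog layout shown in the thread; the sample lines embedded in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): sort BIND resolver log lines into the
# failure modes discussed above and print the remedy each one calls for.
#   edns-fallback:    "disabling EDNS" after timeouts; usually a firewall
#                     dropping UDP replies over 512 bytes or their fragments.
#   ipv6-unreachable: "network unreachable ... <IPv6 address>#53"; named
#                     used IPv6 transport on a host without an IPv6 route.
# Constructed sample log in the syslog layout quoted in the thread.
sample_log() {
cat <<'EOF'
Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS
Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS1.BERKELEY.EDU/AAAA/IN':2001:500:2f::f#53
Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
Jan 22 16:05:09 NS1 named[7678]: [ID 873579 daemon.info] lame server resolving 'example.test' (in 'example.test'?): 192.0.2.10#53
EOF
}

# classify_line LINE: prints edns-fallback, ipv6-unreachable, ipv4-unreachable or other.
classify_line() {
  case "$1" in
    *"disabling EDNS"*) echo edns-fallback; return ;;
  esac
  # Address from "network unreachable resolving 'NAME': ADDR#53" (space after the colon optional).
  addr=$(printf '%s\n' "$1" |
    sed -n "s/.*network unreachable resolving '[^']*': *\([^#]*\)#53.*/\1/p")
  case "$addr" in
    "")  echo other ;;
    *:*) echo ipv6-unreachable ;;   # a colon in the address means an IPv6 literal
    *)   echo ipv4-unreachable ;;
  esac
}
# hint_for CLASS: the remedy the thread gives for that class.
hint_for() {
  case "$1" in
    edns-fallback)    echo "let UDP DNS replies larger than 512 bytes (and fragments) through the firewall; do not pin edns-udp-size/max-udp-size to 512" ;;
    ipv6-unreachable) echo "no IPv6 route on this host: start named with -4 (listen-on-v6 { none; } only affects listening), or fix IPv6" ;;
    ipv4-unreachable) echo "no IPv4 route to that authoritative server" ;;
    *)                echo "no action needed from this line" ;;
  esac
}

# summarize_log: reads a log on stdin, prints "class count" per class.
summarize_log() {
  while IFS= read -r line; do classify_line "$line"; done |
    sort | uniq -c | awk '{ print $2, $1 }'
}
sample_log | summarize_log | while read -r cls n; do
  printf '%s (%s): %s\n' "$cls" "$n" "$(hint_for "$cls")"
done
```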
