IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses

wiskbroom at hotmail.com
Fri Jan 23 20:24:55 UTC 2009


> From: dougb at dougbarton.us
>
> wiskbroom at hotmail.com wrote:
>> Hello;
>>
>> I have two "DMZ" BIND/DNS servers running whose purpose is to allow
>> lookups via them from my otherwise incapable internal network.
>>
>> I've recently upgraded only one of them from BIND 9.5.0-P2 to BIND
>> 9.5.1-P1. Both servers are running Sparc/Solaris 9.
>>
>> Upon upgrading one to BIND 9.5.0-P2, which was in an effort to
>> resolve failed lookups for .gov sites, I found that the server was
>> now attempting to resolve using IPv6 style addresses. I am not
>> able to find any such attempts in the past at all from either
>> server (See messages from BIND 9.5.1-P1 server below).
>>
>> I've installed a newer db.root file by running dig then saving the
>> output to db.root. The newer file contained IPv6 style entries,
>> which I've manually removed (about the same time attempts ceased)
>
> This isn't going to make a difference. Even if the root server
> addresses were not already in the named binary, the first thing a
> resolving name server does when it starts up is to get an updated copy
> of the information from the root servers themselves.

How and where does this happen?

>> I've also tried to force any attempts at using IPv6 and what appear
>> to be issues resolving .gov domains in my named.conf like this:
>>
>> options { edns-udp-size 512; max-udp-size 512;
>
> Those two options are not good. EDNS exists for a reason.

Delete them?

>> listen-on-v6 {
>> none; }; };
>
> That's not going to do what you want. You want to start named with the
> -4 option. (Although a better option would be to get working IPv6.) :)

I will try using the -4 option; yeah, getting IPv6 would be "cool", though it's not warranted right now.

>> logging { category lame-servers {null;}; category edns-disabled
>> {null;}; };
>>
>>
>> The issues that I was seeing with .gov sites resulted in this type
>> of error in my logfile:
>>
>> Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many
>> timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling
>> EDNS
>
> This problem isn't caused by IPv6, fdic.gov has no name servers with
> IPv6 addresses. This looks more like a firewall problem on your end.

Is there a way to test to see if it is my firewalls? I recall reading that using dig you can test your firewall rulesets to determine if it is properly configured for NAT and to allow outbound IP fragmenting and out-of-order fragmentation.

By the way, what would cause a DNS server to fragment packets or send out of order? Aren't the packets typically small enough to fit within the typical 1500 imposed size?

>> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network
>> unreachable resolving
>> 'ADNS1.BERKELEY.EDU/AAAA/IN':2001:500:2f::f#53
>
> This is odd. The IP address listed is for f-root. That adns1 name
> server does have an IPv6 address, but for some reason that address is
> not listed in the root zone file (currently).
>
>> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network
>> unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
>
> Same here.
>
> Doug
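The two log messages quoted in this thread point at two different problems: "disabling EDNS" after repeated timeouts is the classic symptom of a firewall that drops DNS replies larger than 512 bytes or drops IP fragments, while "network unreachable" with an IPv6 address after the colon only says the resolver has no IPv6 route (the case for `named -4`). The following script is an added example, not code from the thread or from ISC; it classifies BIND log lines of those two shapes and counts them. The sample log is constructed to match the formats quoted above (the fdic.gov and BERKELEY.EDU names and the f-root address come from the thread; the host name, PID, timestamps and the final "loaded serial" line are made up).

```python
"""Classify BIND resolver log lines into EDNS-fallback and unreachable-server events.

Added example, not part of the original mailing-list post. The log sample
below is constructed to mirror the message formats quoted in the thread.
"""
import re

# Constructed sample: same message shapes as the lines quoted in the thread.
SAMPLE_LOG = """\
Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS
Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS1.BERKELEY.EDU/AAAA/IN':2001:500:2f::f#53
Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
Jan 22 16:07:11 NS1 named[7678]: [ID 873579 daemon.info] zone example.test/IN: loaded serial 2009012201
"""

# "too many timeouts resolving '<name>/<type>' ...: disabling EDNS"
EDNS_RE = re.compile(r"too many timeouts resolving '(?P<query>[^']+)'.*disabling EDNS")
# "network unreachable resolving '<name>/<type>/<class>': <address>#<port>"
# (\s* tolerates the missing space seen in the thread's first wrapped line)
UNREACH_RE = re.compile(
    r"network unreachable resolving '(?P<query>[^']+)':\s*(?P<addr>\S+?)#(?P<port>\d+)"
)


def is_ipv6(addr):
    """Crude but sufficient here: IPv6 literals contain ':' and IPv4 literals do not."""
    return ":" in addr


def classify_line(line):
    """Return a small event dict for a recognised line, or None for anything else."""
    m = EDNS_RE.search(line)
    if m:
        return {"kind": "edns_fallback", "query": m.group("query"), "server": None}
    m = UNREACH_RE.search(line)
    if m:
        addr = m.group("addr")
        kind = "unreachable_v6" if is_ipv6(addr) else "unreachable_v4"
        return {"kind": kind, "query": m.group("query"), "server": addr}
    return None


def summarize(log_text):
    """Count events per kind and collect the IPv6 servers that were unreachable."""
    counts = {"edns_fallback": 0, "unreachable_v6": 0, "unreachable_v4": 0}
    v6_servers = set()
    for line in log_text.splitlines():
        event = classify_line(line)
        if event is None:
            continue
        counts[event["kind"]] += 1
        if event["kind"] == "unreachable_v6":
            v6_servers.add(event["server"])
    return counts, sorted(v6_servers)


def advice(counts):
    """Map the counts to the two distinct remediations discussed in the thread."""
    notes = []
    if counts["unreachable_v6"]:
        notes.append("No IPv6 transport: start named with -4 or provide working IPv6.")
    if counts["edns_fallback"]:
        notes.append("EDNS fallback: check that the firewall passes UDP DNS replies "
                     "over 512 bytes and IP fragments instead of capping edns-udp-size.")
    return notes


if __name__ == "__main__":
    counts, servers = summarize(SAMPLE_LOG)
    print(counts, servers)
    for note in advice(counts):
        print("-", note)
```

Run over the sample, it reports one EDNS fallback and two IPv6 unreachable events, all against 2001:500:2f::f, which matches Doug's reading: the IPv6 noise is a missing v6 route, not the cause of the .gov failures. For the firewall side, the check the poster recalls is done with dig's `+bufsize` option: a query that succeeds at `+bufsize=512` but times out at `+bufsize=4096` (with `+dnssec` to make the answer large) indicates the path is dropping large or fragmented UDP replies, which is what to fix rather than forcing 512-byte EDNS.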
