IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses

Mark Andrews Mark_Andrews at isc.org
Fri Jan 23 23:16:38 UTC 2009


In message <BAY133-W4474FD4AA8331C2DC6BEE1B4CF0 at phx.gbl>, wiskbroom at hotmail.com
 writes:
> 
> Hello;
> 
> I have two "DMZ" BIND/DNS servers running whose purpose is to allow lookups
> via them from my otherwise incapable internal network.
> 
> I've recently upgraded only one of them from BIND 9.5.0-P2 to BIND 9.5.1-P1. 
> Both servers are running Sparc/Solaris 9.
> 
> Upon upgrading one to BIND 9.5.0-P2, which was in an effort to resolve failed
> lookups for .gov sites, I found that the server was now attempting to resolve
> using IPv6 style addresses.  I am not able to find any such attempts in the
> past at all from either server (See messages from BIND 9.5.1-P1 server below).

	It always was.  Named now uses connected UDP sockets so the
	error codes make it back from the kernel.
 
> I've installed a newer db.root file by running dig then saving the output to
> db.root.  The newer file contained IPv6 style entries, which I've manually
> removed (about the same time attempts ceased)
> 
> I've also tried to force any attempts at using IPv6 and what appear to be
> issues resolving .gov domains in my named.conf like this:

	To disable the use of IPv6 use "named -4".  I would however
	recommend that you get yourself IPv6 connectivity instead.
 
> options {
>         edns-udp-size 512;
>         max-udp-size  512;

	Unless you have a firewall or NAT that has trouble with
	EDNS packets of particular sizes you should not need to set
	these.  If you do need to set these then you really should
	look at replacing/reconfiguring the offending box.
	
>         listen-on-v6 { none; };
> };
> 
> logging {
>         category lame-servers {null;};
>         category edns-disabled {null;};
>         };
> 
> 
> The issues that I was seeing with .gov sites resulted in this type of error
> in my logfile:
> 
> Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS
 
	The problem here is "too many timeouts".  This may or may
	not be related to EDNS.

> Any help would be greatly appreciated, am I missing something obvious, or
> perhaps I need to add something else into my configs?
> 
> Thank you,
> 
> 
> .vp
> 
> 
> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS1.BERKELEY.EDU/AAAA/IN':2001:500:2f::f#53
> 
> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
> 
> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'indom80.indomco.hk/A/IN': 2001:dc0:1:0:4777::140#53

	Which are perfectly understandable if you don't have IPv6
	connectivity.
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
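
Added example (not part of the original message and not ISC code): a small triage script that separates the two kinds of named log lines discussed in this thread, the "network unreachable" lines (split by the address family of the server being contacted) and the "too many timeouts ... disabling EDNS" lines. The function names are hypothetical; the first three sample lines are the ones quoted above, the fourth is constructed.

```python
import ipaddress
import re
from collections import Counter

# The first three lines are log lines quoted in the thread (unwrapped).
# The last line is constructed for this example (192.0.2.53 is a documentation address).
SAMPLE_LOG = """\
Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS
Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS1.BERKELEY.EDU/AAAA/IN':2001:500:2f::f#53
Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'indom80.indomco.hk/A/IN': 2001:dc0:1:0:4777::140#53
Jan 22 16:05:09 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'example.org/A/IN': 192.0.2.53#53
"""

# The space after the colon is optional: both forms appear in the quoted log.
UNREACHABLE = re.compile(r"network unreachable resolving '([^']+)':\s*(\S+)#(\d+)\s*$")
TIMEOUTS = re.compile(r"too many timeouts resolving '([^']+)' \(in '([^']+)'\?\): disabling EDNS")

def classify(line):
    """Return (category, detail) for one named log line, or None if unrelated."""
    m = UNREACHABLE.search(line)
    if m:
        try:
            version = ipaddress.ip_address(m.group(2)).version
        except ValueError:
            return ("unparsed-address", m.group(2))
        # v6 entries are expected on a host without IPv6 connectivity;
        # v4 entries point at a real routing problem.
        return (f"unreachable-v{version}", m.group(2))
    m = TIMEOUTS.search(line)
    if m:
        return ("edns-timeout", m.group(2))  # the zone named in "(in '...')"
    return None

def summarize(text):
    """Count categories and collect the distinct servers or zones seen in each."""
    counts, details = Counter(), {}
    for line in text.splitlines():
        result = classify(line)
        if result:
            category, detail = result
            counts[category] += 1
            details.setdefault(category, set()).add(detail)
    return counts, details

if __name__ == "__main__":
    counts, details = summarize(SAMPLE_LOG)
    for category in sorted(counts):
        print(category, counts[category], sorted(details[category]))
```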


