IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses
Mark Andrews
Mark_Andrews at isc.org
Fri Jan 23 23:16:38 UTC 2009
In message <BAY133-W4474FD4AA8331C2DC6BEE1B4CF0 at phx.gbl>, wiskbroom at hotmail.com
writes:
>
> Hello;
>
> I have two "DMZ" BIND/DNS servers running whose purpose is to allow lookups v
> ia them from my otherwise incapable internal network.
>
> I've recently upgraded only one of them from BIND 9.5.0-P2 to BIND 9.5.1-P1.
> Both servers are running Sparc/Solaris 9.
>
> Upon upgrading one to BIND 9.5.0-P2, which was in an effort to resolve failed
> lookups for .gov sites, I found that the server was now attempting to resolv
> e using IPv6 style addresses. I am not able to find any such attempts in the
> past at all from either server (See messages from BIND 9.5.1-P1 server below
> ).
It always was. Named now uses connected UDP sockets so the
error codes make it back from the kernel.
> I've installed a newer db.root file by running dig then saving the output to
> db.root. The newer file contained IPv6 style entries, which I've manually re
> moved (about the same time attempts ceased)
>
> I've also tried to force any attempts at using IPv6 and what appear to be iss
> ues resolving .gov domains in my named.conf like this:
To disable the use of IPv6 use "named -4". I would however
recommend that you get yourself IPv6 connectivity instead.
> options {
> edns-udp-size 512;
> max-udp-size 512;
Unless you have a firewall or NAT that has trouble with
EDNS packets of particular sizes you should not need to set
these. If you do need to set these then you really should
look at replacing/reconfiguring the offending box.
> listen-on-v6 { none; };
> };
>
> logging {
> category lame-servers {null;};
> category edns-disabled {null;};
> };
>
>
> The issues that I was seeing with .gov sites resulted in this type of error i
> n my logfile:
>
> Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts re
> solving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS
The problem here is "too many timeouts". This may or may
not be related to EDNS.
> Any help would be greatly appreciated, am I missing something obvious, or per
> haps I need to add something else into my configs?
>
> Thank you,
>
>
> .vp
>
>
> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable
> resolving 'ADNS1.BERKELEY.EDU/AAAA/IN':2001:500:2f::f#53
>
> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable
> resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
>
> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable
> resolving 'indom80.indomco.hk/A/IN': 2001:dc0:1:0:4777::140#53
Which are perfectly understandable if you don't have IPv6
connectivity.
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list