Clients get DNS timeouts because ipv6 means more queries for each lookup

Kevin Darcy kcd at chrysler.com
Mon Jul 11 21:50:21 UTC 2011 

On 7/11/2011 2:11 PM, Jonathan Kamens wrote:
> The number of DNS queries required for each address lookup requested 
> by a client has gone up considerably because of IPV6. The problem is 
> being exacerbated by the fact that many DNS servers on the net don't 
> yet support IPV6 queries. The result is that address lookups are 
> frequently taking so long that the client gives up before getting the 
> result.
>
> The example I am seeing this with most frequently is my RSS feed 
> reader, rss2email, trying to read a feed from en.wikipedia.org in a 
> cron job that runs every 15 minutes. I am regularly seeing this in the 
> output of the cron job:
>
>     W: Name or service not known [8]
>     http://en.wikipedia.org/w/index.php?title=/[elided]/&feed=atom&action=history
>
> The wikipedia.org domain has three DNS servers. Let's assume that the 
> root and org. nameservers are cached already when rss2email does its 
> query. If so, then it has to do the following queries:
>
>     wikipedia.org DNS
>     en.wikipedia.org AAAA
>     en.wikipedia.org A
>
> This is fine when the wikipedia.org nameservers are working, but let's 
> postulate for the moment that two of them are down, unreachable, or 
> responding slowly, which apparently happens pretty often. Then we end 
> up doing:
>
>     wikipedia.org DNS
>     en.wikipedia.org AAAA /times out
>     /en.wikipedia.org AAAA /times out
>     /en.wikipedia.org AAAA
>     en.wikipedia.org A /times out/
>     en.wikipedia.org A /times out
>     /en.wikipedia.org A
>
> By now the end of that sequence, the typical 30-second DNS request 
> timeout has been exceeded, and the client gives up.
The math isn't working. I just ran a quick test and named (9.7.x) failed 
over from a non-working delegated NS to a working delegated NS in less 
than 30 milliseconds. How are you reaching a 30-*second* timeout 
threshold in only 6 queries?

In practice, it would also be quite unlikely that named would pick 
"dead" nameservers before live ones for *both* the AAAA and the A query. 
At the very least, once the timeouts were encountered for the AAAA 
query, those NSes would be penalized in terms of NS selection, so they 
are unlikely to be chosen *again*, ahead of the working NS, for the A 
query. Any en.wikipedia.org NSes which were found to be *persistently* 
broken, would gravitate to the bottom of the selection list, and be 
tried approximately never.

I think maybe you need to probe deeper and find out what _else_ is going on.

                                                                         
                                                                         
                                             - Kevin



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20110711/3f9b1469/attachment.html>

More information about the bind-users mailing list